1 files changed, 186 insertions, 92 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 83ec98b7e98..31a0fd8189f 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1,4 +1,4 @@
-/* keyctl.c: userspace keyctl operations
+/* Userspace key control operations
 *
 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -31,27 +31,24 @@ static int key_get_type_from_user(char *type,
        int ret;
        ret = strncpy_from_user(type, _type, len);
        if (ret < 0)
                return ret;
        if (ret == 0 || ret >= len)
                return -EINVAL;
        if (type[0] == '.')
                return -EPERM;
        type[len - 1] = '\0';
        return 0;
 }
 /*
- * extract the description of a new key from userspace and either add it as a
+ * Extract the description of a new key from userspace and either add it as a
- * new key to the specified keyring or update a matching key in that keyring
+ * new key to the specified keyring or update a matching key in that keyring.
- * - the keyring must be writable
+ *
- * - returns the new key's serial number
+ * The keyring must be writable so that we can attach the key to it.
- * - implements add_key()
+ *
+ * If successful, the new key's serial number is returned, otherwise an error
+ * code is returned.
 */
 SYSCALL_DEFINE5(add_key, const char __user *, _type,
                const char __user *, _description,
@@ -134,14 +131,17 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
 }
 /*
- * search the process keyrings for a matching key
+ * Search the process keyrings and keyring trees linked from those for a
- * - nested keyrings may also be searched if they have Search permission
+ * matching key.  Keyrings must have appropriate Search permission to be
- * - if a key is found, it will be attached to the destination keyring if
+ * searched.
- *   there's one specified
+ *
- * - /sbin/request-key will be invoked if _callout_info is non-NULL
+ * If a key is found, it will be attached to the destination keyring if there's
- *   - the _callout_info string will be passed to /sbin/request-key
+ * one specified and the serial number of the key will be returned.
- *   - if the _callout_info string is empty, it will be rendered as "-"
+ *
- * - implements request_key()
+ * If no key is found, /sbin/request-key will be invoked if _callout_info is
+ * non-NULL in an attempt to create a key.  The _callout_info string will be
+ * passed to /sbin/request-key to aid with completing the request.  If the
+ * _callout_info string is "" then it will be changed to "-".
 */
 SYSCALL_DEFINE4(request_key, const char __user *, _type,
                const char __user *, _description,
@@ -222,9 +222,11 @@ error:
 }
 /*
- * get the ID of the specified process keyring
+ * Get the ID of the specified process keyring.
- * - the keyring must have search permission to be found
+ *
- * - implements keyctl(KEYCTL_GET_KEYRING_ID)
+ * The requested keyring must have search permission to be found.
+ *
+ * If successful, the ID of the requested keyring will be returned.
 */
 long keyctl_get_keyring_ID(key_serial_t id, int create)
 {
@@ -243,12 +245,17 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
        key_ref_put(key_ref);
 error:
        return ret;
+}
-} /* end keyctl_get_keyring_ID() */
 /*
- * join the session keyring
+ * Join a (named) session keyring.
- * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)
+ *
+ * Create and join an anonymous session keyring or join a named session
+ * keyring, creating it if necessary.  A named session keyring must have Search
+ * permission for it to be joined.  Session keyrings without this permit will
+ * be skipped over.
+ *
+ * If successful, the ID of the joined session keyring will be returned.
 */
 long keyctl_join_session_keyring(const char __user *_name)
 {
@@ -274,9 +281,14 @@ error:
 }
 /*
- * update a key's data payload
+ * Update a key's data payload from the given data.
- * - the key must be writable
+ *
- * - implements keyctl(KEYCTL_UPDATE)
+ * The key must grant the caller Write permission and the key type must support
+ * updating for this to work.  A negative key can be positively instantiated
+ * with this call.
+ *
+ * If successful, 0 will be returned.  If the key type does not support
+ * updating, then -EOPNOTSUPP will be returned.
 */
 long keyctl_update_key(key_serial_t id,
                       const void __user *_payload,
@@ -321,9 +333,14 @@ error:
 }
 /*
- * revoke a key
+ * Revoke a key.
- * - the key must be writable
+ *
- * - implements keyctl(KEYCTL_REVOKE)
+ * The key must be grant the caller Write or Setattr permission for this to
+ * work.  The key type should give up its quota claim when revoked.  The key
+ * and any links to the key will be automatically garbage collected after a
+ * certain amount of time (/proc/sys/kernel/keys/gc_delay).
+ *
+ * If successful, 0 is returned.
 */
 long keyctl_revoke_key(key_serial_t id)
 {
@@ -351,9 +368,11 @@ error:
 }
 /*
- * clear the specified process keyring
+ * Clear the specified keyring, creating an empty process keyring if one of the
- * - the keyring must be writable
+ * special keyring IDs is used.
- * - implements keyctl(KEYCTL_CLEAR)
+ *
+ * The keyring must grant the caller Write permission for this to work.  If
+ * successful, 0 will be returned.
 */
 long keyctl_keyring_clear(key_serial_t ringid)
 {
@@ -374,10 +393,15 @@ error:
 }
 /*
- * link a key into a keyring
+ * Create a link from a keyring to a key if there's no matching key in the
- * - the keyring must be writable
+ * keyring, otherwise replace the link to the matching key with a link to the
- * - the key must be linkable
+ * new key.
- * - implements keyctl(KEYCTL_LINK)
+ *
+ * The key must grant the caller Link permission and the the keyring must grant
+ * the caller Write permission.  Furthermore, if an additional link is created,
+ * the keyring's quota will be extended.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
 {
@@ -406,10 +430,13 @@ error:
 }
 /*
- * unlink the first attachment of a key from a keyring
+ * Unlink a key from a keyring.
- * - the keyring must be writable
+ *
- * - we don't need any permissions on the key
+ * The keyring must grant the caller Write permission for this to work; the key
- * - implements keyctl(KEYCTL_UNLINK)
+ * itself need not grant the caller anything.  If the last link to a key is
+ * removed then that key will be scheduled for destruction.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
 {
@@ -438,14 +465,17 @@ error:
 }
 /*
- * describe a user key
+ * Return a description of a key to userspace.
- * - the key must have view permission
+ *
- * - if there's a buffer, we place up to buflen bytes of data into it
+ * The key must grant the caller View permission for this to work.
- * - unless there's an error, we return the amount of description available,
+ *
- *   irrespective of how much we may have copied
+ * If there's a buffer, we place up to buflen bytes of data into it formatted
- * - the description is formatted thus:
+ * in the following way:
+ *
 *      type;uid;gid;perm;description<NUL>
- * - implements keyctl(KEYCTL_DESCRIBE)
+ *
+ * If successful, we return the amount of description available, irrespective
+ * of how much we may have copied into the buffer.
 */
 long keyctl_describe_key(key_serial_t keyid,
                         char __user *buffer,
@@ -516,13 +546,14 @@ error:
 }
 /*
- * search the specified keyring for a matching key
+ * Search the specified keyring and any keyrings it links to for a matching
- * - the start keyring must be searchable
+ * key.  Only keyrings that grant the caller Search permission will be searched
- * - nested keyrings may also be searched if they are searchable
+ * (this includes the starting keyring).  Only keys with Search permission can
- * - only keys with search permission may be found
+ * be found.
- * - if a key is found, it will be attached to the destination keyring if
+ *
- *   there's one specified
+ * If successful, the found key will be linked to the destination keyring if
- * - implements keyctl(KEYCTL_SEARCH)
+ * supplied and the key has Link permission, and the found key ID will be
+ * returned.
 */
 long keyctl_keyring_search(key_serial_t ringid,
                           const char __user *_type,
@@ -609,13 +640,14 @@ error:
 }
 /*
- * read a user key's payload
+ * Read a key's payload.
- * - the keyring must be readable or the key must be searchable from the
+ *
- *   process's keyrings
+ * The key must either grant the caller Read permission, or it must grant the
- * - if there's a buffer, we place up to buflen bytes of data into it
+ * caller Search permission when searched for from the process keyrings.
- * - unless there's an error, we return the amount of data in the key,
+ *
- *   irrespective of how much we may have copied
+ * If successful, we place up to buflen bytes of data into the buffer, if one
- * - implements keyctl(KEYCTL_READ)
+ * is provided, and return the amount of data that is available in the key,
+ * irrespective of how much we copied into the buffer.
 */
 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 {
@@ -669,10 +701,19 @@ error:
 }
 /*
- * change the ownership of a key
+ * Change the ownership of a key
- * - the keyring owned by the changer
+ *
- * - if the uid or gid is -1, then that parameter is not changed
+ * The key must grant the caller Setattr permission for this to work, though
- * - implements keyctl(KEYCTL_CHOWN)
+ * the key need not be fully instantiated yet.  For the UID to be changed, or
+ * for the GID to be changed to a group the caller is not a member of, the
+ * caller must have sysadmin capability.  If either uid or gid is -1 then that
+ * attribute is not changed.
+ *
+ * If the UID is to be changed, the new user must have sufficient quota to
+ * accept the key.  The quota deduction will be removed from the old user to
+ * the new user should the attribute be changed.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
 {
@@ -775,9 +816,11 @@ quota_overrun:
 }
 /*
- * change the permission mask on a key
+ * Change the permission mask on a key.
- * - the keyring owned by the changer
+ *
- * - implements keyctl(KEYCTL_SETPERM)
+ * The key must grant the caller Setattr permission for this to work, though
+ * the key need not be fully instantiated yet.  If the caller does not have
+ * sysadmin capability, it may only change the permission on keys that it owns.
 */
 long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
 {
@@ -815,7 +858,8 @@ error:
 }
 /*
- * get the destination keyring for instantiation
+ * Get the destination keyring for instantiation and check that the caller has
+ * Write permission on it.
 */
 static long get_instantiation_keyring(key_serial_t ringid,
                                      struct request_key_auth *rka,
@@ -852,7 +896,7 @@ static long get_instantiation_keyring(key_serial_t ringid,
 }
 /*
- * change the request_key authorisation key on the current process
+ * Change the request_key authorisation key on the current process.
 */
 static int keyctl_change_reqkey_auth(struct key *key)
 {
@@ -869,8 +913,13 @@ static int keyctl_change_reqkey_auth(struct key *key)
 }
 /*
- * instantiate the key with the specified payload, and, if one is given, link
+ * Instantiate a key with the specified payload and link the key into the
- * the key into the keyring
+ * destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_instantiate_key(key_serial_t id,
                            const void __user *_payload,
@@ -948,8 +997,19 @@ error:
 }
 /*
- * negatively instantiate the key with the given timeout (in seconds), and, if
+ * Negatively instantiate the key with the given timeout (in seconds) and link
- * one is given, link the key into the keyring
+ * the key into the destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * The key and any links to the key will be automatically garbage collected
+ * after the timeout expires.
+ *
+ * Negative keys are used to rate limit repeated request_key() calls by causing
+ * them to return -ENOKEY until the negative key expires.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
 {
@@ -993,8 +1053,11 @@ error:
 }
 /*
- * set the default keyring in which request_key() will cache keys
+ * Read or set the default keyring in which request_key() will cache keys and
- * - return the old setting
+ * return the old setting.
+ *
+ * If a process keyring is specified then this will be created if it doesn't
+ * yet exist.  The old setting will be returned if successful.
 */
 long keyctl_set_reqkey_keyring(int reqkey_defl)
 {
@@ -1050,7 +1113,16 @@ error:
 }
 /*
- * set or clear the timeout for a key
+ * Set or clear the timeout on a key.
+ *
+ * Either the key must grant the caller Setattr permission or else the caller
+ * must hold an instantiation authorisation token for the key.
+ *
+ * The timeout is either 0 to clear the timeout, or a number of seconds from
+ * the current time.  The key and any links to the key will be automatically
+ * garbage collected after the timeout expires.
+ *
+ * If successful, 0 is returned.
 */
 long keyctl_set_timeout(key_serial_t id, unsigned timeout)
 {
@@ -1105,7 +1177,21 @@ error:
 }
 /*
- * assume the authority to instantiate the specified key
+ * Assume (or clear) the authority to instantiate the specified key.
+ *
+ * This sets the authoritative token currently in force for key instantiation.
+ * This must be done for a key to be instantiated.  It has the effect of making
+ * available all the keys from the caller of the request_key() that created a
+ * key to request_key() calls made by the caller of this function.
+ *
+ * The caller must have the instantiation key in their process keyrings with a
+ * Search permission grant available to the caller.
+ *
+ * If the ID given is 0, then the setting will be cleared and 0 returned.
+ *
+ * If the ID given has a matching an authorisation key, then that key will be
+ * set and its ID will be returned.  The authorisation key can be read to get
+ * the callout information passed to request_key().
 */
 long keyctl_assume_authority(key_serial_t id)
 {
@@ -1145,12 +1231,14 @@ error:
 }
 /*
- * get the security label of a key
+ * Get a key's the LSM security label.
- * - the key must grant us view permission
+ *
- * - if there's a buffer, we place up to buflen bytes of data into it
+ * The key must grant the caller View permission for this to work.
- * - unless there's an error, we return the amount of information available,
+ *
- *   irrespective of how much we may have copied (including the terminal NUL)
+ * If there's a buffer, then up to buflen bytes of data will be placed into it.
- * - implements keyctl(KEYCTL_GET_SECURITY)
+ *
+ * If successful, the amount of information available will be returned,
+ * irrespective of how much was copied (including the terminal NUL).
 */
 long keyctl_get_security(key_serial_t keyid,
                         char __user *buffer,
@@ -1205,10 +1293,16 @@ long keyctl_get_security(key_serial_t keyid,
 }
 /*
- * attempt to install the calling process's session keyring on the process's
+ * Attempt to install the calling process's session keyring on the process's
- * parent process
+ * parent process.
- * - the keyring must exist and must grant us LINK permission
+ *
- * - implements keyctl(KEYCTL_SESSION_TO_PARENT)
+ * The keyring must exist and must grant the caller LINK permission, and the
+ * parent process must be single-threaded and must have the same effective
+ * ownership as this process and mustn't be SUID/SGID.
+ *
+ * The keyring will be emplaced on the parent when it next resumes userspace.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_session_to_parent(void)
 {
@@ -1312,7 +1406,7 @@ error_keyring:
 }
 /*
- * the key control system call
+ * The key control system call
 */
 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
                unsigned long, arg4, unsigned long, arg5)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 83ec98b7e98..31a0fd8189f 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c
@@ -1,4 +1,4 @@
1	/* keyctl.c: userspace keyctl operations	1	/* Userspace key control operations
2	*	2	*
3	* Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.	3	* Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
4	* Written by David Howells (dhowells@redhat.com)	4	* Written by David Howells (dhowells@redhat.com)
@@ -31,27 +31,24 @@ static int key_get_type_from_user(char *type,
31	int ret;	31	int ret;
32		32
33	ret = strncpy_from_user(type, _type, len);	33	ret = strncpy_from_user(type, _type, len);
34
35	if (ret < 0)	34	if (ret < 0)
36	return ret;	35	return ret;
37
38	if (ret == 0 \|\| ret >= len)	36	if (ret == 0 \|\| ret >= len)
39	return -EINVAL;	37	return -EINVAL;
40
41	if (type[0] == '.')	38	if (type[0] == '.')
42	return -EPERM;	39	return -EPERM;
43
44	type[len - 1] = '\0';	40	type[len - 1] = '\0';
45
46	return 0;	41	return 0;
47	}	42	}
48		43
49	/*	44	/*
50	* extract the description of a new key from userspace and either add it as a	45	* Extract the description of a new key from userspace and either add it as a
51	* new key to the specified keyring or update a matching key in that keyring	46	* new key to the specified keyring or update a matching key in that keyring.
52	* - the keyring must be writable	47	*
53	* - returns the new key's serial number	48	* The keyring must be writable so that we can attach the key to it.
54	* - implements add_key()	49	*
		50	* If successful, the new key's serial number is returned, otherwise an error
		51	* code is returned.
55	*/	52	*/
56	SYSCALL_DEFINE5(add_key, const char __user *, _type,	53	SYSCALL_DEFINE5(add_key, const char __user *, _type,
57	const char __user *, _description,	54	const char __user *, _description,
@@ -134,14 +131,17 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
134	}	131	}
135		132
136	/*	133	/*
137	* search the process keyrings for a matching key	134	* Search the process keyrings and keyring trees linked from those for a
138	* - nested keyrings may also be searched if they have Search permission	135	* matching key. Keyrings must have appropriate Search permission to be
139	* - if a key is found, it will be attached to the destination keyring if	136	* searched.
140	* there's one specified	137	*
141	* - /sbin/request-key will be invoked if _callout_info is non-NULL	138	* If a key is found, it will be attached to the destination keyring if there's
142	* - the _callout_info string will be passed to /sbin/request-key	139	* one specified and the serial number of the key will be returned.
143	* - if the _callout_info string is empty, it will be rendered as "-"	140	*
144	* - implements request_key()	141	* If no key is found, /sbin/request-key will be invoked if _callout_info is
		142	* non-NULL in an attempt to create a key. The _callout_info string will be
		143	* passed to /sbin/request-key to aid with completing the request. If the
		144	* _callout_info string is "" then it will be changed to "-".
145	*/	145	*/
146	SYSCALL_DEFINE4(request_key, const char __user *, _type,	146	SYSCALL_DEFINE4(request_key, const char __user *, _type,
147	const char __user *, _description,	147	const char __user *, _description,
@@ -222,9 +222,11 @@ error:
222	}	222	}
223		223
224	/*	224	/*
225	* get the ID of the specified process keyring	225	* Get the ID of the specified process keyring.
226	* - the keyring must have search permission to be found	226	*
227	* - implements keyctl(KEYCTL_GET_KEYRING_ID)	227	* The requested keyring must have search permission to be found.
		228	*
		229	* If successful, the ID of the requested keyring will be returned.
228	*/	230	*/
229	long keyctl_get_keyring_ID(key_serial_t id, int create)	231	long keyctl_get_keyring_ID(key_serial_t id, int create)
230	{	232	{
@@ -243,12 +245,17 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
243	key_ref_put(key_ref);	245	key_ref_put(key_ref);
244	error:	246	error:
245	return ret;	247	return ret;
246		248	}
247	} /* end keyctl_get_keyring_ID() */
248		249
249	/*	250	/*
250	* join the session keyring	251	* Join a (named) session keyring.
251	* - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)	252	*
		253	* Create and join an anonymous session keyring or join a named session
		254	* keyring, creating it if necessary. A named session keyring must have Search
		255	* permission for it to be joined. Session keyrings without this permit will
		256	* be skipped over.
		257	*
		258	* If successful, the ID of the joined session keyring will be returned.
252	*/	259	*/
253	long keyctl_join_session_keyring(const char __user *_name)	260	long keyctl_join_session_keyring(const char __user *_name)
254	{	261	{
@@ -274,9 +281,14 @@ error:
274	}	281	}
275		282
276	/*	283	/*
277	* update a key's data payload	284	* Update a key's data payload from the given data.
278	* - the key must be writable	285	*
279	* - implements keyctl(KEYCTL_UPDATE)	286	* The key must grant the caller Write permission and the key type must support
		287	* updating for this to work. A negative key can be positively instantiated
		288	* with this call.
		289	*
		290	* If successful, 0 will be returned. If the key type does not support
		291	* updating, then -EOPNOTSUPP will be returned.
280	*/	292	*/
281	long keyctl_update_key(key_serial_t id,	293	long keyctl_update_key(key_serial_t id,
282	const void __user *_payload,	294	const void __user *_payload,
@@ -321,9 +333,14 @@ error:
321	}	333	}
322		334
323	/*	335	/*
324	* revoke a key	336	* Revoke a key.
325	* - the key must be writable	337	*
326	* - implements keyctl(KEYCTL_REVOKE)	338	* The key must be grant the caller Write or Setattr permission for this to
		339	* work. The key type should give up its quota claim when revoked. The key
		340	* and any links to the key will be automatically garbage collected after a
		341	* certain amount of time (/proc/sys/kernel/keys/gc_delay).
		342	*
		343	* If successful, 0 is returned.
327	*/	344	*/
328	long keyctl_revoke_key(key_serial_t id)	345	long keyctl_revoke_key(key_serial_t id)
329	{	346	{
@@ -351,9 +368,11 @@ error:
351	}	368	}
352		369
353	/*	370	/*
354	* clear the specified process keyring	371	* Clear the specified keyring, creating an empty process keyring if one of the
355	* - the keyring must be writable	372	* special keyring IDs is used.
356	* - implements keyctl(KEYCTL_CLEAR)	373	*
		374	* The keyring must grant the caller Write permission for this to work. If
		375	* successful, 0 will be returned.
357	*/	376	*/
358	long keyctl_keyring_clear(key_serial_t ringid)	377	long keyctl_keyring_clear(key_serial_t ringid)
359	{	378	{
@@ -374,10 +393,15 @@ error:
374	}	393	}
375		394
376	/*	395	/*
377	* link a key into a keyring	396	* Create a link from a keyring to a key if there's no matching key in the
378	* - the keyring must be writable	397	* keyring, otherwise replace the link to the matching key with a link to the
379	* - the key must be linkable	398	* new key.
380	* - implements keyctl(KEYCTL_LINK)	399	*
		400	* The key must grant the caller Link permission and the the keyring must grant
		401	* the caller Write permission. Furthermore, if an additional link is created,
		402	* the keyring's quota will be extended.
		403	*
		404	* If successful, 0 will be returned.
381	*/	405	*/
382	long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)	406	long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
383	{	407	{
@@ -406,10 +430,13 @@ error:
406	}	430	}
407		431
408	/*	432	/*
409	* unlink the first attachment of a key from a keyring	433	* Unlink a key from a keyring.
410	* - the keyring must be writable	434	*
411	* - we don't need any permissions on the key	435	* The keyring must grant the caller Write permission for this to work; the key
412	* - implements keyctl(KEYCTL_UNLINK)	436	* itself need not grant the caller anything. If the last link to a key is
		437	* removed then that key will be scheduled for destruction.
		438	*
		439	* If successful, 0 will be returned.
413	*/	440	*/
414	long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)	441	long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
415	{	442	{
@@ -438,14 +465,17 @@ error:
438	}	465	}
439		466
440	/*	467	/*
441	* describe a user key	468	* Return a description of a key to userspace.
442	* - the key must have view permission	469	*
443	* - if there's a buffer, we place up to buflen bytes of data into it	470	* The key must grant the caller View permission for this to work.
444	* - unless there's an error, we return the amount of description available,	471	*
445	* irrespective of how much we may have copied	472	* If there's a buffer, we place up to buflen bytes of data into it formatted
446	* - the description is formatted thus:	473	* in the following way:
		474	*
447	* type;uid;gid;perm;description<NUL>	475	* type;uid;gid;perm;description<NUL>
448	* - implements keyctl(KEYCTL_DESCRIBE)	476	*
		477	* If successful, we return the amount of description available, irrespective
		478	* of how much we may have copied into the buffer.
449	*/	479	*/
450	long keyctl_describe_key(key_serial_t keyid,	480	long keyctl_describe_key(key_serial_t keyid,
451	char __user *buffer,	481	char __user *buffer,
@@ -516,13 +546,14 @@ error:
516	}	546	}
517		547
518	/*	548	/*
519	* search the specified keyring for a matching key	549	* Search the specified keyring and any keyrings it links to for a matching
520	* - the start keyring must be searchable	550	* key. Only keyrings that grant the caller Search permission will be searched
521	* - nested keyrings may also be searched if they are searchable	551	* (this includes the starting keyring). Only keys with Search permission can
522	* - only keys with search permission may be found	552	* be found.
523	* - if a key is found, it will be attached to the destination keyring if	553	*
524	* there's one specified	554	* If successful, the found key will be linked to the destination keyring if
525	* - implements keyctl(KEYCTL_SEARCH)	555	* supplied and the key has Link permission, and the found key ID will be
		556	* returned.
526	*/	557	*/
527	long keyctl_keyring_search(key_serial_t ringid,	558	long keyctl_keyring_search(key_serial_t ringid,
528	const char __user *_type,	559	const char __user *_type,
@@ -609,13 +640,14 @@ error:
609	}	640	}
610		641
611	/*	642	/*
612	* read a user key's payload	643	* Read a key's payload.
613	* - the keyring must be readable or the key must be searchable from the	644	*
614	* process's keyrings	645	* The key must either grant the caller Read permission, or it must grant the
615	* - if there's a buffer, we place up to buflen bytes of data into it	646	* caller Search permission when searched for from the process keyrings.
616	* - unless there's an error, we return the amount of data in the key,	647	*
617	* irrespective of how much we may have copied	648	* If successful, we place up to buflen bytes of data into the buffer, if one
618	* - implements keyctl(KEYCTL_READ)	649	* is provided, and return the amount of data that is available in the key,
		650	* irrespective of how much we copied into the buffer.
619	*/	651	*/
620	long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)	652	long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
621	{	653	{
@@ -669,10 +701,19 @@ error:
669	}	701	}
670		702
671	/*	703	/*
672	* change the ownership of a key	704	* Change the ownership of a key
673	* - the keyring owned by the changer	705	*
674	* - if the uid or gid is -1, then that parameter is not changed	706	* The key must grant the caller Setattr permission for this to work, though
675	* - implements keyctl(KEYCTL_CHOWN)	707	* the key need not be fully instantiated yet. For the UID to be changed, or
		708	* for the GID to be changed to a group the caller is not a member of, the
		709	* caller must have sysadmin capability. If either uid or gid is -1 then that
		710	* attribute is not changed.
		711	*
		712	* If the UID is to be changed, the new user must have sufficient quota to
		713	* accept the key. The quota deduction will be removed from the old user to
		714	* the new user should the attribute be changed.
		715	*
		716	* If successful, 0 will be returned.
676	*/	717	*/
677	long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)	718	long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
678	{	719	{
@@ -775,9 +816,11 @@ quota_overrun:
775	}	816	}
776		817
777	/*	818	/*
778	* change the permission mask on a key	819	* Change the permission mask on a key.
779	* - the keyring owned by the changer	820	*
780	* - implements keyctl(KEYCTL_SETPERM)	821	* The key must grant the caller Setattr permission for this to work, though
		822	* the key need not be fully instantiated yet. If the caller does not have
		823	* sysadmin capability, it may only change the permission on keys that it owns.
781	*/	824	*/
782	long keyctl_setperm_key(key_serial_t id, key_perm_t perm)	825	long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
783	{	826	{
@@ -815,7 +858,8 @@ error:
815	}	858	}
816		859
817	/*	860	/*
818	* get the destination keyring for instantiation	861	* Get the destination keyring for instantiation and check that the caller has
		862	* Write permission on it.
819	*/	863	*/
820	static long get_instantiation_keyring(key_serial_t ringid,	864	static long get_instantiation_keyring(key_serial_t ringid,
821	struct request_key_auth *rka,	865	struct request_key_auth *rka,
@@ -852,7 +896,7 @@ static long get_instantiation_keyring(key_serial_t ringid,
852	}	896	}
853		897
854	/*	898	/*
855	* change the request_key authorisation key on the current process	899	* Change the request_key authorisation key on the current process.
856	*/	900	*/
857	static int keyctl_change_reqkey_auth(struct key *key)	901	static int keyctl_change_reqkey_auth(struct key *key)
858	{	902	{
@@ -869,8 +913,13 @@ static int keyctl_change_reqkey_auth(struct key *key)
869	}	913	}
870		914
871	/*	915	/*
872	* instantiate the key with the specified payload, and, if one is given, link	916	* Instantiate a key with the specified payload and link the key into the
873	* the key into the keyring	917	* destination keyring if one is given.
		918	*
		919	* The caller must have the appropriate instantiation permit set for this to
		920	* work (see keyctl_assume_authority). No other permissions are required.
		921	*
		922	* If successful, 0 will be returned.
874	*/	923	*/
875	long keyctl_instantiate_key(key_serial_t id,	924	long keyctl_instantiate_key(key_serial_t id,
876	const void __user *_payload,	925	const void __user *_payload,
@@ -948,8 +997,19 @@ error:
948	}	997	}
949		998
950	/*	999	/*
951	* negatively instantiate the key with the given timeout (in seconds), and, if	1000	* Negatively instantiate the key with the given timeout (in seconds) and link
952	* one is given, link the key into the keyring	1001	* the key into the destination keyring if one is given.
		1002	*
		1003	* The caller must have the appropriate instantiation permit set for this to
		1004	* work (see keyctl_assume_authority). No other permissions are required.
		1005	*
		1006	* The key and any links to the key will be automatically garbage collected
		1007	* after the timeout expires.
		1008	*
		1009	* Negative keys are used to rate limit repeated request_key() calls by causing
		1010	* them to return -ENOKEY until the negative key expires.
		1011	*
		1012	* If successful, 0 will be returned.
953	*/	1013	*/
954	long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)	1014	long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
955	{	1015	{
@@ -993,8 +1053,11 @@ error:
993	}	1053	}
994		1054
995	/*	1055	/*
996	* set the default keyring in which request_key() will cache keys	1056	* Read or set the default keyring in which request_key() will cache keys and
997	* - return the old setting	1057	* return the old setting.
		1058	*
		1059	* If a process keyring is specified then this will be created if it doesn't
		1060	* yet exist. The old setting will be returned if successful.
998	*/	1061	*/
999	long keyctl_set_reqkey_keyring(int reqkey_defl)	1062	long keyctl_set_reqkey_keyring(int reqkey_defl)
1000	{	1063	{
@@ -1050,7 +1113,16 @@ error:
1050	}	1113	}
1051		1114
1052	/*	1115	/*
1053	* set or clear the timeout for a key	1116	* Set or clear the timeout on a key.
		1117	*
		1118	* Either the key must grant the caller Setattr permission or else the caller
		1119	* must hold an instantiation authorisation token for the key.
		1120	*
		1121	* The timeout is either 0 to clear the timeout, or a number of seconds from
		1122	* the current time. The key and any links to the key will be automatically
		1123	* garbage collected after the timeout expires.
		1124	*
		1125	* If successful, 0 is returned.
1054	*/	1126	*/
1055	long keyctl_set_timeout(key_serial_t id, unsigned timeout)	1127	long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1056	{	1128	{
@@ -1105,7 +1177,21 @@ error:
1105	}	1177	}
1106		1178
1107	/*	1179	/*
1108	* assume the authority to instantiate the specified key	1180	* Assume (or clear) the authority to instantiate the specified key.
		1181	*
		1182	* This sets the authoritative token currently in force for key instantiation.
		1183	* This must be done for a key to be instantiated. It has the effect of making
		1184	* available all the keys from the caller of the request_key() that created a
		1185	* key to request_key() calls made by the caller of this function.
		1186	*
		1187	* The caller must have the instantiation key in their process keyrings with a
		1188	* Search permission grant available to the caller.
		1189	*
		1190	* If the ID given is 0, then the setting will be cleared and 0 returned.
		1191	*
		1192	* If the ID given has a matching an authorisation key, then that key will be
		1193	* set and its ID will be returned. The authorisation key can be read to get
		1194	* the callout information passed to request_key().
1109	*/	1195	*/
1110	long keyctl_assume_authority(key_serial_t id)	1196	long keyctl_assume_authority(key_serial_t id)
1111	{	1197	{
@@ -1145,12 +1231,14 @@ error:
1145	}	1231	}
1146		1232
1147	/*	1233	/*
1148	* get the security label of a key	1234	* Get a key's the LSM security label.
1149	* - the key must grant us view permission	1235	*
1150	* - if there's a buffer, we place up to buflen bytes of data into it	1236	* The key must grant the caller View permission for this to work.
1151	* - unless there's an error, we return the amount of information available,	1237	*
1152	* irrespective of how much we may have copied (including the terminal NUL)	1238	* If there's a buffer, then up to buflen bytes of data will be placed into it.
1153	* - implements keyctl(KEYCTL_GET_SECURITY)	1239	*
		1240	* If successful, the amount of information available will be returned,
		1241	* irrespective of how much was copied (including the terminal NUL).
1154	*/	1242	*/
1155	long keyctl_get_security(key_serial_t keyid,	1243	long keyctl_get_security(key_serial_t keyid,
1156	char __user *buffer,	1244	char __user *buffer,
@@ -1205,10 +1293,16 @@ long keyctl_get_security(key_serial_t keyid,
1205	}	1293	}
1206		1294
1207	/*	1295	/*
1208	* attempt to install the calling process's session keyring on the process's	1296	* Attempt to install the calling process's session keyring on the process's
1209	* parent process	1297	* parent process.
1210	* - the keyring must exist and must grant us LINK permission	1298	*
1211	* - implements keyctl(KEYCTL_SESSION_TO_PARENT)	1299	* The keyring must exist and must grant the caller LINK permission, and the
		1300	* parent process must be single-threaded and must have the same effective
		1301	* ownership as this process and mustn't be SUID/SGID.
		1302	*
		1303	* The keyring will be emplaced on the parent when it next resumes userspace.
		1304	*
		1305	* If successful, 0 will be returned.
1212	*/	1306	*/
1213	long keyctl_session_to_parent(void)	1307	long keyctl_session_to_parent(void)
1214	{	1308	{
@@ -1312,7 +1406,7 @@ error_keyring:
1312	}	1406	}
1313		1407
1314	/*	1408	/*
1315	* the key control system call	1409	* The key control system call
1316	*/	1410	*/
1317	SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,	1411	SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1318	unsigned long, arg4, unsigned long, arg5)	1412	unsigned long, arg4, unsigned long, arg5)