aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2005-09-28 12:03:15 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-09-28 12:10:47 -0400
commit664cceb0093b755739e56572b836a99104ee8a75 (patch)
treedbaa3ab802803879f29532db4d8a91a54294cf88
parent5134fc15b643dc36eb9aa77e4318b886844a9ac5 (diff)
[PATCH] Keys: Add possessor permissions to keys [try #3]
The attached patch adds extra permission grants to keys for the possessor of a key in addition to the owner, group and other permissions bits. This makes SUID binaries easier to support without going as far as labelling keys and key targets using the LSM facilities. This patch adds a second "pointer type" to key structures (struct key_ref *) that can have the bottom bit of the address set to indicate the possession of a key. This is propagated through searches from the keyring to the discovered key. It has been made a separate type so that the compiler can spot attempts to dereference a potentially incorrect pointer. The "possession" attribute can't be attached to a key structure directly as it's not an intrinsic property of a key. Pointers to keys have been replaced with struct key_ref *'s wherever possession information needs to be passed through. This does assume that the bottom bit of the pointer will always be zero on return from kmem_cache_alloc(). The key reference type has been made into a typedef so that at least it can be located in the sources, even though it's basically a pointer to an undefined type. I've also renamed the accessor functions to be more useful, and all reference variables should now end in "_ref". Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--Documentation/keys.txt74
-rw-r--r--include/linux/key-ui.h28
-rw-r--r--include/linux/key.h78
-rw-r--r--security/keys/internal.h26
-rw-r--r--security/keys/key.c81
-rw-r--r--security/keys/keyctl.c301
-rw-r--r--security/keys/keyring.c86
-rw-r--r--security/keys/proc.c2
-rw-r--r--security/keys/process_keys.c164
-rw-r--r--security/keys/request_key.c36
-rw-r--r--security/keys/request_key_auth.c2
11 files changed, 528 insertions, 350 deletions
diff --git a/Documentation/keys.txt b/Documentation/keys.txt
index 0321ded4b9ae..b22e7c8d059a 100644
--- a/Documentation/keys.txt
+++ b/Documentation/keys.txt
@@ -195,8 +195,8 @@ KEY ACCESS PERMISSIONS
195====================== 195======================
196 196
197Keys have an owner user ID, a group access ID, and a permissions mask. The mask 197Keys have an owner user ID, a group access ID, and a permissions mask. The mask
198has up to eight bits each for user, group and other access. Only five of each 198has up to eight bits each for possessor, user, group and other access. Only
199set of eight bits are defined. These permissions granted are: 199five of each set of eight bits are defined. These permissions granted are:
200 200
201 (*) View 201 (*) View
202 202
@@ -241,16 +241,16 @@ about the status of the key service:
241 type, description and permissions. The payload of the key is not available 241 type, description and permissions. The payload of the key is not available
242 this way: 242 this way:
243 243
244 SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY 244 SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY
245 00000001 I----- 39 perm 1f0000 0 0 keyring _uid_ses.0: 1/4 245 00000001 I----- 39 perm 1f1f0000 0 0 keyring _uid_ses.0: 1/4
246 00000002 I----- 2 perm 1f0000 0 0 keyring _uid.0: empty 246 00000002 I----- 2 perm 1f1f0000 0 0 keyring _uid.0: empty
247 00000007 I----- 1 perm 1f0000 0 0 keyring _pid.1: empty 247 00000007 I----- 1 perm 1f1f0000 0 0 keyring _pid.1: empty
248 0000018d I----- 1 perm 1f0000 0 0 keyring _pid.412: empty 248 0000018d I----- 1 perm 1f1f0000 0 0 keyring _pid.412: empty
249 000004d2 I--Q-- 1 perm 1f0000 32 -1 keyring _uid.32: 1/4 249 000004d2 I--Q-- 1 perm 1f1f0000 32 -1 keyring _uid.32: 1/4
250 000004d3 I--Q-- 3 perm 1f0000 32 -1 keyring _uid_ses.32: empty 250 000004d3 I--Q-- 3 perm 1f1f0000 32 -1 keyring _uid_ses.32: empty
251 00000892 I--QU- 1 perm 1f0000 0 0 user metal:copper: 0 251 00000892 I--QU- 1 perm 1f000000 0 0 user metal:copper: 0
252 00000893 I--Q-N 1 35s 1f0000 0 0 user metal:silver: 0 252 00000893 I--Q-N 1 35s 1f1f0000 0 0 user metal:silver: 0
253 00000894 I--Q-- 1 10h 1f0000 0 0 user metal:gold: 0 253 00000894 I--Q-- 1 10h 001f0000 0 0 user metal:gold: 0
254 254
255 The flags are: 255 The flags are:
256 256
@@ -637,6 +637,34 @@ call, and the key released upon close. How to deal with conflicting keys due to
637two different users opening the same file is left to the filesystem author to 637two different users opening the same file is left to the filesystem author to
638solve. 638solve.
639 639
640Note that there are two different types of pointers to keys that may be
641encountered:
642
643 (*) struct key *
644
645 This simply points to the key structure itself. Key structures will be at
646 least four-byte aligned.
647
648 (*) key_ref_t
649
650 This is equivalent to a struct key *, but the least significant bit is set
651 if the caller "possesses" the key. By "possession" it is meant that the
652 calling processes has a searchable link to the key from one of its
653 keyrings. There are three functions for dealing with these:
654
655 key_ref_t make_key_ref(const struct key *key,
656 unsigned long possession);
657
658 struct key *key_ref_to_ptr(const key_ref_t key_ref);
659
660 unsigned long is_key_possessed(const key_ref_t key_ref);
661
662 The first function constructs a key reference from a key pointer and
663 possession information (which must be 0 or 1 and not any other value).
664
665 The second function retrieves the key pointer from a reference and the
666 third retrieves the possession flag.
667
640When accessing a key's payload contents, certain precautions must be taken to 668When accessing a key's payload contents, certain precautions must be taken to
641prevent access vs modification races. See the section "Notes on accessing 669prevent access vs modification races. See the section "Notes on accessing
642payload contents" for more information. 670payload contents" for more information.
@@ -665,7 +693,11 @@ payload contents" for more information.
665 693
666 void key_put(struct key *key); 694 void key_put(struct key *key);
667 695
668 This can be called from interrupt context. If CONFIG_KEYS is not set then 696 Or:
697
698 void key_ref_put(key_ref_t key_ref);
699
700 These can be called from interrupt context. If CONFIG_KEYS is not set then
669 the argument will not be parsed. 701 the argument will not be parsed.
670 702
671 703
@@ -689,13 +721,17 @@ payload contents" for more information.
689 721
690(*) If a keyring was found in the search, this can be further searched by: 722(*) If a keyring was found in the search, this can be further searched by:
691 723
692 struct key *keyring_search(struct key *keyring, 724 key_ref_t keyring_search(key_ref_t keyring_ref,
693 const struct key_type *type, 725 const struct key_type *type,
694 const char *description) 726 const char *description)
695 727
696 This searches the keyring tree specified for a matching key. Error ENOKEY 728 This searches the keyring tree specified for a matching key. Error ENOKEY
697 is returned upon failure. If successful, the returned key will need to be 729 is returned upon failure (use IS_ERR/PTR_ERR to determine). If successful,
698 released. 730 the returned key will need to be released.
731
732 The possession attribute from the keyring reference is used to control
733 access through the permissions mask and is propagated to the returned key
734 reference pointer if successful.
699 735
700 736
701(*) To check the validity of a key, this function can be called: 737(*) To check the validity of a key, this function can be called:
@@ -732,7 +768,7 @@ More complex payload contents must be allocated and a pointer to them set in
732key->payload.data. One of the following ways must be selected to access the 768key->payload.data. One of the following ways must be selected to access the
733data: 769data:
734 770
735 (1) Unmodifyable key type. 771 (1) Unmodifiable key type.
736 772
737 If the key type does not have a modify method, then the key's payload can 773 If the key type does not have a modify method, then the key's payload can
738 be accessed without any form of locking, provided that it's known to be 774 be accessed without any form of locking, provided that it's known to be
diff --git a/include/linux/key-ui.h b/include/linux/key-ui.h
index cc326174a808..918c34a8347e 100644
--- a/include/linux/key-ui.h
+++ b/include/linux/key-ui.h
@@ -42,11 +42,14 @@ struct keyring_list {
42/* 42/*
43 * check to see whether permission is granted to use a key in the desired way 43 * check to see whether permission is granted to use a key in the desired way
44 */ 44 */
45static inline int key_permission(const struct key *key, key_perm_t perm) 45static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
46{ 46{
47 struct key *key = key_ref_to_ptr(key_ref);
47 key_perm_t kperm; 48 key_perm_t kperm;
48 49
49 if (key->uid == current->fsuid) 50 if (is_key_possessed(key_ref))
51 kperm = key->perm >> 24;
52 else if (key->uid == current->fsuid)
50 kperm = key->perm >> 16; 53 kperm = key->perm >> 16;
51 else if (key->gid != -1 && 54 else if (key->gid != -1 &&
52 key->perm & KEY_GRP_ALL && 55 key->perm & KEY_GRP_ALL &&
@@ -65,11 +68,14 @@ static inline int key_permission(const struct key *key, key_perm_t perm)
65 * check to see whether permission is granted to use a key in at least one of 68 * check to see whether permission is granted to use a key in at least one of
66 * the desired ways 69 * the desired ways
67 */ 70 */
68static inline int key_any_permission(const struct key *key, key_perm_t perm) 71static inline int key_any_permission(const key_ref_t key_ref, key_perm_t perm)
69{ 72{
73 struct key *key = key_ref_to_ptr(key_ref);
70 key_perm_t kperm; 74 key_perm_t kperm;
71 75
72 if (key->uid == current->fsuid) 76 if (is_key_possessed(key_ref))
77 kperm = key->perm >> 24;
78 else if (key->uid == current->fsuid)
73 kperm = key->perm >> 16; 79 kperm = key->perm >> 16;
74 else if (key->gid != -1 && 80 else if (key->gid != -1 &&
75 key->perm & KEY_GRP_ALL && 81 key->perm & KEY_GRP_ALL &&
@@ -94,13 +100,17 @@ static inline int key_task_groups_search(struct task_struct *tsk, gid_t gid)
94 return ret; 100 return ret;
95} 101}
96 102
97static inline int key_task_permission(const struct key *key, 103static inline int key_task_permission(const key_ref_t key_ref,
98 struct task_struct *context, 104 struct task_struct *context,
99 key_perm_t perm) 105 key_perm_t perm)
100{ 106{
107 struct key *key = key_ref_to_ptr(key_ref);
101 key_perm_t kperm; 108 key_perm_t kperm;
102 109
103 if (key->uid == context->fsuid) { 110 if (is_key_possessed(key_ref)) {
111 kperm = key->perm >> 24;
112 }
113 else if (key->uid == context->fsuid) {
104 kperm = key->perm >> 16; 114 kperm = key->perm >> 16;
105 } 115 }
106 else if (key->gid != -1 && 116 else if (key->gid != -1 &&
@@ -121,9 +131,9 @@ static inline int key_task_permission(const struct key *key,
121 131
122} 132}
123 133
124extern struct key *lookup_user_key(struct task_struct *context, 134extern key_ref_t lookup_user_key(struct task_struct *context,
125 key_serial_t id, int create, int partial, 135 key_serial_t id, int create, int partial,
126 key_perm_t perm); 136 key_perm_t perm);
127 137
128extern long join_session_keyring(const char *name); 138extern long join_session_keyring(const char *name);
129 139
diff --git a/include/linux/key.h b/include/linux/key.h
index 970bbd916cf4..f1efa016dbf3 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -35,11 +35,18 @@ struct key;
35 35
36#undef KEY_DEBUGGING 36#undef KEY_DEBUGGING
37 37
38#define KEY_USR_VIEW 0x00010000 /* user can view a key's attributes */ 38#define KEY_POS_VIEW 0x01000000 /* possessor can view a key's attributes */
39#define KEY_USR_READ 0x00020000 /* user can read key payload / view keyring */ 39#define KEY_POS_READ 0x02000000 /* possessor can read key payload / view keyring */
40#define KEY_USR_WRITE 0x00040000 /* user can update key payload / add link to keyring */ 40#define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */
41#define KEY_USR_SEARCH 0x00080000 /* user can find a key in search / search a keyring */ 41#define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */
42#define KEY_USR_LINK 0x00100000 /* user can create a link to a key/keyring */ 42#define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */
43#define KEY_POS_ALL 0x1f000000
44
45#define KEY_USR_VIEW 0x00010000 /* user permissions... */
46#define KEY_USR_READ 0x00020000
47#define KEY_USR_WRITE 0x00040000
48#define KEY_USR_SEARCH 0x00080000
49#define KEY_USR_LINK 0x00100000
43#define KEY_USR_ALL 0x001f0000 50#define KEY_USR_ALL 0x001f0000
44 51
45#define KEY_GRP_VIEW 0x00000100 /* group permissions... */ 52#define KEY_GRP_VIEW 0x00000100 /* group permissions... */
@@ -67,6 +74,38 @@ struct keyring_name;
67 74
68/*****************************************************************************/ 75/*****************************************************************************/
69/* 76/*
77 * key reference with possession attribute handling
78 *
79 * NOTE! key_ref_t is a typedef'd pointer to a type that is not actually
80 * defined. This is because we abuse the bottom bit of the reference to carry a
81 * flag to indicate whether the calling process possesses that key in one of
82 * its keyrings.
83 *
84 * the key_ref_t has been made a separate type so that the compiler can reject
85 * attempts to dereference it without proper conversion.
86 *
87 * the three functions are used to assemble and disassemble references
88 */
89typedef struct __key_reference_with_attributes *key_ref_t;
90
91static inline key_ref_t make_key_ref(const struct key *key,
92 unsigned long possession)
93{
94 return (key_ref_t) ((unsigned long) key | possession);
95}
96
97static inline struct key *key_ref_to_ptr(const key_ref_t key_ref)
98{
99 return (struct key *) ((unsigned long) key_ref & ~1UL);
100}
101
102static inline unsigned long is_key_possessed(const key_ref_t key_ref)
103{
104 return (unsigned long) key_ref & 1UL;
105}
106
107/*****************************************************************************/
108/*
70 * authentication token / access credential / keyring 109 * authentication token / access credential / keyring
71 * - types of key include: 110 * - types of key include:
72 * - keyrings 111 * - keyrings
@@ -215,20 +254,25 @@ static inline struct key *key_get(struct key *key)
215 return key; 254 return key;
216} 255}
217 256
257static inline void key_ref_put(key_ref_t key_ref)
258{
259 key_put(key_ref_to_ptr(key_ref));
260}
261
218extern struct key *request_key(struct key_type *type, 262extern struct key *request_key(struct key_type *type,
219 const char *description, 263 const char *description,
220 const char *callout_info); 264 const char *callout_info);
221 265
222extern int key_validate(struct key *key); 266extern int key_validate(struct key *key);
223 267
224extern struct key *key_create_or_update(struct key *keyring, 268extern key_ref_t key_create_or_update(key_ref_t keyring,
225 const char *type, 269 const char *type,
226 const char *description, 270 const char *description,
227 const void *payload, 271 const void *payload,
228 size_t plen, 272 size_t plen,
229 int not_in_quota); 273 int not_in_quota);
230 274
231extern int key_update(struct key *key, 275extern int key_update(key_ref_t key,
232 const void *payload, 276 const void *payload,
233 size_t plen); 277 size_t plen);
234 278
@@ -243,9 +287,9 @@ extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
243 287
244extern int keyring_clear(struct key *keyring); 288extern int keyring_clear(struct key *keyring);
245 289
246extern struct key *keyring_search(struct key *keyring, 290extern key_ref_t keyring_search(key_ref_t keyring,
247 struct key_type *type, 291 struct key_type *type,
248 const char *description); 292 const char *description);
249 293
250extern int keyring_add_key(struct key *keyring, 294extern int keyring_add_key(struct key *keyring,
251 struct key *key); 295 struct key *key);
@@ -285,6 +329,10 @@ extern void key_init(void);
285#define key_serial(k) 0 329#define key_serial(k) 0
286#define key_get(k) ({ NULL; }) 330#define key_get(k) ({ NULL; })
287#define key_put(k) do { } while(0) 331#define key_put(k) do { } while(0)
332#define key_ref_put(k) do { } while(0)
333#define make_key_ref(k) ({ NULL; })
334#define key_ref_to_ptr(k) ({ NULL; })
335#define is_key_possessed(k) 0
288#define alloc_uid_keyring(u) 0 336#define alloc_uid_keyring(u) 0
289#define switch_uid_keyring(u) do { } while(0) 337#define switch_uid_keyring(u) do { } while(0)
290#define __install_session_keyring(t, k) ({ NULL; }) 338#define __install_session_keyring(t, k) ({ NULL; })
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 46c8602661c9..db99ed434f3a 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -71,26 +71,26 @@ extern void keyring_publish_name(struct key *keyring);
71 71
72extern int __key_link(struct key *keyring, struct key *key); 72extern int __key_link(struct key *keyring, struct key *key);
73 73
74extern struct key *__keyring_search_one(struct key *keyring, 74extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
75 const struct key_type *type, 75 const struct key_type *type,
76 const char *description, 76 const char *description,
77 key_perm_t perm); 77 key_perm_t perm);
78 78
79extern struct key *keyring_search_instkey(struct key *keyring, 79extern struct key *keyring_search_instkey(struct key *keyring,
80 key_serial_t target_id); 80 key_serial_t target_id);
81 81
82typedef int (*key_match_func_t)(const struct key *, const void *); 82typedef int (*key_match_func_t)(const struct key *, const void *);
83 83
84extern struct key *keyring_search_aux(struct key *keyring, 84extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
85 struct task_struct *tsk, 85 struct task_struct *tsk,
86 struct key_type *type, 86 struct key_type *type,
87 const void *description, 87 const void *description,
88 key_match_func_t match); 88 key_match_func_t match);
89 89
90extern struct key *search_process_keyrings(struct key_type *type, 90extern key_ref_t search_process_keyrings(struct key_type *type,
91 const void *description, 91 const void *description,
92 key_match_func_t match, 92 key_match_func_t match,
93 struct task_struct *tsk); 93 struct task_struct *tsk);
94 94
95extern struct key *find_keyring_by_name(const char *name, key_serial_t bound); 95extern struct key *find_keyring_by_name(const char *name, key_serial_t bound);
96 96
diff --git a/security/keys/key.c b/security/keys/key.c
index fb89f9844465..2182be9e9309 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -693,14 +693,15 @@ void key_type_put(struct key_type *ktype)
693 * - the key has an incremented refcount 693 * - the key has an incremented refcount
694 * - we need to put the key if we get an error 694 * - we need to put the key if we get an error
695 */ 695 */
696static inline struct key *__key_update(struct key *key, const void *payload, 696static inline key_ref_t __key_update(key_ref_t key_ref,
697 size_t plen) 697 const void *payload, size_t plen)
698{ 698{
699 struct key *key = key_ref_to_ptr(key_ref);
699 int ret; 700 int ret;
700 701
701 /* need write permission on the key to update it */ 702 /* need write permission on the key to update it */
702 ret = -EACCES; 703 ret = -EACCES;
703 if (!key_permission(key, KEY_WRITE)) 704 if (!key_permission(key_ref, KEY_WRITE))
704 goto error; 705 goto error;
705 706
706 ret = -EEXIST; 707 ret = -EEXIST;
@@ -719,12 +720,12 @@ static inline struct key *__key_update(struct key *key, const void *payload,
719 720
720 if (ret < 0) 721 if (ret < 0)
721 goto error; 722 goto error;
722 out: 723out:
723 return key; 724 return key_ref;
724 725
725 error: 726error:
726 key_put(key); 727 key_put(key);
727 key = ERR_PTR(ret); 728 key_ref = ERR_PTR(ret);
728 goto out; 729 goto out;
729 730
730} /* end __key_update() */ 731} /* end __key_update() */
@@ -734,52 +735,56 @@ static inline struct key *__key_update(struct key *key, const void *payload,
734 * search the specified keyring for a key of the same description; if one is 735 * search the specified keyring for a key of the same description; if one is
735 * found, update it, otherwise add a new one 736 * found, update it, otherwise add a new one
736 */ 737 */
737struct key *key_create_or_update(struct key *keyring, 738key_ref_t key_create_or_update(key_ref_t keyring_ref,
738 const char *type, 739 const char *type,
739 const char *description, 740 const char *description,
740 const void *payload, 741 const void *payload,
741 size_t plen, 742 size_t plen,
742 int not_in_quota) 743 int not_in_quota)
743{ 744{
744 struct key_type *ktype; 745 struct key_type *ktype;
745 struct key *key = NULL; 746 struct key *keyring, *key = NULL;
746 key_perm_t perm; 747 key_perm_t perm;
748 key_ref_t key_ref;
747 int ret; 749 int ret;
748 750
749 key_check(keyring);
750
751 /* look up the key type to see if it's one of the registered kernel 751 /* look up the key type to see if it's one of the registered kernel
752 * types */ 752 * types */
753 ktype = key_type_lookup(type); 753 ktype = key_type_lookup(type);
754 if (IS_ERR(ktype)) { 754 if (IS_ERR(ktype)) {
755 key = ERR_PTR(-ENODEV); 755 key_ref = ERR_PTR(-ENODEV);
756 goto error; 756 goto error;
757 } 757 }
758 758
759 ret = -EINVAL; 759 key_ref = ERR_PTR(-EINVAL);
760 if (!ktype->match || !ktype->instantiate) 760 if (!ktype->match || !ktype->instantiate)
761 goto error_2; 761 goto error_2;
762 762
763 keyring = key_ref_to_ptr(keyring_ref);
764
765 key_check(keyring);
766
767 down_write(&keyring->sem);
768
769 /* if we're going to allocate a new key, we're going to have
770 * to modify the keyring */
771 key_ref = ERR_PTR(-EACCES);
772 if (!key_permission(keyring_ref, KEY_WRITE))
773 goto error_3;
774
763 /* search for an existing key of the same type and description in the 775 /* search for an existing key of the same type and description in the
764 * destination keyring 776 * destination keyring
765 */ 777 */
766 down_write(&keyring->sem); 778 key_ref = __keyring_search_one(keyring_ref, ktype, description, 0);
767 779 if (!IS_ERR(key_ref))
768 key = __keyring_search_one(keyring, ktype, description, 0);
769 if (!IS_ERR(key))
770 goto found_matching_key; 780 goto found_matching_key;
771 781
772 /* if we're going to allocate a new key, we're going to have to modify
773 * the keyring */
774 ret = -EACCES;
775 if (!key_permission(keyring, KEY_WRITE))
776 goto error_3;
777
778 /* decide on the permissions we want */ 782 /* decide on the permissions we want */
779 perm = KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK; 783 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK;
784 perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK;
780 785
781 if (ktype->read) 786 if (ktype->read)
782 perm |= KEY_USR_READ; 787 perm |= KEY_POS_READ | KEY_USR_READ;
783 788
784 if (ktype == &key_type_keyring || ktype->update) 789 if (ktype == &key_type_keyring || ktype->update)
785 perm |= KEY_USR_WRITE; 790 perm |= KEY_USR_WRITE;
@@ -788,7 +793,7 @@ struct key *key_create_or_update(struct key *keyring,
788 key = key_alloc(ktype, description, current->fsuid, current->fsgid, 793 key = key_alloc(ktype, description, current->fsuid, current->fsgid,
789 perm, not_in_quota); 794 perm, not_in_quota);
790 if (IS_ERR(key)) { 795 if (IS_ERR(key)) {
791 ret = PTR_ERR(key); 796 key_ref = ERR_PTR(PTR_ERR(key));
792 goto error_3; 797 goto error_3;
793 } 798 }
794 799
@@ -796,15 +801,18 @@ struct key *key_create_or_update(struct key *keyring,
796 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL); 801 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
797 if (ret < 0) { 802 if (ret < 0) {
798 key_put(key); 803 key_put(key);
799 key = ERR_PTR(ret); 804 key_ref = ERR_PTR(ret);
805 goto error_3;
800 } 806 }
801 807
808 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
809
802 error_3: 810 error_3:
803 up_write(&keyring->sem); 811 up_write(&keyring->sem);
804 error_2: 812 error_2:
805 key_type_put(ktype); 813 key_type_put(ktype);
806 error: 814 error:
807 return key; 815 return key_ref;
808 816
809 found_matching_key: 817 found_matching_key:
810 /* we found a matching key, so we're going to try to update it 818 /* we found a matching key, so we're going to try to update it
@@ -813,7 +821,7 @@ struct key *key_create_or_update(struct key *keyring,
813 up_write(&keyring->sem); 821 up_write(&keyring->sem);
814 key_type_put(ktype); 822 key_type_put(ktype);
815 823
816 key = __key_update(key, payload, plen); 824 key_ref = __key_update(key_ref, payload, plen);
817 goto error; 825 goto error;
818 826
819} /* end key_create_or_update() */ 827} /* end key_create_or_update() */
@@ -824,15 +832,16 @@ EXPORT_SYMBOL(key_create_or_update);
824/* 832/*
825 * update a key 833 * update a key
826 */ 834 */
827int key_update(struct key *key, const void *payload, size_t plen) 835int key_update(key_ref_t key_ref, const void *payload, size_t plen)
828{ 836{
837 struct key *key = key_ref_to_ptr(key_ref);
829 int ret; 838 int ret;
830 839
831 key_check(key); 840 key_check(key);
832 841
833 /* the key must be writable */ 842 /* the key must be writable */
834 ret = -EACCES; 843 ret = -EACCES;
835 if (!key_permission(key, KEY_WRITE)) 844 if (!key_permission(key_ref, KEY_WRITE))
836 goto error; 845 goto error;
837 846
838 /* attempt to update it if supported */ 847 /* attempt to update it if supported */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index a6516a64b297..4c670ee6acf9 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -34,7 +34,7 @@ asmlinkage long sys_add_key(const char __user *_type,
34 size_t plen, 34 size_t plen,
35 key_serial_t ringid) 35 key_serial_t ringid)
36{ 36{
37 struct key *keyring, *key; 37 key_ref_t keyring_ref, key_ref;
38 char type[32], *description; 38 char type[32], *description;
39 void *payload; 39 void *payload;
40 long dlen, ret; 40 long dlen, ret;
@@ -86,25 +86,25 @@ asmlinkage long sys_add_key(const char __user *_type,
86 } 86 }
87 87
88 /* find the target keyring (which must be writable) */ 88 /* find the target keyring (which must be writable) */
89 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 89 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
90 if (IS_ERR(keyring)) { 90 if (IS_ERR(keyring_ref)) {
91 ret = PTR_ERR(keyring); 91 ret = PTR_ERR(keyring_ref);
92 goto error3; 92 goto error3;
93 } 93 }
94 94
95 /* create or update the requested key and add it to the target 95 /* create or update the requested key and add it to the target
96 * keyring */ 96 * keyring */
97 key = key_create_or_update(keyring, type, description, 97 key_ref = key_create_or_update(keyring_ref, type, description,
98 payload, plen, 0); 98 payload, plen, 0);
99 if (!IS_ERR(key)) { 99 if (!IS_ERR(key_ref)) {
100 ret = key->serial; 100 ret = key_ref_to_ptr(key_ref)->serial;
101 key_put(key); 101 key_ref_put(key_ref);
102 } 102 }
103 else { 103 else {
104 ret = PTR_ERR(key); 104 ret = PTR_ERR(key_ref);
105 } 105 }
106 106
107 key_put(keyring); 107 key_ref_put(keyring_ref);
108 error3: 108 error3:
109 kfree(payload); 109 kfree(payload);
110 error2: 110 error2:
@@ -131,7 +131,8 @@ asmlinkage long sys_request_key(const char __user *_type,
131 key_serial_t destringid) 131 key_serial_t destringid)
132{ 132{
133 struct key_type *ktype; 133 struct key_type *ktype;
134 struct key *key, *dest; 134 struct key *key;
135 key_ref_t dest_ref;
135 char type[32], *description, *callout_info; 136 char type[32], *description, *callout_info;
136 long dlen, ret; 137 long dlen, ret;
137 138
@@ -187,11 +188,11 @@ asmlinkage long sys_request_key(const char __user *_type,
187 } 188 }
188 189
189 /* get the destination keyring if specified */ 190 /* get the destination keyring if specified */
190 dest = NULL; 191 dest_ref = NULL;
191 if (destringid) { 192 if (destringid) {
192 dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 193 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
193 if (IS_ERR(dest)) { 194 if (IS_ERR(dest_ref)) {
194 ret = PTR_ERR(dest); 195 ret = PTR_ERR(dest_ref);
195 goto error3; 196 goto error3;
196 } 197 }
197 } 198 }
@@ -204,7 +205,8 @@ asmlinkage long sys_request_key(const char __user *_type,
204 } 205 }
205 206
206 /* do the search */ 207 /* do the search */
207 key = request_key_and_link(ktype, description, callout_info, dest); 208 key = request_key_and_link(ktype, description, callout_info,
209 key_ref_to_ptr(dest_ref));
208 if (IS_ERR(key)) { 210 if (IS_ERR(key)) {
209 ret = PTR_ERR(key); 211 ret = PTR_ERR(key);
210 goto error5; 212 goto error5;
@@ -216,7 +218,7 @@ asmlinkage long sys_request_key(const char __user *_type,
216 error5: 218 error5:
217 key_type_put(ktype); 219 key_type_put(ktype);
218 error4: 220 error4:
219 key_put(dest); 221 key_ref_put(dest_ref);
220 error3: 222 error3:
221 kfree(callout_info); 223 kfree(callout_info);
222 error2: 224 error2:
@@ -234,17 +236,17 @@ asmlinkage long sys_request_key(const char __user *_type,
234 */ 236 */
235long keyctl_get_keyring_ID(key_serial_t id, int create) 237long keyctl_get_keyring_ID(key_serial_t id, int create)
236{ 238{
237 struct key *key; 239 key_ref_t key_ref;
238 long ret; 240 long ret;
239 241
240 key = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 242 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH);
241 if (IS_ERR(key)) { 243 if (IS_ERR(key_ref)) {
242 ret = PTR_ERR(key); 244 ret = PTR_ERR(key_ref);
243 goto error; 245 goto error;
244 } 246 }
245 247
246 ret = key->serial; 248 ret = key_ref_to_ptr(key_ref)->serial;
247 key_put(key); 249 key_ref_put(key_ref);
248 error: 250 error:
249 return ret; 251 return ret;
250 252
@@ -302,7 +304,7 @@ long keyctl_update_key(key_serial_t id,
302 const void __user *_payload, 304 const void __user *_payload,
303 size_t plen) 305 size_t plen)
304{ 306{
305 struct key *key; 307 key_ref_t key_ref;
306 void *payload; 308 void *payload;
307 long ret; 309 long ret;
308 310
@@ -324,16 +326,16 @@ long keyctl_update_key(key_serial_t id,
324 } 326 }
325 327
326 /* find the target key (which must be writable) */ 328 /* find the target key (which must be writable) */
327 key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 329 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
328 if (IS_ERR(key)) { 330 if (IS_ERR(key_ref)) {
329 ret = PTR_ERR(key); 331 ret = PTR_ERR(key_ref);
330 goto error2; 332 goto error2;
331 } 333 }
332 334
333 /* update the key */ 335 /* update the key */
334 ret = key_update(key, payload, plen); 336 ret = key_update(key_ref, payload, plen);
335 337
336 key_put(key); 338 key_ref_put(key_ref);
337 error2: 339 error2:
338 kfree(payload); 340 kfree(payload);
339 error: 341 error:
@@ -349,19 +351,19 @@ long keyctl_update_key(key_serial_t id,
349 */ 351 */
350long keyctl_revoke_key(key_serial_t id) 352long keyctl_revoke_key(key_serial_t id)
351{ 353{
352 struct key *key; 354 key_ref_t key_ref;
353 long ret; 355 long ret;
354 356
355 key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 357 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
356 if (IS_ERR(key)) { 358 if (IS_ERR(key_ref)) {
357 ret = PTR_ERR(key); 359 ret = PTR_ERR(key_ref);
358 goto error; 360 goto error;
359 } 361 }
360 362
361 key_revoke(key); 363 key_revoke(key_ref_to_ptr(key_ref));
362 ret = 0; 364 ret = 0;
363 365
364 key_put(key); 366 key_ref_put(key_ref);
365 error: 367 error:
366 return ret; 368 return ret;
367 369
@@ -375,18 +377,18 @@ long keyctl_revoke_key(key_serial_t id)
375 */ 377 */
376long keyctl_keyring_clear(key_serial_t ringid) 378long keyctl_keyring_clear(key_serial_t ringid)
377{ 379{
378 struct key *keyring; 380 key_ref_t keyring_ref;
379 long ret; 381 long ret;
380 382
381 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 383 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
382 if (IS_ERR(keyring)) { 384 if (IS_ERR(keyring_ref)) {
383 ret = PTR_ERR(keyring); 385 ret = PTR_ERR(keyring_ref);
384 goto error; 386 goto error;
385 } 387 }
386 388
387 ret = keyring_clear(keyring); 389 ret = keyring_clear(key_ref_to_ptr(keyring_ref));
388 390
389 key_put(keyring); 391 key_ref_put(keyring_ref);
390 error: 392 error:
391 return ret; 393 return ret;
392 394
@@ -401,26 +403,26 @@ long keyctl_keyring_clear(key_serial_t ringid)
401 */ 403 */
402long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 404long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
403{ 405{
404 struct key *keyring, *key; 406 key_ref_t keyring_ref, key_ref;
405 long ret; 407 long ret;
406 408
407 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 409 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
408 if (IS_ERR(keyring)) { 410 if (IS_ERR(keyring_ref)) {
409 ret = PTR_ERR(keyring); 411 ret = PTR_ERR(keyring_ref);
410 goto error; 412 goto error;
411 } 413 }
412 414
413 key = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 415 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK);
414 if (IS_ERR(key)) { 416 if (IS_ERR(key_ref)) {
415 ret = PTR_ERR(key); 417 ret = PTR_ERR(key_ref);
416 goto error2; 418 goto error2;
417 } 419 }
418 420
419 ret = key_link(keyring, key); 421 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
420 422
421 key_put(key); 423 key_ref_put(key_ref);
422 error2: 424 error2:
423 key_put(keyring); 425 key_ref_put(keyring_ref);
424 error: 426 error:
425 return ret; 427 return ret;
426 428
@@ -435,26 +437,26 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
435 */ 437 */
436long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 438long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
437{ 439{
438 struct key *keyring, *key; 440 key_ref_t keyring_ref, key_ref;
439 long ret; 441 long ret;
440 442
441 keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 443 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE);
442 if (IS_ERR(keyring)) { 444 if (IS_ERR(keyring_ref)) {
443 ret = PTR_ERR(keyring); 445 ret = PTR_ERR(keyring_ref);
444 goto error; 446 goto error;
445 } 447 }
446 448
447 key = lookup_user_key(NULL, id, 0, 0, 0); 449 key_ref = lookup_user_key(NULL, id, 0, 0, 0);
448 if (IS_ERR(key)) { 450 if (IS_ERR(key_ref)) {
449 ret = PTR_ERR(key); 451 ret = PTR_ERR(key_ref);
450 goto error2; 452 goto error2;
451 } 453 }
452 454
453 ret = key_unlink(keyring, key); 455 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
454 456
455 key_put(key); 457 key_ref_put(key_ref);
456 error2: 458 error2:
457 key_put(keyring); 459 key_ref_put(keyring_ref);
458 error: 460 error:
459 return ret; 461 return ret;
460 462
@@ -476,24 +478,26 @@ long keyctl_describe_key(key_serial_t keyid,
476 size_t buflen) 478 size_t buflen)
477{ 479{
478 struct key *key, *instkey; 480 struct key *key, *instkey;
481 key_ref_t key_ref;
479 char *tmpbuf; 482 char *tmpbuf;
480 long ret; 483 long ret;
481 484
482 key = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 485 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
483 if (IS_ERR(key)) { 486 if (IS_ERR(key_ref)) {
484 /* viewing a key under construction is permitted if we have the 487 /* viewing a key under construction is permitted if we have the
485 * authorisation token handy */ 488 * authorisation token handy */
486 if (PTR_ERR(key) == -EACCES) { 489 if (PTR_ERR(key_ref) == -EACCES) {
487 instkey = key_get_instantiation_authkey(keyid); 490 instkey = key_get_instantiation_authkey(keyid);
488 if (!IS_ERR(instkey)) { 491 if (!IS_ERR(instkey)) {
489 key_put(instkey); 492 key_put(instkey);
490 key = lookup_user_key(NULL, keyid, 0, 1, 0); 493 key_ref = lookup_user_key(NULL, keyid,
491 if (!IS_ERR(key)) 494 0, 1, 0);
495 if (!IS_ERR(key_ref))
492 goto okay; 496 goto okay;
493 } 497 }
494 } 498 }
495 499
496 ret = PTR_ERR(key); 500 ret = PTR_ERR(key_ref);
497 goto error; 501 goto error;
498 } 502 }
499 503
@@ -504,13 +508,16 @@ okay:
504 if (!tmpbuf) 508 if (!tmpbuf)
505 goto error2; 509 goto error2;
506 510
511 key = key_ref_to_ptr(key_ref);
512
507 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 513 ret = snprintf(tmpbuf, PAGE_SIZE - 1,
508 "%s;%d;%d;%06x;%s", 514 "%s;%d;%d;%08x;%s",
509 key->type->name, 515 key_ref_to_ptr(key_ref)->type->name,
510 key->uid, 516 key_ref_to_ptr(key_ref)->uid,
511 key->gid, 517 key_ref_to_ptr(key_ref)->gid,
512 key->perm, 518 key_ref_to_ptr(key_ref)->perm,
513 key->description ? key->description :"" 519 key_ref_to_ptr(key_ref)->description ?
520 key_ref_to_ptr(key_ref)->description : ""
514 ); 521 );
515 522
516 /* include a NUL char at the end of the data */ 523 /* include a NUL char at the end of the data */
@@ -530,7 +537,7 @@ okay:
530 537
531 kfree(tmpbuf); 538 kfree(tmpbuf);
532 error2: 539 error2:
533 key_put(key); 540 key_ref_put(key_ref);
534 error: 541 error:
535 return ret; 542 return ret;
536 543
@@ -552,7 +559,7 @@ long keyctl_keyring_search(key_serial_t ringid,
552 key_serial_t destringid) 559 key_serial_t destringid)
553{ 560{
554 struct key_type *ktype; 561 struct key_type *ktype;
555 struct key *keyring, *key, *dest; 562 key_ref_t keyring_ref, key_ref, dest_ref;
556 char type[32], *description; 563 char type[32], *description;
557 long dlen, ret; 564 long dlen, ret;
558 565
@@ -581,18 +588,18 @@ long keyctl_keyring_search(key_serial_t ringid,
581 goto error2; 588 goto error2;
582 589
583 /* get the keyring at which to begin the search */ 590 /* get the keyring at which to begin the search */
584 keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 591 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH);
585 if (IS_ERR(keyring)) { 592 if (IS_ERR(keyring_ref)) {
586 ret = PTR_ERR(keyring); 593 ret = PTR_ERR(keyring_ref);
587 goto error2; 594 goto error2;
588 } 595 }
589 596
590 /* get the destination keyring if specified */ 597 /* get the destination keyring if specified */
591 dest = NULL; 598 dest_ref = NULL;
592 if (destringid) { 599 if (destringid) {
593 dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 600 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
594 if (IS_ERR(dest)) { 601 if (IS_ERR(dest_ref)) {
595 ret = PTR_ERR(dest); 602 ret = PTR_ERR(dest_ref);
596 goto error3; 603 goto error3;
597 } 604 }
598 } 605 }
@@ -605,9 +612,9 @@ long keyctl_keyring_search(key_serial_t ringid,
605 } 612 }
606 613
607 /* do the search */ 614 /* do the search */
608 key = keyring_search(keyring, ktype, description); 615 key_ref = keyring_search(keyring_ref, ktype, description);
609 if (IS_ERR(key)) { 616 if (IS_ERR(key_ref)) {
610 ret = PTR_ERR(key); 617 ret = PTR_ERR(key_ref);
611 618
612 /* treat lack or presence of a negative key the same */ 619 /* treat lack or presence of a negative key the same */
613 if (ret == -EAGAIN) 620 if (ret == -EAGAIN)
@@ -616,26 +623,26 @@ long keyctl_keyring_search(key_serial_t ringid,
616 } 623 }
617 624
618 /* link the resulting key to the destination keyring if we can */ 625 /* link the resulting key to the destination keyring if we can */
619 if (dest) { 626 if (dest_ref) {
620 ret = -EACCES; 627 ret = -EACCES;
621 if (!key_permission(key, KEY_LINK)) 628 if (!key_permission(key_ref, KEY_LINK))
622 goto error6; 629 goto error6;
623 630
624 ret = key_link(dest, key); 631 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
625 if (ret < 0) 632 if (ret < 0)
626 goto error6; 633 goto error6;
627 } 634 }
628 635
629 ret = key->serial; 636 ret = key_ref_to_ptr(key_ref)->serial;
630 637
631 error6: 638 error6:
632 key_put(key); 639 key_ref_put(key_ref);
633 error5: 640 error5:
634 key_type_put(ktype); 641 key_type_put(ktype);
635 error4: 642 error4:
636 key_put(dest); 643 key_ref_put(dest_ref);
637 error3: 644 error3:
638 key_put(keyring); 645 key_ref_put(keyring_ref);
639 error2: 646 error2:
640 kfree(description); 647 kfree(description);
641 error: 648 error:
@@ -645,16 +652,6 @@ long keyctl_keyring_search(key_serial_t ringid,
645 652
646/*****************************************************************************/ 653/*****************************************************************************/
647/* 654/*
648 * see if the key we're looking at is the target key
649 */
650static int keyctl_read_key_same(const struct key *key, const void *target)
651{
652 return key == target;
653
654} /* end keyctl_read_key_same() */
655
656/*****************************************************************************/
657/*
658 * read a user key's payload 655 * read a user key's payload
659 * - the keyring must be readable or the key must be searchable from the 656 * - the keyring must be readable or the key must be searchable from the
660 * process's keyrings 657 * process's keyrings
@@ -665,38 +662,33 @@ static int keyctl_read_key_same(const struct key *key, const void *target)
665 */ 662 */
666long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 663long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
667{ 664{
668 struct key *key, *skey; 665 struct key *key;
666 key_ref_t key_ref;
669 long ret; 667 long ret;
670 668
671 /* find the key first */ 669 /* find the key first */
672 key = lookup_user_key(NULL, keyid, 0, 0, 0); 670 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0);
673 if (!IS_ERR(key)) { 671 if (IS_ERR(key_ref)) {
674 /* see if we can read it directly */ 672 ret = -ENOKEY;
675 if (key_permission(key, KEY_READ)) 673 goto error;
676 goto can_read_key;
677
678 /* we can't; see if it's searchable from this process's
679 * keyrings
680 * - we automatically take account of the fact that it may be
681 * dangling off an instantiation key
682 */
683 skey = search_process_keyrings(key->type, key,
684 keyctl_read_key_same, current);
685 if (!IS_ERR(skey))
686 goto can_read_key2;
687
688 ret = PTR_ERR(skey);
689 if (ret == -EAGAIN)
690 ret = -EACCES;
691 goto error2;
692 } 674 }
693 675
694 ret = -ENOKEY; 676 key = key_ref_to_ptr(key_ref);
695 goto error; 677
678 /* see if we can read it directly */
679 if (key_permission(key_ref, KEY_READ))
680 goto can_read_key;
681
682 /* we can't; see if it's searchable from this process's keyrings
683 * - we automatically take account of the fact that it may be
684 * dangling off an instantiation key
685 */
686 if (!is_key_possessed(key_ref)) {
687 ret = -EACCES;
688 goto error2;
689 }
696 690
697 /* the key is probably readable - now try to read it */ 691 /* the key is probably readable - now try to read it */
698 can_read_key2:
699 key_put(skey);
700 can_read_key: 692 can_read_key:
701 ret = key_validate(key); 693 ret = key_validate(key);
702 if (ret == 0) { 694 if (ret == 0) {
@@ -727,18 +719,21 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
727long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 719long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
728{ 720{
729 struct key *key; 721 struct key *key;
722 key_ref_t key_ref;
730 long ret; 723 long ret;
731 724
732 ret = 0; 725 ret = 0;
733 if (uid == (uid_t) -1 && gid == (gid_t) -1) 726 if (uid == (uid_t) -1 && gid == (gid_t) -1)
734 goto error; 727 goto error;
735 728
736 key = lookup_user_key(NULL, id, 1, 1, 0); 729 key_ref = lookup_user_key(NULL, id, 1, 1, 0);
737 if (IS_ERR(key)) { 730 if (IS_ERR(key_ref)) {
738 ret = PTR_ERR(key); 731 ret = PTR_ERR(key_ref);
739 goto error; 732 goto error;
740 } 733 }
741 734
735 key = key_ref_to_ptr(key_ref);
736
742 /* make the changes with the locks held to prevent chown/chown races */ 737 /* make the changes with the locks held to prevent chown/chown races */
743 ret = -EACCES; 738 ret = -EACCES;
744 down_write(&key->sem); 739 down_write(&key->sem);
@@ -784,18 +779,21 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
784long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 779long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
785{ 780{
786 struct key *key; 781 struct key *key;
782 key_ref_t key_ref;
787 long ret; 783 long ret;
788 784
789 ret = -EINVAL; 785 ret = -EINVAL;
790 if (perm & ~(KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 786 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
791 goto error; 787 goto error;
792 788
793 key = lookup_user_key(NULL, id, 1, 1, 0); 789 key_ref = lookup_user_key(NULL, id, 1, 1, 0);
794 if (IS_ERR(key)) { 790 if (IS_ERR(key_ref)) {
795 ret = PTR_ERR(key); 791 ret = PTR_ERR(key_ref);
796 goto error; 792 goto error;
797 } 793 }
798 794
795 key = key_ref_to_ptr(key_ref);
796
799 /* make the changes with the locks held to prevent chown/chmod races */ 797 /* make the changes with the locks held to prevent chown/chmod races */
800 ret = -EACCES; 798 ret = -EACCES;
801 down_write(&key->sem); 799 down_write(&key->sem);
@@ -824,7 +822,8 @@ long keyctl_instantiate_key(key_serial_t id,
824 key_serial_t ringid) 822 key_serial_t ringid)
825{ 823{
826 struct request_key_auth *rka; 824 struct request_key_auth *rka;
827 struct key *instkey, *keyring; 825 struct key *instkey;
826 key_ref_t keyring_ref;
828 void *payload; 827 void *payload;
829 long ret; 828 long ret;
830 829
@@ -857,21 +856,21 @@ long keyctl_instantiate_key(key_serial_t id,
857 856
858 /* find the destination keyring amongst those belonging to the 857 /* find the destination keyring amongst those belonging to the
859 * requesting task */ 858 * requesting task */
860 keyring = NULL; 859 keyring_ref = NULL;
861 if (ringid) { 860 if (ringid) {
862 keyring = lookup_user_key(rka->context, ringid, 1, 0, 861 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0,
863 KEY_WRITE); 862 KEY_WRITE);
864 if (IS_ERR(keyring)) { 863 if (IS_ERR(keyring_ref)) {
865 ret = PTR_ERR(keyring); 864 ret = PTR_ERR(keyring_ref);
866 goto error3; 865 goto error3;
867 } 866 }
868 } 867 }
869 868
870 /* instantiate the key and link it into a keyring */ 869 /* instantiate the key and link it into a keyring */
871 ret = key_instantiate_and_link(rka->target_key, payload, plen, 870 ret = key_instantiate_and_link(rka->target_key, payload, plen,
872 keyring, instkey); 871 key_ref_to_ptr(keyring_ref), instkey);
873 872
874 key_put(keyring); 873 key_ref_put(keyring_ref);
875 error3: 874 error3:
876 key_put(instkey); 875 key_put(instkey);
877 error2: 876 error2:
@@ -889,7 +888,8 @@ long keyctl_instantiate_key(key_serial_t id,
889long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 888long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
890{ 889{
891 struct request_key_auth *rka; 890 struct request_key_auth *rka;
892 struct key *instkey, *keyring; 891 struct key *instkey;
892 key_ref_t keyring_ref;
893 long ret; 893 long ret;
894 894
895 /* find the instantiation authorisation key */ 895 /* find the instantiation authorisation key */
@@ -903,19 +903,20 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
903 903
904 /* find the destination keyring if present (which must also be 904 /* find the destination keyring if present (which must also be
905 * writable) */ 905 * writable) */
906 keyring = NULL; 906 keyring_ref = NULL;
907 if (ringid) { 907 if (ringid) {
908 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 908 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
909 if (IS_ERR(keyring)) { 909 if (IS_ERR(keyring_ref)) {
910 ret = PTR_ERR(keyring); 910 ret = PTR_ERR(keyring_ref);
911 goto error2; 911 goto error2;
912 } 912 }
913 } 913 }
914 914
915 /* instantiate the key and link it into a keyring */ 915 /* instantiate the key and link it into a keyring */
916 ret = key_negate_and_link(rka->target_key, timeout, keyring, instkey); 916 ret = key_negate_and_link(rka->target_key, timeout,
917 key_ref_to_ptr(keyring_ref), instkey);
917 918
918 key_put(keyring); 919 key_ref_put(keyring_ref);
919 error2: 920 error2:
920 key_put(instkey); 921 key_put(instkey);
921 error: 922 error:
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 9c208c756df8..0639396dd441 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -309,7 +309,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
309 int ret; 309 int ret;
310 310
311 keyring = key_alloc(&key_type_keyring, description, 311 keyring = key_alloc(&key_type_keyring, description,
312 uid, gid, KEY_USR_ALL, not_in_quota); 312 uid, gid, KEY_POS_ALL | KEY_USR_ALL, not_in_quota);
313 313
314 if (!IS_ERR(keyring)) { 314 if (!IS_ERR(keyring)) {
315 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 315 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
@@ -333,12 +333,13 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
333 * - we rely on RCU to prevent the keyring lists from disappearing on us 333 * - we rely on RCU to prevent the keyring lists from disappearing on us
334 * - we return -EAGAIN if we didn't find any matching key 334 * - we return -EAGAIN if we didn't find any matching key
335 * - we return -ENOKEY if we only found negative matching keys 335 * - we return -ENOKEY if we only found negative matching keys
336 * - we propagate the possession attribute from the keyring ref to the key ref
336 */ 337 */
337struct key *keyring_search_aux(struct key *keyring, 338key_ref_t keyring_search_aux(key_ref_t keyring_ref,
338 struct task_struct *context, 339 struct task_struct *context,
339 struct key_type *type, 340 struct key_type *type,
340 const void *description, 341 const void *description,
341 key_match_func_t match) 342 key_match_func_t match)
342{ 343{
343 struct { 344 struct {
344 struct keyring_list *keylist; 345 struct keyring_list *keylist;
@@ -347,29 +348,33 @@ struct key *keyring_search_aux(struct key *keyring,
347 348
348 struct keyring_list *keylist; 349 struct keyring_list *keylist;
349 struct timespec now; 350 struct timespec now;
350 struct key *key; 351 unsigned long possessed;
352 struct key *keyring, *key;
353 key_ref_t key_ref;
351 long err; 354 long err;
352 int sp, kix; 355 int sp, kix;
353 356
357 keyring = key_ref_to_ptr(keyring_ref);
358 possessed = is_key_possessed(keyring_ref);
354 key_check(keyring); 359 key_check(keyring);
355 360
356 rcu_read_lock();
357
358 /* top keyring must have search permission to begin the search */ 361 /* top keyring must have search permission to begin the search */
359 key = ERR_PTR(-EACCES); 362 key_ref = ERR_PTR(-EACCES);
360 if (!key_task_permission(keyring, context, KEY_SEARCH)) 363 if (!key_task_permission(keyring_ref, context, KEY_SEARCH))
361 goto error; 364 goto error;
362 365
363 key = ERR_PTR(-ENOTDIR); 366 key_ref = ERR_PTR(-ENOTDIR);
364 if (keyring->type != &key_type_keyring) 367 if (keyring->type != &key_type_keyring)
365 goto error; 368 goto error;
366 369
370 rcu_read_lock();
371
367 now = current_kernel_time(); 372 now = current_kernel_time();
368 err = -EAGAIN; 373 err = -EAGAIN;
369 sp = 0; 374 sp = 0;
370 375
371 /* start processing a new keyring */ 376 /* start processing a new keyring */
372 descend: 377descend:
373 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 378 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
374 goto not_this_keyring; 379 goto not_this_keyring;
375 380
@@ -397,7 +402,8 @@ struct key *keyring_search_aux(struct key *keyring,
397 continue; 402 continue;
398 403
399 /* key must have search permissions */ 404 /* key must have search permissions */
400 if (!key_task_permission(key, context, KEY_SEARCH)) 405 if (!key_task_permission(make_key_ref(key, possessed),
406 context, KEY_SEARCH))
401 continue; 407 continue;
402 408
403 /* we set a different error code if we find a negative key */ 409 /* we set a different error code if we find a negative key */
@@ -411,7 +417,7 @@ struct key *keyring_search_aux(struct key *keyring,
411 417
412 /* search through the keyrings nested in this one */ 418 /* search through the keyrings nested in this one */
413 kix = 0; 419 kix = 0;
414 ascend: 420ascend:
415 for (; kix < keylist->nkeys; kix++) { 421 for (; kix < keylist->nkeys; kix++) {
416 key = keylist->keys[kix]; 422 key = keylist->keys[kix];
417 if (key->type != &key_type_keyring) 423 if (key->type != &key_type_keyring)
@@ -423,7 +429,8 @@ struct key *keyring_search_aux(struct key *keyring,
423 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 429 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
424 continue; 430 continue;
425 431
426 if (!key_task_permission(key, context, KEY_SEARCH)) 432 if (!key_task_permission(make_key_ref(key, possessed),
433 context, KEY_SEARCH))
427 continue; 434 continue;
428 435
429 /* stack the current position */ 436 /* stack the current position */
@@ -438,7 +445,7 @@ struct key *keyring_search_aux(struct key *keyring,
438 445
439 /* the keyring we're looking at was disqualified or didn't contain a 446 /* the keyring we're looking at was disqualified or didn't contain a
440 * matching key */ 447 * matching key */
441 not_this_keyring: 448not_this_keyring:
442 if (sp > 0) { 449 if (sp > 0) {
443 /* resume the processing of a keyring higher up in the tree */ 450 /* resume the processing of a keyring higher up in the tree */
444 sp--; 451 sp--;
@@ -447,16 +454,18 @@ struct key *keyring_search_aux(struct key *keyring,
447 goto ascend; 454 goto ascend;
448 } 455 }
449 456
450 key = ERR_PTR(err); 457 key_ref = ERR_PTR(err);
451 goto error; 458 goto error_2;
452 459
453 /* we found a viable match */ 460 /* we found a viable match */
454 found: 461found:
455 atomic_inc(&key->usage); 462 atomic_inc(&key->usage);
456 key_check(key); 463 key_check(key);
457 error: 464 key_ref = make_key_ref(key, possessed);
465error_2:
458 rcu_read_unlock(); 466 rcu_read_unlock();
459 return key; 467error:
468 return key_ref;
460 469
461} /* end keyring_search_aux() */ 470} /* end keyring_search_aux() */
462 471
@@ -469,9 +478,9 @@ struct key *keyring_search_aux(struct key *keyring,
469 * - we return -EAGAIN if we didn't find any matching key 478 * - we return -EAGAIN if we didn't find any matching key
470 * - we return -ENOKEY if we only found negative matching keys 479 * - we return -ENOKEY if we only found negative matching keys
471 */ 480 */
472struct key *keyring_search(struct key *keyring, 481key_ref_t keyring_search(key_ref_t keyring,
473 struct key_type *type, 482 struct key_type *type,
474 const char *description) 483 const char *description)
475{ 484{
476 if (!type->match) 485 if (!type->match)
477 return ERR_PTR(-ENOKEY); 486 return ERR_PTR(-ENOKEY);
@@ -488,15 +497,19 @@ EXPORT_SYMBOL(keyring_search);
488 * search the given keyring only (no recursion) 497 * search the given keyring only (no recursion)
489 * - keyring must be locked by caller 498 * - keyring must be locked by caller
490 */ 499 */
491struct key *__keyring_search_one(struct key *keyring, 500key_ref_t __keyring_search_one(key_ref_t keyring_ref,
492 const struct key_type *ktype, 501 const struct key_type *ktype,
493 const char *description, 502 const char *description,
494 key_perm_t perm) 503 key_perm_t perm)
495{ 504{
496 struct keyring_list *klist; 505 struct keyring_list *klist;
497 struct key *key; 506 unsigned long possessed;
507 struct key *keyring, *key;
498 int loop; 508 int loop;
499 509
510 keyring = key_ref_to_ptr(keyring_ref);
511 possessed = is_key_possessed(keyring_ref);
512
500 rcu_read_lock(); 513 rcu_read_lock();
501 514
502 klist = rcu_dereference(keyring->payload.subscriptions); 515 klist = rcu_dereference(keyring->payload.subscriptions);
@@ -507,21 +520,21 @@ struct key *__keyring_search_one(struct key *keyring,
507 if (key->type == ktype && 520 if (key->type == ktype &&
508 (!key->type->match || 521 (!key->type->match ||
509 key->type->match(key, description)) && 522 key->type->match(key, description)) &&
510 key_permission(key, perm) && 523 key_permission(make_key_ref(key, possessed),
524 perm) &&
511 !test_bit(KEY_FLAG_REVOKED, &key->flags) 525 !test_bit(KEY_FLAG_REVOKED, &key->flags)
512 ) 526 )
513 goto found; 527 goto found;
514 } 528 }
515 } 529 }
516 530
517 key = ERR_PTR(-ENOKEY); 531 rcu_read_unlock();
518 goto error; 532 return ERR_PTR(-ENOKEY);
519 533
520 found: 534 found:
521 atomic_inc(&key->usage); 535 atomic_inc(&key->usage);
522 error:
523 rcu_read_unlock(); 536 rcu_read_unlock();
524 return key; 537 return make_key_ref(key, possessed);
525 538
526} /* end __keyring_search_one() */ 539} /* end __keyring_search_one() */
527 540
@@ -603,7 +616,8 @@ struct key *find_keyring_by_name(const char *name, key_serial_t bound)
603 if (strcmp(keyring->description, name) != 0) 616 if (strcmp(keyring->description, name) != 0)
604 continue; 617 continue;
605 618
606 if (!key_permission(keyring, KEY_SEARCH)) 619 if (!key_permission(make_key_ref(keyring, 0),
620 KEY_SEARCH))
607 continue; 621 continue;
608 622
609 /* found a potential candidate, but we still need to 623 /* found a potential candidate, but we still need to
diff --git a/security/keys/proc.c b/security/keys/proc.c
index c55cf1fd0826..12b750e51fbf 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -167,7 +167,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
167#define showflag(KEY, LETTER, FLAG) \ 167#define showflag(KEY, LETTER, FLAG) \
168 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') 168 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
169 169
170 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %06x %5d %5d %-9.9s ", 170 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
171 key->serial, 171 key->serial,
172 showflag(key, 'I', KEY_FLAG_INSTANTIATED), 172 showflag(key, 'I', KEY_FLAG_INSTANTIATED),
173 showflag(key, 'R', KEY_FLAG_REVOKED), 173 showflag(key, 'R', KEY_FLAG_REVOKED),
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index c089f78fb94e..d42d2158ce13 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -39,7 +39,7 @@ struct key root_user_keyring = {
39 .type = &key_type_keyring, 39 .type = &key_type_keyring,
40 .user = &root_key_user, 40 .user = &root_key_user,
41 .sem = __RWSEM_INITIALIZER(root_user_keyring.sem), 41 .sem = __RWSEM_INITIALIZER(root_user_keyring.sem),
42 .perm = KEY_USR_ALL, 42 .perm = KEY_POS_ALL | KEY_USR_ALL,
43 .flags = 1 << KEY_FLAG_INSTANTIATED, 43 .flags = 1 << KEY_FLAG_INSTANTIATED,
44 .description = "_uid.0", 44 .description = "_uid.0",
45#ifdef KEY_DEBUGGING 45#ifdef KEY_DEBUGGING
@@ -54,7 +54,7 @@ struct key root_session_keyring = {
54 .type = &key_type_keyring, 54 .type = &key_type_keyring,
55 .user = &root_key_user, 55 .user = &root_key_user,
56 .sem = __RWSEM_INITIALIZER(root_session_keyring.sem), 56 .sem = __RWSEM_INITIALIZER(root_session_keyring.sem),
57 .perm = KEY_USR_ALL, 57 .perm = KEY_POS_ALL | KEY_USR_ALL,
58 .flags = 1 << KEY_FLAG_INSTANTIATED, 58 .flags = 1 << KEY_FLAG_INSTANTIATED,
59 .description = "_uid_ses.0", 59 .description = "_uid_ses.0",
60#ifdef KEY_DEBUGGING 60#ifdef KEY_DEBUGGING
@@ -98,7 +98,7 @@ int alloc_uid_keyring(struct user_struct *user)
98 user->session_keyring = session_keyring; 98 user->session_keyring = session_keyring;
99 ret = 0; 99 ret = 0;
100 100
101 error: 101error:
102 return ret; 102 return ret;
103 103
104} /* end alloc_uid_keyring() */ 104} /* end alloc_uid_keyring() */
@@ -156,7 +156,7 @@ int install_thread_keyring(struct task_struct *tsk)
156 ret = 0; 156 ret = 0;
157 157
158 key_put(old); 158 key_put(old);
159 error: 159error:
160 return ret; 160 return ret;
161 161
162} /* end install_thread_keyring() */ 162} /* end install_thread_keyring() */
@@ -193,7 +193,7 @@ int install_process_keyring(struct task_struct *tsk)
193 } 193 }
194 194
195 ret = 0; 195 ret = 0;
196 error: 196error:
197 return ret; 197 return ret;
198 198
199} /* end install_process_keyring() */ 199} /* end install_process_keyring() */
@@ -236,7 +236,7 @@ static int install_session_keyring(struct task_struct *tsk,
236 /* we're using RCU on the pointer */ 236 /* we're using RCU on the pointer */
237 synchronize_rcu(); 237 synchronize_rcu();
238 key_put(old); 238 key_put(old);
239 error: 239error:
240 return ret; 240 return ret;
241 241
242} /* end install_session_keyring() */ 242} /* end install_session_keyring() */
@@ -376,13 +376,13 @@ void key_fsgid_changed(struct task_struct *tsk)
376 * - we return -EAGAIN if we didn't find any matching key 376 * - we return -EAGAIN if we didn't find any matching key
377 * - we return -ENOKEY if we found only negative matching keys 377 * - we return -ENOKEY if we found only negative matching keys
378 */ 378 */
379struct key *search_process_keyrings(struct key_type *type, 379key_ref_t search_process_keyrings(struct key_type *type,
380 const void *description, 380 const void *description,
381 key_match_func_t match, 381 key_match_func_t match,
382 struct task_struct *context) 382 struct task_struct *context)
383{ 383{
384 struct request_key_auth *rka; 384 struct request_key_auth *rka;
385 struct key *key, *ret, *err, *instkey; 385 key_ref_t key_ref, ret, err, instkey_ref;
386 386
387 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were 387 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
388 * searchable, but we failed to find a key or we found a negative key; 388 * searchable, but we failed to find a key or we found a negative key;
@@ -391,46 +391,48 @@ struct key *search_process_keyrings(struct key_type *type,
391 * 391 *
392 * in terms of priority: success > -ENOKEY > -EAGAIN > other error 392 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
393 */ 393 */
394 key = NULL; 394 key_ref = NULL;
395 ret = NULL; 395 ret = NULL;
396 err = ERR_PTR(-EAGAIN); 396 err = ERR_PTR(-EAGAIN);
397 397
398 /* search the thread keyring first */ 398 /* search the thread keyring first */
399 if (context->thread_keyring) { 399 if (context->thread_keyring) {
400 key = keyring_search_aux(context->thread_keyring, 400 key_ref = keyring_search_aux(
401 context, type, description, match); 401 make_key_ref(context->thread_keyring, 1),
402 if (!IS_ERR(key)) 402 context, type, description, match);
403 if (!IS_ERR(key_ref))
403 goto found; 404 goto found;
404 405
405 switch (PTR_ERR(key)) { 406 switch (PTR_ERR(key_ref)) {
406 case -EAGAIN: /* no key */ 407 case -EAGAIN: /* no key */
407 if (ret) 408 if (ret)
408 break; 409 break;
409 case -ENOKEY: /* negative key */ 410 case -ENOKEY: /* negative key */
410 ret = key; 411 ret = key_ref;
411 break; 412 break;
412 default: 413 default:
413 err = key; 414 err = key_ref;
414 break; 415 break;
415 } 416 }
416 } 417 }
417 418
418 /* search the process keyring second */ 419 /* search the process keyring second */
419 if (context->signal->process_keyring) { 420 if (context->signal->process_keyring) {
420 key = keyring_search_aux(context->signal->process_keyring, 421 key_ref = keyring_search_aux(
421 context, type, description, match); 422 make_key_ref(context->signal->process_keyring, 1),
422 if (!IS_ERR(key)) 423 context, type, description, match);
424 if (!IS_ERR(key_ref))
423 goto found; 425 goto found;
424 426
425 switch (PTR_ERR(key)) { 427 switch (PTR_ERR(key_ref)) {
426 case -EAGAIN: /* no key */ 428 case -EAGAIN: /* no key */
427 if (ret) 429 if (ret)
428 break; 430 break;
429 case -ENOKEY: /* negative key */ 431 case -ENOKEY: /* negative key */
430 ret = key; 432 ret = key_ref;
431 break; 433 break;
432 default: 434 default:
433 err = key; 435 err = key_ref;
434 break; 436 break;
435 } 437 }
436 } 438 }
@@ -438,23 +440,25 @@ struct key *search_process_keyrings(struct key_type *type,
438 /* search the session keyring */ 440 /* search the session keyring */
439 if (context->signal->session_keyring) { 441 if (context->signal->session_keyring) {
440 rcu_read_lock(); 442 rcu_read_lock();
441 key = keyring_search_aux( 443 key_ref = keyring_search_aux(
442 rcu_dereference(context->signal->session_keyring), 444 make_key_ref(rcu_dereference(
445 context->signal->session_keyring),
446 1),
443 context, type, description, match); 447 context, type, description, match);
444 rcu_read_unlock(); 448 rcu_read_unlock();
445 449
446 if (!IS_ERR(key)) 450 if (!IS_ERR(key_ref))
447 goto found; 451 goto found;
448 452
449 switch (PTR_ERR(key)) { 453 switch (PTR_ERR(key_ref)) {
450 case -EAGAIN: /* no key */ 454 case -EAGAIN: /* no key */
451 if (ret) 455 if (ret)
452 break; 456 break;
453 case -ENOKEY: /* negative key */ 457 case -ENOKEY: /* negative key */
454 ret = key; 458 ret = key_ref;
455 break; 459 break;
456 default: 460 default:
457 err = key; 461 err = key_ref;
458 break; 462 break;
459 } 463 }
460 464
@@ -465,51 +469,54 @@ struct key *search_process_keyrings(struct key_type *type,
465 goto no_key; 469 goto no_key;
466 470
467 rcu_read_lock(); 471 rcu_read_lock();
468 instkey = __keyring_search_one( 472 instkey_ref = __keyring_search_one(
469 rcu_dereference(context->signal->session_keyring), 473 make_key_ref(rcu_dereference(
474 context->signal->session_keyring),
475 1),
470 &key_type_request_key_auth, NULL, 0); 476 &key_type_request_key_auth, NULL, 0);
471 rcu_read_unlock(); 477 rcu_read_unlock();
472 478
473 if (IS_ERR(instkey)) 479 if (IS_ERR(instkey_ref))
474 goto no_key; 480 goto no_key;
475 481
476 rka = instkey->payload.data; 482 rka = key_ref_to_ptr(instkey_ref)->payload.data;
477 483
478 key = search_process_keyrings(type, description, match, 484 key_ref = search_process_keyrings(type, description, match,
479 rka->context); 485 rka->context);
480 key_put(instkey); 486 key_ref_put(instkey_ref);
481 487
482 if (!IS_ERR(key)) 488 if (!IS_ERR(key_ref))
483 goto found; 489 goto found;
484 490
485 switch (PTR_ERR(key)) { 491 switch (PTR_ERR(key_ref)) {
486 case -EAGAIN: /* no key */ 492 case -EAGAIN: /* no key */
487 if (ret) 493 if (ret)
488 break; 494 break;
489 case -ENOKEY: /* negative key */ 495 case -ENOKEY: /* negative key */
490 ret = key; 496 ret = key_ref;
491 break; 497 break;
492 default: 498 default:
493 err = key; 499 err = key_ref;
494 break; 500 break;
495 } 501 }
496 } 502 }
497 /* or search the user-session keyring */ 503 /* or search the user-session keyring */
498 else { 504 else {
499 key = keyring_search_aux(context->user->session_keyring, 505 key_ref = keyring_search_aux(
500 context, type, description, match); 506 make_key_ref(context->user->session_keyring, 1),
501 if (!IS_ERR(key)) 507 context, type, description, match);
508 if (!IS_ERR(key_ref))
502 goto found; 509 goto found;
503 510
504 switch (PTR_ERR(key)) { 511 switch (PTR_ERR(key_ref)) {
505 case -EAGAIN: /* no key */ 512 case -EAGAIN: /* no key */
506 if (ret) 513 if (ret)
507 break; 514 break;
508 case -ENOKEY: /* negative key */ 515 case -ENOKEY: /* negative key */
509 ret = key; 516 ret = key_ref;
510 break; 517 break;
511 default: 518 default:
512 err = key; 519 err = key_ref;
513 break; 520 break;
514 } 521 }
515 } 522 }
@@ -517,29 +524,40 @@ struct key *search_process_keyrings(struct key_type *type,
517 524
518no_key: 525no_key:
519 /* no key - decide on the error we're going to go for */ 526 /* no key - decide on the error we're going to go for */
520 key = ret ? ret : err; 527 key_ref = ret ? ret : err;
521 528
522found: 529found:
523 return key; 530 return key_ref;
524 531
525} /* end search_process_keyrings() */ 532} /* end search_process_keyrings() */
526 533
527/*****************************************************************************/ 534/*****************************************************************************/
528/* 535/*
536 * see if the key we're looking at is the target key
537 */
538static int lookup_user_key_possessed(const struct key *key, const void *target)
539{
540 return key == target;
541
542} /* end lookup_user_key_possessed() */
543
544/*****************************************************************************/
545/*
529 * lookup a key given a key ID from userspace with a given permissions mask 546 * lookup a key given a key ID from userspace with a given permissions mask
530 * - don't create special keyrings unless so requested 547 * - don't create special keyrings unless so requested
531 * - partially constructed keys aren't found unless requested 548 * - partially constructed keys aren't found unless requested
532 */ 549 */
533struct key *lookup_user_key(struct task_struct *context, key_serial_t id, 550key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
534 int create, int partial, key_perm_t perm) 551 int create, int partial, key_perm_t perm)
535{ 552{
553 key_ref_t key_ref, skey_ref;
536 struct key *key; 554 struct key *key;
537 int ret; 555 int ret;
538 556
539 if (!context) 557 if (!context)
540 context = current; 558 context = current;
541 559
542 key = ERR_PTR(-ENOKEY); 560 key_ref = ERR_PTR(-ENOKEY);
543 561
544 switch (id) { 562 switch (id) {
545 case KEY_SPEC_THREAD_KEYRING: 563 case KEY_SPEC_THREAD_KEYRING:
@@ -556,6 +574,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
556 574
557 key = context->thread_keyring; 575 key = context->thread_keyring;
558 atomic_inc(&key->usage); 576 atomic_inc(&key->usage);
577 key_ref = make_key_ref(key, 1);
559 break; 578 break;
560 579
561 case KEY_SPEC_PROCESS_KEYRING: 580 case KEY_SPEC_PROCESS_KEYRING:
@@ -572,6 +591,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
572 591
573 key = context->signal->process_keyring; 592 key = context->signal->process_keyring;
574 atomic_inc(&key->usage); 593 atomic_inc(&key->usage);
594 key_ref = make_key_ref(key, 1);
575 break; 595 break;
576 596
577 case KEY_SPEC_SESSION_KEYRING: 597 case KEY_SPEC_SESSION_KEYRING:
@@ -579,7 +599,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
579 /* always install a session keyring upon access if one 599 /* always install a session keyring upon access if one
580 * doesn't exist yet */ 600 * doesn't exist yet */
581 ret = install_session_keyring( 601 ret = install_session_keyring(
582 context, context->user->session_keyring); 602 context, context->user->session_keyring);
583 if (ret < 0) 603 if (ret < 0)
584 goto error; 604 goto error;
585 } 605 }
@@ -588,16 +608,19 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
588 key = rcu_dereference(context->signal->session_keyring); 608 key = rcu_dereference(context->signal->session_keyring);
589 atomic_inc(&key->usage); 609 atomic_inc(&key->usage);
590 rcu_read_unlock(); 610 rcu_read_unlock();
611 key_ref = make_key_ref(key, 1);
591 break; 612 break;
592 613
593 case KEY_SPEC_USER_KEYRING: 614 case KEY_SPEC_USER_KEYRING:
594 key = context->user->uid_keyring; 615 key = context->user->uid_keyring;
595 atomic_inc(&key->usage); 616 atomic_inc(&key->usage);
617 key_ref = make_key_ref(key, 1);
596 break; 618 break;
597 619
598 case KEY_SPEC_USER_SESSION_KEYRING: 620 case KEY_SPEC_USER_SESSION_KEYRING:
599 key = context->user->session_keyring; 621 key = context->user->session_keyring;
600 atomic_inc(&key->usage); 622 atomic_inc(&key->usage);
623 key_ref = make_key_ref(key, 1);
601 break; 624 break;
602 625
603 case KEY_SPEC_GROUP_KEYRING: 626 case KEY_SPEC_GROUP_KEYRING:
@@ -606,13 +629,28 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
606 goto error; 629 goto error;
607 630
608 default: 631 default:
609 key = ERR_PTR(-EINVAL); 632 key_ref = ERR_PTR(-EINVAL);
610 if (id < 1) 633 if (id < 1)
611 goto error; 634 goto error;
612 635
613 key = key_lookup(id); 636 key = key_lookup(id);
614 if (IS_ERR(key)) 637 if (IS_ERR(key)) {
638 key_ref = ERR_PTR(PTR_ERR(key));
615 goto error; 639 goto error;
640 }
641
642 key_ref = make_key_ref(key, 0);
643
644 /* check to see if we possess the key */
645 skey_ref = search_process_keyrings(key->type, key,
646 lookup_user_key_possessed,
647 current);
648
649 if (!IS_ERR(skey_ref)) {
650 key_put(key);
651 key_ref = skey_ref;
652 }
653
616 break; 654 break;
617 } 655 }
618 656
@@ -630,15 +668,15 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
630 /* check the permissions */ 668 /* check the permissions */
631 ret = -EACCES; 669 ret = -EACCES;
632 670
633 if (!key_task_permission(key, context, perm)) 671 if (!key_task_permission(key_ref, context, perm))
634 goto invalid_key; 672 goto invalid_key;
635 673
636 error: 674error:
637 return key; 675 return key_ref;
638 676
639 invalid_key: 677invalid_key:
640 key_put(key); 678 key_ref_put(key_ref);
641 key = ERR_PTR(ret); 679 key_ref = ERR_PTR(ret);
642 goto error; 680 goto error;
643 681
644} /* end lookup_user_key() */ 682} /* end lookup_user_key() */
@@ -694,9 +732,9 @@ long join_session_keyring(const char *name)
694 ret = keyring->serial; 732 ret = keyring->serial;
695 key_put(keyring); 733 key_put(keyring);
696 734
697 error2: 735error2:
698 up(&key_session_sem); 736 up(&key_session_sem);
699 error: 737error:
700 return ret; 738 return ret;
701 739
702} /* end join_session_keyring() */ 740} /* end join_session_keyring() */
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 90c1506d007c..e6dd366d43a3 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -129,7 +129,7 @@ static struct key *__request_key_construction(struct key_type *type,
129 129
130 /* create a key and add it to the queue */ 130 /* create a key and add it to the queue */
131 key = key_alloc(type, description, 131 key = key_alloc(type, description,
132 current->fsuid, current->fsgid, KEY_USR_ALL, 0); 132 current->fsuid, current->fsgid, KEY_POS_ALL, 0);
133 if (IS_ERR(key)) 133 if (IS_ERR(key))
134 goto alloc_failed; 134 goto alloc_failed;
135 135
@@ -365,14 +365,24 @@ struct key *request_key_and_link(struct key_type *type,
365{ 365{
366 struct key_user *user; 366 struct key_user *user;
367 struct key *key; 367 struct key *key;
368 key_ref_t key_ref;
368 369
369 kenter("%s,%s,%s,%p", 370 kenter("%s,%s,%s,%p",
370 type->name, description, callout_info, dest_keyring); 371 type->name, description, callout_info, dest_keyring);
371 372
372 /* search all the process keyrings for a key */ 373 /* search all the process keyrings for a key */
373 key = search_process_keyrings(type, description, type->match, current); 374 key_ref = search_process_keyrings(type, description, type->match,
375 current);
374 376
375 if (PTR_ERR(key) == -EAGAIN) { 377 kdebug("search 1: %p", key_ref);
378
379 if (!IS_ERR(key_ref)) {
380 key = key_ref_to_ptr(key_ref);
381 }
382 else if (PTR_ERR(key_ref) != -EAGAIN) {
383 key = ERR_PTR(PTR_ERR(key_ref));
384 }
385 else {
376 /* the search failed, but the keyrings were searchable, so we 386 /* the search failed, but the keyrings were searchable, so we
377 * should consult userspace if we can */ 387 * should consult userspace if we can */
378 key = ERR_PTR(-ENOKEY); 388 key = ERR_PTR(-ENOKEY);
@@ -384,7 +394,7 @@ struct key *request_key_and_link(struct key_type *type,
384 if (!user) 394 if (!user)
385 goto nomem; 395 goto nomem;
386 396
387 do { 397 for (;;) {
388 if (signal_pending(current)) 398 if (signal_pending(current))
389 goto interrupted; 399 goto interrupted;
390 400
@@ -397,10 +407,22 @@ struct key *request_key_and_link(struct key_type *type,
397 407
398 /* someone else made the key we want, so we need to 408 /* someone else made the key we want, so we need to
399 * search again as it might now be available to us */ 409 * search again as it might now be available to us */
400 key = search_process_keyrings(type, description, 410 key_ref = search_process_keyrings(type, description,
401 type->match, current); 411 type->match,
412 current);
413
414 kdebug("search 2: %p", key_ref);
402 415
403 } while (PTR_ERR(key) == -EAGAIN); 416 if (!IS_ERR(key_ref)) {
417 key = key_ref_to_ptr(key_ref);
418 break;
419 }
420
421 if (PTR_ERR(key_ref) != -EAGAIN) {
422 key = ERR_PTR(PTR_ERR(key_ref));
423 break;
424 }
425 }
404 426
405 key_user_put(user); 427 key_user_put(user);
406 428
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index f22264632229..1ecd3d3fa9f8 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -126,7 +126,7 @@ struct key *request_key_auth_new(struct key *target, struct key **_rkakey)
126 126
127 rkakey = key_alloc(&key_type_request_key_auth, desc, 127 rkakey = key_alloc(&key_type_request_key_auth, desc,
128 current->fsuid, current->fsgid, 128 current->fsuid, current->fsgid,
129 KEY_USR_VIEW, 1); 129 KEY_POS_VIEW | KEY_USR_VIEW, 1);
130 if (IS_ERR(rkakey)) { 130 if (IS_ERR(rkakey)) {
131 key_put(keyring); 131 key_put(keyring);
132 kleave("= %ld", PTR_ERR(rkakey)); 132 kleave("= %ld", PTR_ERR(rkakey));