Merge tag 'v3.13-rc4' into core/locking

Merge Linux 3.13-rc4, to refresh this rather old tree with the latest fixes. Signed-off-by: Ingo Molnar <mingo@kernel.org>
author: Ingo Molnar <mingo@kernel.org> 2013-12-17 09:27:08 -0500
committer: Ingo Molnar <mingo@kernel.org> 2013-12-17 09:27:08 -0500
commit: bb799d3b980eb803ca2da4a4eefbd9308f8d988a (patch)
tree: 69fbe0cd6d47b23a50f5e1d87bf7489532fae149 /security/keys/persistent.c
parent: 919fc6e34831d1c2b58bfb5ae261dc3facc9b269 (diff)
parent: 319e2e3f63c348a9b66db4667efa73178e18b17d (diff)
1 files changed, 167 insertions, 0 deletions
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
new file mode 100644
index 000000000000..0ad3ee283781
--- /dev/null
+++ b/security/keys/persistent.c
@@ -0,0 +1,167 @@
+/* General persistent per-UID keyrings register
+ *
+ * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#include <linux/user_namespace.h>
+#include "internal.h"
+unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
+/*
+ * Create the persistent keyring register for the current user namespace.
+ *
+ * Called with the namespace's sem locked for writing.
+ */
+static int key_create_persistent_register(struct user_namespace *ns)
+{
+        struct key *reg = keyring_alloc(".persistent_register",
+                                        KUIDT_INIT(0), KGIDT_INIT(0),
+                                        current_cred(),
+                                        ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                         KEY_USR_VIEW | KEY_USR_READ),
+                                        KEY_ALLOC_NOT_IN_QUOTA, NULL);
+        if (IS_ERR(reg))
+                return PTR_ERR(reg);
+        ns->persistent_keyring_register = reg;
+        return 0;
+}
+/*
+ * Create the persistent keyring for the specified user.
+ *
+ * Called with the namespace's sem locked for writing.
+ */
+static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
+                                       struct keyring_index_key *index_key)
+{
+        struct key *persistent;
+        key_ref_t reg_ref, persistent_ref;
+        if (!ns->persistent_keyring_register) {
+                long err = key_create_persistent_register(ns);
+                if (err < 0)
+                        return ERR_PTR(err);
+        } else {
+                reg_ref = make_key_ref(ns->persistent_keyring_register, true);
+                persistent_ref = find_key_to_update(reg_ref, index_key);
+                if (persistent_ref)
+                        return persistent_ref;
+        }
+        persistent = keyring_alloc(index_key->description,
+                                   uid, INVALID_GID, current_cred(),
+                                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                    KEY_USR_VIEW | KEY_USR_READ),
+                                   KEY_ALLOC_NOT_IN_QUOTA,
+                                   ns->persistent_keyring_register);
+        if (IS_ERR(persistent))
+                return ERR_CAST(persistent);
+        return make_key_ref(persistent, true);
+}
+/*
+ * Get the persistent keyring for a specific UID and link it to the nominated
+ * keyring.
+ */
+static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
+                               key_ref_t dest_ref)
+{
+        struct keyring_index_key index_key;
+        struct key *persistent;
+        key_ref_t reg_ref, persistent_ref;
+        char buf[32];
+        long ret;
+        /* Look in the register if it exists */
+        index_key.type = &key_type_keyring;
+        index_key.description = buf;
+        index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
+        if (ns->persistent_keyring_register) {
+                reg_ref = make_key_ref(ns->persistent_keyring_register, true);
+                down_read(&ns->persistent_keyring_register_sem);
+                persistent_ref = find_key_to_update(reg_ref, &index_key);
+                up_read(&ns->persistent_keyring_register_sem);
+                if (persistent_ref)
+                        goto found;
+        }
+        /* It wasn't in the register, so we'll need to create it.  We might
+         * also need to create the register.
+         */
+        down_write(&ns->persistent_keyring_register_sem);
+        persistent_ref = key_create_persistent(ns, uid, &index_key);
+        up_write(&ns->persistent_keyring_register_sem);
+        if (!IS_ERR(persistent_ref))
+                goto found;
+        return PTR_ERR(persistent_ref);
+found:
+        ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
+        if (ret == 0) {
+                persistent = key_ref_to_ptr(persistent_ref);
+                ret = key_link(key_ref_to_ptr(dest_ref), persistent);
+                if (ret == 0) {
+                        key_set_timeout(persistent, persistent_keyring_expiry);
+                        ret = persistent->serial;               
+                }
+        }
+        key_ref_put(persistent_ref);
+        return ret;
+}
+/*
+ * Get the persistent keyring for a specific UID and link it to the nominated
+ * keyring.
+ */
+long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
+{
+        struct user_namespace *ns = current_user_ns();
+        key_ref_t dest_ref;
+        kuid_t uid;
+        long ret;
+        /* -1 indicates the current user */
+        if (_uid == (uid_t)-1) {
+                uid = current_uid();
+        } else {
+                uid = make_kuid(ns, _uid);
+                if (!uid_valid(uid))
+                        return -EINVAL;
+                /* You can only see your own persistent cache if you're not
+                 * sufficiently privileged.
+                 */
+                if (!uid_eq(uid, current_uid()) &&
+                    !uid_eq(uid, current_euid()) &&
+                    !ns_capable(ns, CAP_SETUID))
+                        return -EPERM;
+        }
+        /* There must be a destination keyring */
+        dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
+        if (IS_ERR(dest_ref))
+                return PTR_ERR(dest_ref);
+        if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
+                ret = -ENOTDIR;
+                goto out_put_dest;
+        }
+        ret = key_get_persistent(ns, uid, dest_ref);
+out_put_dest:
+        key_ref_put(dest_ref);
+        return ret;
+}
author	Ingo Molnar <mingo@kernel.org>	2013-12-17 09:27:08 -0500
committer	Ingo Molnar <mingo@kernel.org>	2013-12-17 09:27:08 -0500
commit	bb799d3b980eb803ca2da4a4eefbd9308f8d988a (patch)
tree	69fbe0cd6d47b23a50f5e1d87bf7489532fae149 /security/keys/persistent.c
parent	919fc6e34831d1c2b58bfb5ae261dc3facc9b269 (diff)
parent	319e2e3f63c348a9b66db4667efa73178e18b17d (diff)

diff --git a/security/keys/persistent.c b/security/keys/persistent.c new file mode 100644 index 000000000000..0ad3ee283781 --- /dev/null +++ b/security/keys/persistent.c
@@ -0,0 +1,167 @@
	1	/* General persistent per-UID keyrings register
	2	*
	3	* Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
	4	* Written by David Howells (dhowells@redhat.com)
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public Licence
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the Licence, or (at your option) any later version.
	10	*/
	11
	12	#include <linux/user_namespace.h>
	13	#include "internal.h"
	14
	15	unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
	16
	17	/*
	18	* Create the persistent keyring register for the current user namespace.
	19	*
	20	* Called with the namespace's sem locked for writing.
	21	*/
	22	static int key_create_persistent_register(struct user_namespace *ns)
	23	{
	24	struct key *reg = keyring_alloc(".persistent_register",
	25	KUIDT_INIT(0), KGIDT_INIT(0),
	26	current_cred(),
	27	((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	28	KEY_USR_VIEW \| KEY_USR_READ),
	29	KEY_ALLOC_NOT_IN_QUOTA, NULL);
	30	if (IS_ERR(reg))
	31	return PTR_ERR(reg);
	32
	33	ns->persistent_keyring_register = reg;
	34	return 0;
	35	}
	36
	37	/*
	38	* Create the persistent keyring for the specified user.
	39	*
	40	* Called with the namespace's sem locked for writing.
	41	*/
	42	static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
	43	struct keyring_index_key *index_key)
	44	{
	45	struct key *persistent;
	46	key_ref_t reg_ref, persistent_ref;
	47
	48	if (!ns->persistent_keyring_register) {
	49	long err = key_create_persistent_register(ns);
	50	if (err < 0)
	51	return ERR_PTR(err);
	52	} else {
	53	reg_ref = make_key_ref(ns->persistent_keyring_register, true);
	54	persistent_ref = find_key_to_update(reg_ref, index_key);
	55	if (persistent_ref)
	56	return persistent_ref;
	57	}
	58
	59	persistent = keyring_alloc(index_key->description,
	60	uid, INVALID_GID, current_cred(),
	61	((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	62	KEY_USR_VIEW \| KEY_USR_READ),
	63	KEY_ALLOC_NOT_IN_QUOTA,
	64	ns->persistent_keyring_register);
	65	if (IS_ERR(persistent))
	66	return ERR_CAST(persistent);
	67
	68	return make_key_ref(persistent, true);
	69	}
	70
	71	/*
	72	* Get the persistent keyring for a specific UID and link it to the nominated
	73	* keyring.
	74	*/
	75	static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
	76	key_ref_t dest_ref)
	77	{
	78	struct keyring_index_key index_key;
	79	struct key *persistent;
	80	key_ref_t reg_ref, persistent_ref;
	81	char buf[32];
	82	long ret;
	83
	84	/* Look in the register if it exists */
	85	index_key.type = &key_type_keyring;
	86	index_key.description = buf;
	87	index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
	88
	89	if (ns->persistent_keyring_register) {
	90	reg_ref = make_key_ref(ns->persistent_keyring_register, true);
	91	down_read(&ns->persistent_keyring_register_sem);
	92	persistent_ref = find_key_to_update(reg_ref, &index_key);
	93	up_read(&ns->persistent_keyring_register_sem);
	94
	95	if (persistent_ref)
	96	goto found;
	97	}
	98
	99	/* It wasn't in the register, so we'll need to create it. We might
	100	* also need to create the register.
	101	*/
	102	down_write(&ns->persistent_keyring_register_sem);
	103	persistent_ref = key_create_persistent(ns, uid, &index_key);
	104	up_write(&ns->persistent_keyring_register_sem);
	105	if (!IS_ERR(persistent_ref))
	106	goto found;
	107
	108	return PTR_ERR(persistent_ref);
	109
	110	found:
	111	ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
	112	if (ret == 0) {
	113	persistent = key_ref_to_ptr(persistent_ref);
	114	ret = key_link(key_ref_to_ptr(dest_ref), persistent);
	115	if (ret == 0) {
	116	key_set_timeout(persistent, persistent_keyring_expiry);
	117	ret = persistent->serial;
	118	}
	119	}
	120
	121	key_ref_put(persistent_ref);
	122	return ret;
	123	}
	124
	125	/*
	126	* Get the persistent keyring for a specific UID and link it to the nominated
	127	* keyring.
	128	*/
	129	long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
	130	{
	131	struct user_namespace *ns = current_user_ns();
	132	key_ref_t dest_ref;
	133	kuid_t uid;
	134	long ret;
	135
	136	/* -1 indicates the current user */
	137	if (_uid == (uid_t)-1) {
	138	uid = current_uid();
	139	} else {
	140	uid = make_kuid(ns, _uid);
	141	if (!uid_valid(uid))
	142	return -EINVAL;
	143
	144	/* You can only see your own persistent cache if you're not
	145	* sufficiently privileged.
	146	*/
	147	if (!uid_eq(uid, current_uid()) &&
	148	!uid_eq(uid, current_euid()) &&
	149	!ns_capable(ns, CAP_SETUID))
	150	return -EPERM;
	151	}
	152
	153	/* There must be a destination keyring */
	154	dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
	155	if (IS_ERR(dest_ref))
	156	return PTR_ERR(dest_ref);
	157	if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
	158	ret = -ENOTDIR;
	159	goto out_put_dest;
	160	}
	161
	162	ret = key_get_persistent(ns, uid, dest_ref);
	163
	164	out_put_dest:
	165	key_ref_put(dest_ref);
	166	return ret;
	167	}