diff options
author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:16 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:16 -0500 |
commit | b6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch) | |
tree | 9e76f972eb7ce9b84e0146c8e4126a3f86acb428 /security/keys/process_keys.c | |
parent | 15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff) |
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the
security data is temporarily embedded in the task_struct with two pointers
pointing to it.
Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
entry.S via asm-offsets.
With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/keys/process_keys.c')
-rw-r--r-- | security/keys/process_keys.c | 98 |
1 files changed, 51 insertions, 47 deletions
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 1c793b7090a7..b0904cdda2e7 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -42,7 +42,7 @@ struct key_user root_key_user = { | |||
42 | */ | 42 | */ |
43 | int install_user_keyrings(void) | 43 | int install_user_keyrings(void) |
44 | { | 44 | { |
45 | struct user_struct *user = current->user; | 45 | struct user_struct *user = current->cred->user; |
46 | struct key *uid_keyring, *session_keyring; | 46 | struct key *uid_keyring, *session_keyring; |
47 | char buf[20]; | 47 | char buf[20]; |
48 | int ret; | 48 | int ret; |
@@ -156,7 +156,7 @@ int install_thread_keyring(void) | |||
156 | 156 | ||
157 | sprintf(buf, "_tid.%u", tsk->pid); | 157 | sprintf(buf, "_tid.%u", tsk->pid); |
158 | 158 | ||
159 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 159 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
161 | if (IS_ERR(keyring)) { | 161 | if (IS_ERR(keyring)) { |
162 | ret = PTR_ERR(keyring); | 162 | ret = PTR_ERR(keyring); |
@@ -164,8 +164,8 @@ int install_thread_keyring(void) | |||
164 | } | 164 | } |
165 | 165 | ||
166 | task_lock(tsk); | 166 | task_lock(tsk); |
167 | old = tsk->thread_keyring; | 167 | old = tsk->cred->thread_keyring; |
168 | tsk->thread_keyring = keyring; | 168 | tsk->cred->thread_keyring = keyring; |
169 | task_unlock(tsk); | 169 | task_unlock(tsk); |
170 | 170 | ||
171 | ret = 0; | 171 | ret = 0; |
@@ -192,7 +192,7 @@ int install_process_keyring(void) | |||
192 | if (!tsk->signal->process_keyring) { | 192 | if (!tsk->signal->process_keyring) { |
193 | sprintf(buf, "_pid.%u", tsk->tgid); | 193 | sprintf(buf, "_pid.%u", tsk->tgid); |
194 | 194 | ||
195 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 195 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
197 | if (IS_ERR(keyring)) { | 197 | if (IS_ERR(keyring)) { |
198 | ret = PTR_ERR(keyring); | 198 | ret = PTR_ERR(keyring); |
@@ -238,7 +238,7 @@ static int install_session_keyring(struct key *keyring) | |||
238 | if (tsk->signal->session_keyring) | 238 | if (tsk->signal->session_keyring) |
239 | flags = KEY_ALLOC_IN_QUOTA; | 239 | flags = KEY_ALLOC_IN_QUOTA; |
240 | 240 | ||
241 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 241 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
242 | flags, NULL); | 242 | flags, NULL); |
243 | if (IS_ERR(keyring)) | 243 | if (IS_ERR(keyring)) |
244 | return PTR_ERR(keyring); | 244 | return PTR_ERR(keyring); |
@@ -292,14 +292,14 @@ int copy_thread_group_keys(struct task_struct *tsk) | |||
292 | */ | 292 | */ |
293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) | 293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) |
294 | { | 294 | { |
295 | key_check(tsk->thread_keyring); | 295 | key_check(tsk->cred->thread_keyring); |
296 | key_check(tsk->request_key_auth); | 296 | key_check(tsk->cred->request_key_auth); |
297 | 297 | ||
298 | /* no thread keyring yet */ | 298 | /* no thread keyring yet */ |
299 | tsk->thread_keyring = NULL; | 299 | tsk->cred->thread_keyring = NULL; |
300 | 300 | ||
301 | /* copy the request_key() authorisation for this thread */ | 301 | /* copy the request_key() authorisation for this thread */ |
302 | key_get(tsk->request_key_auth); | 302 | key_get(tsk->cred->request_key_auth); |
303 | 303 | ||
304 | return 0; | 304 | return 0; |
305 | 305 | ||
@@ -322,8 +322,8 @@ void exit_thread_group_keys(struct signal_struct *tg) | |||
322 | */ | 322 | */ |
323 | void exit_keys(struct task_struct *tsk) | 323 | void exit_keys(struct task_struct *tsk) |
324 | { | 324 | { |
325 | key_put(tsk->thread_keyring); | 325 | key_put(tsk->cred->thread_keyring); |
326 | key_put(tsk->request_key_auth); | 326 | key_put(tsk->cred->request_key_auth); |
327 | 327 | ||
328 | } /* end exit_keys() */ | 328 | } /* end exit_keys() */ |
329 | 329 | ||
@@ -337,8 +337,8 @@ int exec_keys(struct task_struct *tsk) | |||
337 | 337 | ||
338 | /* newly exec'd tasks don't get a thread keyring */ | 338 | /* newly exec'd tasks don't get a thread keyring */ |
339 | task_lock(tsk); | 339 | task_lock(tsk); |
340 | old = tsk->thread_keyring; | 340 | old = tsk->cred->thread_keyring; |
341 | tsk->thread_keyring = NULL; | 341 | tsk->cred->thread_keyring = NULL; |
342 | task_unlock(tsk); | 342 | task_unlock(tsk); |
343 | 343 | ||
344 | key_put(old); | 344 | key_put(old); |
@@ -373,10 +373,11 @@ int suid_keys(struct task_struct *tsk) | |||
373 | void key_fsuid_changed(struct task_struct *tsk) | 373 | void key_fsuid_changed(struct task_struct *tsk) |
374 | { | 374 | { |
375 | /* update the ownership of the thread keyring */ | 375 | /* update the ownership of the thread keyring */ |
376 | if (tsk->thread_keyring) { | 376 | BUG_ON(!tsk->cred); |
377 | down_write(&tsk->thread_keyring->sem); | 377 | if (tsk->cred->thread_keyring) { |
378 | tsk->thread_keyring->uid = tsk->fsuid; | 378 | down_write(&tsk->cred->thread_keyring->sem); |
379 | up_write(&tsk->thread_keyring->sem); | 379 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; |
380 | up_write(&tsk->cred->thread_keyring->sem); | ||
380 | } | 381 | } |
381 | 382 | ||
382 | } /* end key_fsuid_changed() */ | 383 | } /* end key_fsuid_changed() */ |
@@ -388,10 +389,11 @@ void key_fsuid_changed(struct task_struct *tsk) | |||
388 | void key_fsgid_changed(struct task_struct *tsk) | 389 | void key_fsgid_changed(struct task_struct *tsk) |
389 | { | 390 | { |
390 | /* update the ownership of the thread keyring */ | 391 | /* update the ownership of the thread keyring */ |
391 | if (tsk->thread_keyring) { | 392 | BUG_ON(!tsk->cred); |
392 | down_write(&tsk->thread_keyring->sem); | 393 | if (tsk->cred->thread_keyring) { |
393 | tsk->thread_keyring->gid = tsk->fsgid; | 394 | down_write(&tsk->cred->thread_keyring->sem); |
394 | up_write(&tsk->thread_keyring->sem); | 395 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; |
396 | up_write(&tsk->cred->thread_keyring->sem); | ||
395 | } | 397 | } |
396 | 398 | ||
397 | } /* end key_fsgid_changed() */ | 399 | } /* end key_fsgid_changed() */ |
@@ -426,9 +428,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
426 | err = ERR_PTR(-EAGAIN); | 428 | err = ERR_PTR(-EAGAIN); |
427 | 429 | ||
428 | /* search the thread keyring first */ | 430 | /* search the thread keyring first */ |
429 | if (context->thread_keyring) { | 431 | if (context->cred->thread_keyring) { |
430 | key_ref = keyring_search_aux( | 432 | key_ref = keyring_search_aux( |
431 | make_key_ref(context->thread_keyring, 1), | 433 | make_key_ref(context->cred->thread_keyring, 1), |
432 | context, type, description, match); | 434 | context, type, description, match); |
433 | if (!IS_ERR(key_ref)) | 435 | if (!IS_ERR(key_ref)) |
434 | goto found; | 436 | goto found; |
@@ -493,9 +495,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
493 | } | 495 | } |
494 | } | 496 | } |
495 | /* or search the user-session keyring */ | 497 | /* or search the user-session keyring */ |
496 | else if (context->user->session_keyring) { | 498 | else if (context->cred->user->session_keyring) { |
497 | key_ref = keyring_search_aux( | 499 | key_ref = keyring_search_aux( |
498 | make_key_ref(context->user->session_keyring, 1), | 500 | make_key_ref(context->cred->user->session_keyring, 1), |
499 | context, type, description, match); | 501 | context, type, description, match); |
500 | if (!IS_ERR(key_ref)) | 502 | if (!IS_ERR(key_ref)) |
501 | goto found; | 503 | goto found; |
@@ -517,20 +519,20 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
517 | * search the keyrings of the process mentioned there | 519 | * search the keyrings of the process mentioned there |
518 | * - we don't permit access to request_key auth keys via this method | 520 | * - we don't permit access to request_key auth keys via this method |
519 | */ | 521 | */ |
520 | if (context->request_key_auth && | 522 | if (context->cred->request_key_auth && |
521 | context == current && | 523 | context == current && |
522 | type != &key_type_request_key_auth | 524 | type != &key_type_request_key_auth |
523 | ) { | 525 | ) { |
524 | /* defend against the auth key being revoked */ | 526 | /* defend against the auth key being revoked */ |
525 | down_read(&context->request_key_auth->sem); | 527 | down_read(&context->cred->request_key_auth->sem); |
526 | 528 | ||
527 | if (key_validate(context->request_key_auth) == 0) { | 529 | if (key_validate(context->cred->request_key_auth) == 0) { |
528 | rka = context->request_key_auth->payload.data; | 530 | rka = context->cred->request_key_auth->payload.data; |
529 | 531 | ||
530 | key_ref = search_process_keyrings(type, description, | 532 | key_ref = search_process_keyrings(type, description, |
531 | match, rka->context); | 533 | match, rka->context); |
532 | 534 | ||
533 | up_read(&context->request_key_auth->sem); | 535 | up_read(&context->cred->request_key_auth->sem); |
534 | 536 | ||
535 | if (!IS_ERR(key_ref)) | 537 | if (!IS_ERR(key_ref)) |
536 | goto found; | 538 | goto found; |
@@ -547,7 +549,7 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
547 | break; | 549 | break; |
548 | } | 550 | } |
549 | } else { | 551 | } else { |
550 | up_read(&context->request_key_auth->sem); | 552 | up_read(&context->cred->request_key_auth->sem); |
551 | } | 553 | } |
552 | } | 554 | } |
553 | 555 | ||
@@ -580,15 +582,16 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
580 | { | 582 | { |
581 | struct request_key_auth *rka; | 583 | struct request_key_auth *rka; |
582 | struct task_struct *t = current; | 584 | struct task_struct *t = current; |
583 | key_ref_t key_ref, skey_ref; | 585 | struct cred *cred = t->cred; |
584 | struct key *key; | 586 | struct key *key; |
587 | key_ref_t key_ref, skey_ref; | ||
585 | int ret; | 588 | int ret; |
586 | 589 | ||
587 | key_ref = ERR_PTR(-ENOKEY); | 590 | key_ref = ERR_PTR(-ENOKEY); |
588 | 591 | ||
589 | switch (id) { | 592 | switch (id) { |
590 | case KEY_SPEC_THREAD_KEYRING: | 593 | case KEY_SPEC_THREAD_KEYRING: |
591 | if (!t->thread_keyring) { | 594 | if (!cred->thread_keyring) { |
592 | if (!create) | 595 | if (!create) |
593 | goto error; | 596 | goto error; |
594 | 597 | ||
@@ -599,7 +602,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
599 | } | 602 | } |
600 | } | 603 | } |
601 | 604 | ||
602 | key = t->thread_keyring; | 605 | key = cred->thread_keyring; |
603 | atomic_inc(&key->usage); | 606 | atomic_inc(&key->usage); |
604 | key_ref = make_key_ref(key, 1); | 607 | key_ref = make_key_ref(key, 1); |
605 | break; | 608 | break; |
@@ -628,7 +631,8 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
628 | ret = install_user_keyrings(); | 631 | ret = install_user_keyrings(); |
629 | if (ret < 0) | 632 | if (ret < 0) |
630 | goto error; | 633 | goto error; |
631 | ret = install_session_keyring(t->user->session_keyring); | 634 | ret = install_session_keyring( |
635 | cred->user->session_keyring); | ||
632 | if (ret < 0) | 636 | if (ret < 0) |
633 | goto error; | 637 | goto error; |
634 | } | 638 | } |
@@ -641,25 +645,25 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
641 | break; | 645 | break; |
642 | 646 | ||
643 | case KEY_SPEC_USER_KEYRING: | 647 | case KEY_SPEC_USER_KEYRING: |
644 | if (!t->user->uid_keyring) { | 648 | if (!cred->user->uid_keyring) { |
645 | ret = install_user_keyrings(); | 649 | ret = install_user_keyrings(); |
646 | if (ret < 0) | 650 | if (ret < 0) |
647 | goto error; | 651 | goto error; |
648 | } | 652 | } |
649 | 653 | ||
650 | key = t->user->uid_keyring; | 654 | key = cred->user->uid_keyring; |
651 | atomic_inc(&key->usage); | 655 | atomic_inc(&key->usage); |
652 | key_ref = make_key_ref(key, 1); | 656 | key_ref = make_key_ref(key, 1); |
653 | break; | 657 | break; |
654 | 658 | ||
655 | case KEY_SPEC_USER_SESSION_KEYRING: | 659 | case KEY_SPEC_USER_SESSION_KEYRING: |
656 | if (!t->user->session_keyring) { | 660 | if (!cred->user->session_keyring) { |
657 | ret = install_user_keyrings(); | 661 | ret = install_user_keyrings(); |
658 | if (ret < 0) | 662 | if (ret < 0) |
659 | goto error; | 663 | goto error; |
660 | } | 664 | } |
661 | 665 | ||
662 | key = t->user->session_keyring; | 666 | key = cred->user->session_keyring; |
663 | atomic_inc(&key->usage); | 667 | atomic_inc(&key->usage); |
664 | key_ref = make_key_ref(key, 1); | 668 | key_ref = make_key_ref(key, 1); |
665 | break; | 669 | break; |
@@ -670,7 +674,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
670 | goto error; | 674 | goto error; |
671 | 675 | ||
672 | case KEY_SPEC_REQKEY_AUTH_KEY: | 676 | case KEY_SPEC_REQKEY_AUTH_KEY: |
673 | key = t->request_key_auth; | 677 | key = cred->request_key_auth; |
674 | if (!key) | 678 | if (!key) |
675 | goto error; | 679 | goto error; |
676 | 680 | ||
@@ -679,19 +683,19 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
679 | break; | 683 | break; |
680 | 684 | ||
681 | case KEY_SPEC_REQUESTOR_KEYRING: | 685 | case KEY_SPEC_REQUESTOR_KEYRING: |
682 | if (!t->request_key_auth) | 686 | if (!cred->request_key_auth) |
683 | goto error; | 687 | goto error; |
684 | 688 | ||
685 | down_read(&t->request_key_auth->sem); | 689 | down_read(&cred->request_key_auth->sem); |
686 | if (t->request_key_auth->flags & KEY_FLAG_REVOKED) { | 690 | if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) { |
687 | key_ref = ERR_PTR(-EKEYREVOKED); | 691 | key_ref = ERR_PTR(-EKEYREVOKED); |
688 | key = NULL; | 692 | key = NULL; |
689 | } else { | 693 | } else { |
690 | rka = t->request_key_auth->payload.data; | 694 | rka = cred->request_key_auth->payload.data; |
691 | key = rka->dest_keyring; | 695 | key = rka->dest_keyring; |
692 | atomic_inc(&key->usage); | 696 | atomic_inc(&key->usage); |
693 | } | 697 | } |
694 | up_read(&t->request_key_auth->sem); | 698 | up_read(&cred->request_key_auth->sem); |
695 | if (!key) | 699 | if (!key) |
696 | goto error; | 700 | goto error; |
697 | key_ref = make_key_ref(key, 1); | 701 | key_ref = make_key_ref(key, 1); |
@@ -791,7 +795,7 @@ long join_session_keyring(const char *name) | |||
791 | keyring = find_keyring_by_name(name, false); | 795 | keyring = find_keyring_by_name(name, false); |
792 | if (PTR_ERR(keyring) == -ENOKEY) { | 796 | if (PTR_ERR(keyring) == -ENOKEY) { |
793 | /* not found - try and create a new one */ | 797 | /* not found - try and create a new one */ |
794 | keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk, | 798 | keyring = keyring_alloc(name, tsk->cred->uid, tsk->cred->gid, tsk, |
795 | KEY_ALLOC_IN_QUOTA, NULL); | 799 | KEY_ALLOC_IN_QUOTA, NULL); |
796 | if (IS_ERR(keyring)) { | 800 | if (IS_ERR(keyring)) { |
797 | ret = PTR_ERR(keyring); | 801 | ret = PTR_ERR(keyring); |