KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]

Add a keyctl to install a process's session keyring onto its parent. This replaces the parent's session keyring. Because the COW credential code does not permit one process to change another process's credentials directly, the change is deferred until userspace next starts executing again. Normally this will be after a wait*() syscall. To support this, three new security hooks have been provided: cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in the blank security creds and key_session_to_parent() - which asks the LSM if the process may replace its parent's session keyring. The replacement may only happen if the process has the same ownership details as its parent, and the process has LINK permission on the session keyring, and the session keyring is owned by the process, and the LSM permits it. Note that this requires alteration to each architecture's notify_resume path. This has been done for all arches barring blackfin, m68k* and xtensa, all of which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the replacement to be performed at the point the parent process resumes userspace execution. This allows the userspace AFS pioctl emulation to fully emulate newpag() and the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to alter the parent process's PAG membership. However, since kAFS doesn't use PAGs per se, but rather dumps the keys into the session keyring, the session keyring of the parent must be replaced if, for example, VIOCSETTOK is passed the newpag flag. This can be tested with the following program: #include <stdio.h> #include <stdlib.h> #include <keyutils.h> #define KEYCTL_SESSION_TO_PARENT 18 #define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0) int main(int argc, char **argv) { key_serial_t keyring, key; long ret; keyring = keyctl_join_session_keyring(argv[1]); OSERROR(keyring, "keyctl_join_session_keyring"); key = add_key("user", "a", "b", 1, keyring); OSERROR(key, "add_key"); ret = keyctl(KEYCTL_SESSION_TO_PARENT); OSERROR(ret, "KEYCTL_SESSION_TO_PARENT"); return 0; } Compiled and linked with -lkeyutils, you should see something like: [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: _ses 355907932 --alswrv 4043 -1 \_ keyring: _uid.4043 [dhowells@andromeda ~]$ /tmp/newpag [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: _ses 1055658746 --alswrv 4043 4043 \_ user: a [dhowells@andromeda ~]$ /tmp/newpag hello [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: hello 340417692 --alswrv 4043 4043 \_ user: a Where the test program creates a new session keyring, sticks a user key named 'a' into it and then installs it on its parent. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
author: David Howells <dhowells@redhat.com> 2009-09-02 04:14:21 -0400
committer: James Morris <jmorris@namei.org> 2009-09-02 07:29:22 -0400
commit: ee18d64c1f632043a02e6f5ba5e045bb26a5465f (patch)
tree: 80b5a4d530ec7d5fd69799920f0db7b78aba6b9d /security/keys
parent: d0420c83f39f79afb82010c2d2cafd150eef651b (diff)
5 files changed, 156 insertions, 0 deletions
diff --git a/security/keys/compat.c b/security/keys/compat.c
index c766c68a63bc..792c0a611a6d 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -82,6 +82,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
        case KEYCTL_GET_SECURITY:
                return keyctl_get_security(arg2, compat_ptr(arg3), arg4);
+        case KEYCTL_SESSION_TO_PARENT:
+                return keyctl_session_to_parent();
        default:
                return -EOPNOTSUPP;
        }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 44adc325e15c..1e616aef55fd 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -65,6 +65,7 @@ static void key_gc_timer_func(unsigned long data)
 * - return true if we altered the keyring
 */
 static bool key_gc_keyring(struct key *keyring, time_t limit)
+        __releases(key_serial_lock)
 {
        struct keyring_list *klist;
        struct key *key;
diff --git a/security/keys/internal.h b/security/keys/internal.h
index fb830514c337..24ba0307b7ad 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -201,6 +201,7 @@ extern long keyctl_set_timeout(key_serial_t, unsigned);
 extern long keyctl_assume_authority(key_serial_t);
 extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
                                size_t buflen);
+extern long keyctl_session_to_parent(void);
 /*
 * debugging key validation
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 736d7800f97f..74c968524592 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1228,6 +1228,105 @@ long keyctl_get_security(key_serial_t keyid,
        return ret;
 }
+/*
+ * attempt to install the calling process's session keyring on the process's
+ * parent process
+ * - the keyring must exist and must grant us LINK permission
+ * - implements keyctl(KEYCTL_SESSION_TO_PARENT)
+ */
+long keyctl_session_to_parent(void)
+{
+        struct task_struct *me, *parent;
+        const struct cred *mycred, *pcred;
+        struct cred *cred, *oldcred;
+        key_ref_t keyring_r;
+        int ret;
+        keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
+        if (IS_ERR(keyring_r))
+                return PTR_ERR(keyring_r);
+        /* our parent is going to need a new cred struct, a new tgcred struct
+         * and new security data, so we allocate them here to prevent ENOMEM in
+         * our parent */
+        ret = -ENOMEM;
+        cred = cred_alloc_blank();
+        if (!cred)
+                goto error_keyring;
+        cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
+        keyring_r = NULL;
+        me = current;
+        write_lock_irq(&tasklist_lock);
+        parent = me->real_parent;
+        ret = -EPERM;
+        /* the parent mustn't be init and mustn't be a kernel thread */
+        if (parent->pid <= 1 || !parent->mm)
+                goto not_permitted;
+        /* the parent must be single threaded */
+        if (atomic_read(&parent->signal->count) != 1)
+                goto not_permitted;
+        /* the parent and the child must have different session keyrings or
+         * there's no point */
+        mycred = current_cred();
+        pcred = __task_cred(parent);
+        if (mycred == pcred ||
+            mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
+                goto already_same;
+        /* the parent must have the same effective ownership and mustn't be
+         * SUID/SGID */
+        if (pcred-> uid != mycred->euid ||
+            pcred->euid != mycred->euid ||
+            pcred->suid != mycred->euid ||
+            pcred-> gid != mycred->egid ||
+            pcred->egid != mycred->egid ||
+            pcred->sgid != mycred->egid)
+                goto not_permitted;
+        /* the keyrings must have the same UID */
+        if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
+            mycred->tgcred->session_keyring->uid != mycred->euid)
+                goto not_permitted;
+        /* the LSM must permit the replacement of the parent's keyring with the
+         * keyring from this process */
+        ret = security_key_session_to_parent(mycred, pcred,
+                                             key_ref_to_ptr(keyring_r));
+        if (ret < 0)
+                goto not_permitted;
+        /* if there's an already pending keyring replacement, then we replace
+         * that */
+        oldcred = parent->replacement_session_keyring;
+        /* the replacement session keyring is applied just prior to userspace
+         * restarting */
+        parent->replacement_session_keyring = cred;
+        cred = NULL;
+        set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
+        write_unlock_irq(&tasklist_lock);
+        if (oldcred)
+                put_cred(oldcred);
+        return 0;
+already_same:
+        ret = 0;
+not_permitted:
+        put_cred(cred);
+        return ret;
+error_keyring:
+        key_ref_put(keyring_r);
+        return ret;
+}
 /*****************************************************************************/
 /*
 * the key control system call
@@ -1313,6 +1412,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
                                           (char __user *) arg3,
                                           (size_t) arg4);
+        case KEYCTL_SESSION_TO_PARENT:
+                return keyctl_session_to_parent();
        default:
                return -EOPNOTSUPP;
        }
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 4739cfbb41b7..5c23afb31ece 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -17,6 +17,7 @@
 #include <linux/fs.h>
 #include <linux/err.h>
 #include <linux/mutex.h>
+#include <linux/security.h>
 #include <linux/user_namespace.h>
 #include <asm/uaccess.h>
 #include "internal.h"
@@ -768,3 +769,51 @@ error:
        abort_creds(new);
        return ret;
 }
+/*
+ * Replace a process's session keyring when that process resumes userspace on
+ * behalf of one of its children
+ */
+void key_replace_session_keyring(void)
+{
+        const struct cred *old;
+        struct cred *new;
+        if (!current->replacement_session_keyring)
+                return;
+        write_lock_irq(&tasklist_lock);
+        new = current->replacement_session_keyring;
+        current->replacement_session_keyring = NULL;
+        write_unlock_irq(&tasklist_lock);
+        if (!new)
+                return;
+        old = current_cred();
+        new->  uid      = old->  uid;
+        new-> euid      = old-> euid;
+        new-> suid      = old-> suid;
+        new->fsuid      = old->fsuid;
+        new->  gid      = old->  gid;
+        new-> egid      = old-> egid;
+        new-> sgid      = old-> sgid;
+        new->fsgid      = old->fsgid;
+        new->user       = get_uid(old->user);
+        new->group_info = get_group_info(old->group_info);
+        new->securebits = old->securebits;
+        new->cap_inheritable    = old->cap_inheritable;
+        new->cap_permitted      = old->cap_permitted;
+        new->cap_effective      = old->cap_effective;
+        new->cap_bset           = old->cap_bset;
+        new->jit_keyring        = old->jit_keyring;
+        new->thread_keyring     = key_get(old->thread_keyring);
+        new->tgcred->tgid       = old->tgcred->tgid;
+        new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
+        security_transfer_creds(new, old);
+        commit_creds(new);
+}
author	David Howells <dhowells@redhat.com>	2009-09-02 04:14:21 -0400
committer	James Morris <jmorris@namei.org>	2009-09-02 07:29:22 -0400
commit	ee18d64c1f632043a02e6f5ba5e045bb26a5465f (patch)
tree	80b5a4d530ec7d5fd69799920f0db7b78aba6b9d /security/keys
parent	d0420c83f39f79afb82010c2d2cafd150eef651b (diff)

diff --git a/security/keys/compat.c b/security/keys/compat.c index c766c68a63bc..792c0a611a6d 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c
@@ -82,6 +82,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
82	case KEYCTL_GET_SECURITY:	82	case KEYCTL_GET_SECURITY:
83	return keyctl_get_security(arg2, compat_ptr(arg3), arg4);	83	return keyctl_get_security(arg2, compat_ptr(arg3), arg4);
84		84
		85	case KEYCTL_SESSION_TO_PARENT:
		86	return keyctl_session_to_parent();
		87
85	default:	88	default:
86	return -EOPNOTSUPP;	89	return -EOPNOTSUPP;
87	}	90	}


diff --git a/security/keys/gc.c b/security/keys/gc.c index 44adc325e15c..1e616aef55fd 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c
@@ -65,6 +65,7 @@ static void key_gc_timer_func(unsigned long data)
65	* - return true if we altered the keyring	65	* - return true if we altered the keyring
66	*/	66	*/
67	static bool key_gc_keyring(struct key *keyring, time_t limit)	67	static bool key_gc_keyring(struct key *keyring, time_t limit)
		68	__releases(key_serial_lock)
68	{	69	{
69	struct keyring_list *klist;	70	struct keyring_list *klist;
70	struct key *key;	71	struct key *key;


diff --git a/security/keys/internal.h b/security/keys/internal.h index fb830514c337..24ba0307b7ad 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h
@@ -201,6 +201,7 @@ extern long keyctl_set_timeout(key_serial_t, unsigned);
201	extern long keyctl_assume_authority(key_serial_t);	201	extern long keyctl_assume_authority(key_serial_t);
202	extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,	202	extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
203	size_t buflen);	203	size_t buflen);
		204	extern long keyctl_session_to_parent(void);
204		205
205	/*	206	/*
206	* debugging key validation	207	* debugging key validation


diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 736d7800f97f..74c968524592 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c
@@ -1228,6 +1228,105 @@ long keyctl_get_security(key_serial_t keyid,
1228	return ret;	1228	return ret;
1229	}	1229	}
1230		1230
		1231	/*
		1232	* attempt to install the calling process's session keyring on the process's
		1233	* parent process
		1234	* - the keyring must exist and must grant us LINK permission
		1235	* - implements keyctl(KEYCTL_SESSION_TO_PARENT)
		1236	*/
		1237	long keyctl_session_to_parent(void)
		1238	{
		1239	struct task_struct me, parent;
		1240	const struct cred mycred, pcred;
		1241	struct cred cred, oldcred;
		1242	key_ref_t keyring_r;
		1243	int ret;
		1244
		1245	keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
		1246	if (IS_ERR(keyring_r))
		1247	return PTR_ERR(keyring_r);
		1248
		1249	/* our parent is going to need a new cred struct, a new tgcred struct
		1250	* and new security data, so we allocate them here to prevent ENOMEM in
		1251	* our parent */
		1252	ret = -ENOMEM;
		1253	cred = cred_alloc_blank();
		1254	if (!cred)
		1255	goto error_keyring;
		1256
		1257	cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
		1258	keyring_r = NULL;
		1259
		1260	me = current;
		1261	write_lock_irq(&tasklist_lock);
		1262
		1263	parent = me->real_parent;
		1264	ret = -EPERM;
		1265
		1266	/* the parent mustn't be init and mustn't be a kernel thread */
		1267	if (parent->pid <= 1 \|\| !parent->mm)
		1268	goto not_permitted;
		1269
		1270	/* the parent must be single threaded */
		1271	if (atomic_read(&parent->signal->count) != 1)
		1272	goto not_permitted;
		1273
		1274	/* the parent and the child must have different session keyrings or
		1275	* there's no point */
		1276	mycred = current_cred();
		1277	pcred = __task_cred(parent);
		1278	if (mycred == pcred \|\|
		1279	mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
		1280	goto already_same;
		1281
		1282	/* the parent must have the same effective ownership and mustn't be
		1283	* SUID/SGID */
		1284	if (pcred-> uid != mycred->euid \|\|
		1285	pcred->euid != mycred->euid \|\|
		1286	pcred->suid != mycred->euid \|\|
		1287	pcred-> gid != mycred->egid \|\|
		1288	pcred->egid != mycred->egid \|\|
		1289	pcred->sgid != mycred->egid)
		1290	goto not_permitted;
		1291
		1292	/* the keyrings must have the same UID */
		1293	if (pcred ->tgcred->session_keyring->uid != mycred->euid \|\|
		1294	mycred->tgcred->session_keyring->uid != mycred->euid)
		1295	goto not_permitted;
		1296
		1297	/* the LSM must permit the replacement of the parent's keyring with the
		1298	* keyring from this process */
		1299	ret = security_key_session_to_parent(mycred, pcred,
		1300	key_ref_to_ptr(keyring_r));
		1301	if (ret < 0)
		1302	goto not_permitted;
		1303
		1304	/* if there's an already pending keyring replacement, then we replace
		1305	* that */
		1306	oldcred = parent->replacement_session_keyring;
		1307
		1308	/* the replacement session keyring is applied just prior to userspace
		1309	* restarting */
		1310	parent->replacement_session_keyring = cred;
		1311	cred = NULL;
		1312	set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
		1313
		1314	write_unlock_irq(&tasklist_lock);
		1315	if (oldcred)
		1316	put_cred(oldcred);
		1317	return 0;
		1318
		1319	already_same:
		1320	ret = 0;
		1321	not_permitted:
		1322	put_cred(cred);
		1323	return ret;
		1324
		1325	error_keyring:
		1326	key_ref_put(keyring_r);
		1327	return ret;
		1328	}
		1329
1231	/*****************************************************************************/	1330	/*****************************************************************************/
1232	/*	1331	/*
1233	* the key control system call	1332	* the key control system call
@@ -1313,6 +1412,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1313	(char __user *) arg3,	1412	(char __user *) arg3,
1314	(size_t) arg4);	1413	(size_t) arg4);
1315		1414
		1415	case KEYCTL_SESSION_TO_PARENT:
		1416	return keyctl_session_to_parent();
		1417
1316	default:	1418	default:
1317	return -EOPNOTSUPP;	1419	return -EOPNOTSUPP;
1318	}	1420	}


diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 4739cfbb41b7..5c23afb31ece 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -17,6 +17,7 @@
17	#include <linux/fs.h>	17	#include <linux/fs.h>
18	#include <linux/err.h>	18	#include <linux/err.h>
19	#include <linux/mutex.h>	19	#include <linux/mutex.h>
		20	#include <linux/security.h>
20	#include <linux/user_namespace.h>	21	#include <linux/user_namespace.h>
21	#include <asm/uaccess.h>	22	#include <asm/uaccess.h>
22	#include "internal.h"	23	#include "internal.h"
@@ -768,3 +769,51 @@ error:
768	abort_creds(new);	769	abort_creds(new);
769	return ret;	770	return ret;
770	}	771	}
		772
		773	/*
		774	* Replace a process's session keyring when that process resumes userspace on
		775	* behalf of one of its children
		776	*/
		777	void key_replace_session_keyring(void)
		778	{
		779	const struct cred *old;
		780	struct cred *new;
		781
		782	if (!current->replacement_session_keyring)
		783	return;
		784
		785	write_lock_irq(&tasklist_lock);
		786	new = current->replacement_session_keyring;
		787	current->replacement_session_keyring = NULL;
		788	write_unlock_irq(&tasklist_lock);
		789
		790	if (!new)
		791	return;
		792
		793	old = current_cred();
		794	new-> uid = old-> uid;
		795	new-> euid = old-> euid;
		796	new-> suid = old-> suid;
		797	new->fsuid = old->fsuid;
		798	new-> gid = old-> gid;
		799	new-> egid = old-> egid;
		800	new-> sgid = old-> sgid;
		801	new->fsgid = old->fsgid;
		802	new->user = get_uid(old->user);
		803	new->group_info = get_group_info(old->group_info);
		804
		805	new->securebits = old->securebits;
		806	new->cap_inheritable = old->cap_inheritable;
		807	new->cap_permitted = old->cap_permitted;
		808	new->cap_effective = old->cap_effective;
		809	new->cap_bset = old->cap_bset;
		810
		811	new->jit_keyring = old->jit_keyring;
		812	new->thread_keyring = key_get(old->thread_keyring);
		813	new->tgcred->tgid = old->tgcred->tgid;
		814	new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
		815
		816	security_transfer_creds(new, old);
		817
		818	commit_creds(new);
		819	}