diff options
-rw-r--r-- | security/keys/compat.c | 13 | ||||
-rw-r--r-- | security/keys/gc.c | 14 | ||||
-rw-r--r-- | security/keys/internal.h | 26 | ||||
-rw-r--r-- | security/keys/key.c | 240 | ||||
-rw-r--r-- | security/keys/keyctl.c | 278 | ||||
-rw-r--r-- | security/keys/keyring.c | 231 | ||||
-rw-r--r-- | security/keys/permission.c | 25 | ||||
-rw-r--r-- | security/keys/proc.c | 10 | ||||
-rw-r--r-- | security/keys/process_keys.c | 112 | ||||
-rw-r--r-- | security/keys/request_key.c | 164 | ||||
-rw-r--r-- | security/keys/request_key_auth.c | 30 |
11 files changed, 777 insertions, 366 deletions
diff --git a/security/keys/compat.c b/security/keys/compat.c index 3cedf6305179..07a5f35e3970 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* compat.c: 32-bit compatibility syscall for 64-bit systems | 1 | /* 32-bit compatibility syscall for 64-bit systems |
2 | * | 2 | * |
3 | * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -15,11 +15,12 @@ | |||
15 | #include "internal.h" | 15 | #include "internal.h" |
16 | 16 | ||
17 | /* | 17 | /* |
18 | * the key control system call, 32-bit compatibility version for 64-bit archs | 18 | * The key control system call, 32-bit compatibility version for 64-bit archs |
19 | * - this should only be called if the 64-bit arch uses weird pointers in | 19 | * |
20 | * 32-bit mode or doesn't guarantee that the top 32-bits of the argument | 20 | * This should only be called if the 64-bit arch uses weird pointers in 32-bit |
21 | * registers on taking a 32-bit syscall are zero | 21 | * mode or doesn't guarantee that the top 32-bits of the argument registers on |
22 | * - if you can, you should call sys_keyctl directly | 22 | * taking a 32-bit syscall are zero. If you can, you should call sys_keyctl() |
23 | * directly. | ||
23 | */ | 24 | */ |
24 | asmlinkage long compat_sys_keyctl(u32 option, | 25 | asmlinkage long compat_sys_keyctl(u32 option, |
25 | u32 arg2, u32 arg3, u32 arg4, u32 arg5) | 26 | u32 arg2, u32 arg3, u32 arg4, u32 arg5) |
diff --git a/security/keys/gc.c b/security/keys/gc.c index a46e825cbf02..89df6b5f203c 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c | |||
@@ -32,8 +32,8 @@ static time_t key_gc_next_run = LONG_MAX; | |||
32 | static time_t key_gc_new_timer; | 32 | static time_t key_gc_new_timer; |
33 | 33 | ||
34 | /* | 34 | /* |
35 | * Schedule a garbage collection run | 35 | * Schedule a garbage collection run. |
36 | * - precision isn't particularly important | 36 | * - time precision isn't particularly important |
37 | */ | 37 | */ |
38 | void key_schedule_gc(time_t gc_at) | 38 | void key_schedule_gc(time_t gc_at) |
39 | { | 39 | { |
@@ -61,8 +61,9 @@ static void key_gc_timer_func(unsigned long data) | |||
61 | } | 61 | } |
62 | 62 | ||
63 | /* | 63 | /* |
64 | * Garbage collect pointers from a keyring | 64 | * Garbage collect pointers from a keyring. |
65 | * - return true if we altered the keyring | 65 | * |
66 | * Return true if we altered the keyring. | ||
66 | */ | 67 | */ |
67 | static bool key_gc_keyring(struct key *keyring, time_t limit) | 68 | static bool key_gc_keyring(struct key *keyring, time_t limit) |
68 | __releases(key_serial_lock) | 69 | __releases(key_serial_lock) |
@@ -107,9 +108,8 @@ do_gc: | |||
107 | } | 108 | } |
108 | 109 | ||
109 | /* | 110 | /* |
110 | * Garbage collector for keys | 111 | * Garbage collector for keys. This involves scanning the keyrings for dead, |
111 | * - this involves scanning the keyrings for dead, expired and revoked keys | 112 | * expired and revoked keys that have overstayed their welcome |
112 | * that have overstayed their welcome | ||
113 | */ | 113 | */ |
114 | static void key_garbage_collector(struct work_struct *work) | 114 | static void key_garbage_collector(struct work_struct *work) |
115 | { | 115 | { |
diff --git a/security/keys/internal.h b/security/keys/internal.h index 56a133d8f37d..edfa50dbd6f5 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* internal.h: authentication token and access key management internal defs | 1 | /* Authentication token and access key management internal defs |
2 | * | 2 | * |
3 | * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -35,10 +35,12 @@ extern struct key_type key_type_user; | |||
35 | 35 | ||
36 | /*****************************************************************************/ | 36 | /*****************************************************************************/ |
37 | /* | 37 | /* |
38 | * keep track of keys for a user | 38 | * Keep track of keys for a user. |
39 | * - this needs to be separate to user_struct to avoid a refcount-loop | 39 | * |
40 | * (user_struct pins some keyrings which pin this struct) | 40 | * This needs to be separate to user_struct to avoid a refcount-loop |
41 | * - this also keeps track of keys under request from userspace for this UID | 41 | * (user_struct pins some keyrings which pin this struct). |
42 | * | ||
43 | * We also keep track of keys under request from userspace for this UID here. | ||
42 | */ | 44 | */ |
43 | struct key_user { | 45 | struct key_user { |
44 | struct rb_node node; | 46 | struct rb_node node; |
@@ -62,7 +64,7 @@ extern struct key_user *key_user_lookup(uid_t uid, | |||
62 | extern void key_user_put(struct key_user *user); | 64 | extern void key_user_put(struct key_user *user); |
63 | 65 | ||
64 | /* | 66 | /* |
65 | * key quota limits | 67 | * Key quota limits. |
66 | * - root has its own separate limits to everyone else | 68 | * - root has its own separate limits to everyone else |
67 | */ | 69 | */ |
68 | extern unsigned key_quota_root_maxkeys; | 70 | extern unsigned key_quota_root_maxkeys; |
@@ -146,13 +148,13 @@ extern unsigned key_gc_delay; | |||
146 | extern void keyring_gc(struct key *keyring, time_t limit); | 148 | extern void keyring_gc(struct key *keyring, time_t limit); |
147 | extern void key_schedule_gc(time_t expiry_at); | 149 | extern void key_schedule_gc(time_t expiry_at); |
148 | 150 | ||
149 | /* | ||
150 | * check to see whether permission is granted to use a key in the desired way | ||
151 | */ | ||
152 | extern int key_task_permission(const key_ref_t key_ref, | 151 | extern int key_task_permission(const key_ref_t key_ref, |
153 | const struct cred *cred, | 152 | const struct cred *cred, |
154 | key_perm_t perm); | 153 | key_perm_t perm); |
155 | 154 | ||
155 | /* | ||
156 | * Check to see whether permission is granted to use a key in the desired way. | ||
157 | */ | ||
156 | static inline int key_permission(const key_ref_t key_ref, key_perm_t perm) | 158 | static inline int key_permission(const key_ref_t key_ref, key_perm_t perm) |
157 | { | 159 | { |
158 | return key_task_permission(key_ref, current_cred(), perm); | 160 | return key_task_permission(key_ref, current_cred(), perm); |
@@ -168,7 +170,7 @@ static inline int key_permission(const key_ref_t key_ref, key_perm_t perm) | |||
168 | #define KEY_ALL 0x3f /* all the above permissions */ | 170 | #define KEY_ALL 0x3f /* all the above permissions */ |
169 | 171 | ||
170 | /* | 172 | /* |
171 | * request_key authorisation | 173 | * Authorisation record for request_key(). |
172 | */ | 174 | */ |
173 | struct request_key_auth { | 175 | struct request_key_auth { |
174 | struct key *target_key; | 176 | struct key *target_key; |
@@ -188,7 +190,7 @@ extern struct key *request_key_auth_new(struct key *target, | |||
188 | extern struct key *key_get_instantiation_authkey(key_serial_t target_id); | 190 | extern struct key *key_get_instantiation_authkey(key_serial_t target_id); |
189 | 191 | ||
190 | /* | 192 | /* |
191 | * keyctl functions | 193 | * keyctl() functions |
192 | */ | 194 | */ |
193 | extern long keyctl_get_keyring_ID(key_serial_t, int); | 195 | extern long keyctl_get_keyring_ID(key_serial_t, int); |
194 | extern long keyctl_join_session_keyring(const char __user *); | 196 | extern long keyctl_join_session_keyring(const char __user *); |
@@ -214,7 +216,7 @@ extern long keyctl_get_security(key_serial_t keyid, char __user *buffer, | |||
214 | extern long keyctl_session_to_parent(void); | 216 | extern long keyctl_session_to_parent(void); |
215 | 217 | ||
216 | /* | 218 | /* |
217 | * debugging key validation | 219 | * Debugging key validation |
218 | */ | 220 | */ |
219 | #ifdef KEY_DEBUGGING | 221 | #ifdef KEY_DEBUGGING |
220 | extern void __key_check(const struct key *); | 222 | extern void __key_check(const struct key *); |
diff --git a/security/keys/key.c b/security/keys/key.c index 3a92d7365870..84d4eb568b08 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
@@ -39,10 +39,10 @@ static DECLARE_RWSEM(key_types_sem); | |||
39 | static void key_cleanup(struct work_struct *work); | 39 | static void key_cleanup(struct work_struct *work); |
40 | static DECLARE_WORK(key_cleanup_task, key_cleanup); | 40 | static DECLARE_WORK(key_cleanup_task, key_cleanup); |
41 | 41 | ||
42 | /* we serialise key instantiation and link */ | 42 | /* We serialise key instantiation and link */ |
43 | DEFINE_MUTEX(key_construction_mutex); | 43 | DEFINE_MUTEX(key_construction_mutex); |
44 | 44 | ||
45 | /* any key who's type gets unegistered will be re-typed to this */ | 45 | /* Any key who's type gets unegistered will be re-typed to this */ |
46 | static struct key_type key_type_dead = { | 46 | static struct key_type key_type_dead = { |
47 | .name = "dead", | 47 | .name = "dead", |
48 | }; | 48 | }; |
@@ -57,8 +57,8 @@ void __key_check(const struct key *key) | |||
57 | #endif | 57 | #endif |
58 | 58 | ||
59 | /* | 59 | /* |
60 | * get the key quota record for a user, allocating a new record if one doesn't | 60 | * Get the key quota record for a user, allocating a new record if one doesn't |
61 | * already exist | 61 | * already exist. |
62 | */ | 62 | */ |
63 | struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) | 63 | struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) |
64 | { | 64 | { |
@@ -66,7 +66,7 @@ struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) | |||
66 | struct rb_node *parent = NULL; | 66 | struct rb_node *parent = NULL; |
67 | struct rb_node **p; | 67 | struct rb_node **p; |
68 | 68 | ||
69 | try_again: | 69 | try_again: |
70 | p = &key_user_tree.rb_node; | 70 | p = &key_user_tree.rb_node; |
71 | spin_lock(&key_user_lock); | 71 | spin_lock(&key_user_lock); |
72 | 72 | ||
@@ -123,16 +123,16 @@ struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) | |||
123 | goto out; | 123 | goto out; |
124 | 124 | ||
125 | /* okay - we found a user record for this UID */ | 125 | /* okay - we found a user record for this UID */ |
126 | found: | 126 | found: |
127 | atomic_inc(&user->usage); | 127 | atomic_inc(&user->usage); |
128 | spin_unlock(&key_user_lock); | 128 | spin_unlock(&key_user_lock); |
129 | kfree(candidate); | 129 | kfree(candidate); |
130 | out: | 130 | out: |
131 | return user; | 131 | return user; |
132 | } | 132 | } |
133 | 133 | ||
134 | /* | 134 | /* |
135 | * dispose of a user structure | 135 | * Dispose of a user structure |
136 | */ | 136 | */ |
137 | void key_user_put(struct key_user *user) | 137 | void key_user_put(struct key_user *user) |
138 | { | 138 | { |
@@ -146,9 +146,8 @@ void key_user_put(struct key_user *user) | |||
146 | } | 146 | } |
147 | 147 | ||
148 | /* | 148 | /* |
149 | * assign a key the next unique serial number | 149 | * Allocate a serial number for a key. These are assigned randomly to avoid |
150 | * - these are assigned randomly to avoid security issues through covert | 150 | * security issues through covert channel problems. |
151 | * channel problems | ||
152 | */ | 151 | */ |
153 | static inline void key_alloc_serial(struct key *key) | 152 | static inline void key_alloc_serial(struct key *key) |
154 | { | 153 | { |
@@ -208,14 +207,34 @@ serial_exists: | |||
208 | } | 207 | } |
209 | } | 208 | } |
210 | 209 | ||
211 | /* | 210 | /** |
212 | * allocate a key of the specified type | 211 | * key_alloc - Allocate a key of the specified type. |
213 | * - update the user's quota to reflect the existence of the key | 212 | * @type: The type of key to allocate. |
214 | * - called from a key-type operation with key_types_sem read-locked by | 213 | * @desc: The key description to allow the key to be searched out. |
215 | * key_create_or_update() | 214 | * @uid: The owner of the new key. |
216 | * - this prevents unregistration of the key type | 215 | * @gid: The group ID for the new key's group permissions. |
217 | * - upon return the key is as yet uninstantiated; the caller needs to either | 216 | * @cred: The credentials specifying UID namespace. |
218 | * instantiate the key or discard it before returning | 217 | * @perm: The permissions mask of the new key. |
218 | * @flags: Flags specifying quota properties. | ||
219 | * | ||
220 | * Allocate a key of the specified type with the attributes given. The key is | ||
221 | * returned in an uninstantiated state and the caller needs to instantiate the | ||
222 | * key before returning. | ||
223 | * | ||
224 | * The user's key count quota is updated to reflect the creation of the key and | ||
225 | * the user's key data quota has the default for the key type reserved. The | ||
226 | * instantiation function should amend this as necessary. If insufficient | ||
227 | * quota is available, -EDQUOT will be returned. | ||
228 | * | ||
229 | * The LSM security modules can prevent a key being created, in which case | ||
230 | * -EACCES will be returned. | ||
231 | * | ||
232 | * Returns a pointer to the new key if successful and an error code otherwise. | ||
233 | * | ||
234 | * Note that the caller needs to ensure the key type isn't uninstantiated. | ||
235 | * Internally this can be done by locking key_types_sem. Externally, this can | ||
236 | * be done by either never unregistering the key type, or making sure | ||
237 | * key_alloc() calls don't race with module unloading. | ||
219 | */ | 238 | */ |
220 | struct key *key_alloc(struct key_type *type, const char *desc, | 239 | struct key *key_alloc(struct key_type *type, const char *desc, |
221 | uid_t uid, gid_t gid, const struct cred *cred, | 240 | uid_t uid, gid_t gid, const struct cred *cred, |
@@ -338,11 +357,18 @@ no_quota: | |||
338 | key = ERR_PTR(-EDQUOT); | 357 | key = ERR_PTR(-EDQUOT); |
339 | goto error; | 358 | goto error; |
340 | } | 359 | } |
341 | |||
342 | EXPORT_SYMBOL(key_alloc); | 360 | EXPORT_SYMBOL(key_alloc); |
343 | 361 | ||
344 | /* | 362 | /** |
345 | * reserve an amount of quota for the key's payload | 363 | * key_payload_reserve - Adjust data quota reservation for the key's payload |
364 | * @key: The key to make the reservation for. | ||
365 | * @datalen: The amount of data payload the caller now wants. | ||
366 | * | ||
367 | * Adjust the amount of the owning user's key data quota that a key reserves. | ||
368 | * If the amount is increased, then -EDQUOT may be returned if there isn't | ||
369 | * enough free quota available. | ||
370 | * | ||
371 | * If successful, 0 is returned. | ||
346 | */ | 372 | */ |
347 | int key_payload_reserve(struct key *key, size_t datalen) | 373 | int key_payload_reserve(struct key *key, size_t datalen) |
348 | { | 374 | { |
@@ -376,12 +402,13 @@ int key_payload_reserve(struct key *key, size_t datalen) | |||
376 | 402 | ||
377 | return ret; | 403 | return ret; |
378 | } | 404 | } |
379 | |||
380 | EXPORT_SYMBOL(key_payload_reserve); | 405 | EXPORT_SYMBOL(key_payload_reserve); |
381 | 406 | ||
382 | /* | 407 | /* |
383 | * instantiate a key and link it into the target keyring atomically | 408 | * Instantiate a key and link it into the target keyring atomically. Must be |
384 | * - called with the target keyring's semaphore writelocked | 409 | * called with the target keyring's semaphore writelocked. The target key's |
410 | * semaphore need not be locked as instantiation is serialised by | ||
411 | * key_construction_mutex. | ||
385 | */ | 412 | */ |
386 | static int __key_instantiate_and_link(struct key *key, | 413 | static int __key_instantiate_and_link(struct key *key, |
387 | const void *data, | 414 | const void *data, |
@@ -432,8 +459,21 @@ static int __key_instantiate_and_link(struct key *key, | |||
432 | return ret; | 459 | return ret; |
433 | } | 460 | } |
434 | 461 | ||
435 | /* | 462 | /** |
436 | * instantiate a key and link it into the target keyring atomically | 463 | * key_instantiate_and_link - Instantiate a key and link it into the keyring. |
464 | * @key: The key to instantiate. | ||
465 | * @data: The data to use to instantiate the keyring. | ||
466 | * @datalen: The length of @data. | ||
467 | * @keyring: Keyring to create a link in on success (or NULL). | ||
468 | * @authkey: The authorisation token permitting instantiation. | ||
469 | * | ||
470 | * Instantiate a key that's in the uninstantiated state using the provided data | ||
471 | * and, if successful, link it in to the destination keyring if one is | ||
472 | * supplied. | ||
473 | * | ||
474 | * If successful, 0 is returned, the authorisation token is revoked and anyone | ||
475 | * waiting for the key is woken up. If the key was already instantiated, | ||
476 | * -EBUSY will be returned. | ||
437 | */ | 477 | */ |
438 | int key_instantiate_and_link(struct key *key, | 478 | int key_instantiate_and_link(struct key *key, |
439 | const void *data, | 479 | const void *data, |
@@ -462,8 +502,24 @@ int key_instantiate_and_link(struct key *key, | |||
462 | 502 | ||
463 | EXPORT_SYMBOL(key_instantiate_and_link); | 503 | EXPORT_SYMBOL(key_instantiate_and_link); |
464 | 504 | ||
465 | /* | 505 | /** |
466 | * negatively instantiate a key and link it into the target keyring atomically | 506 | * key_negate_and_link - Negatively instantiate a key and link it into the keyring. |
507 | * @key: The key to instantiate. | ||
508 | * @timeout: The timeout on the negative key. | ||
509 | * @keyring: Keyring to create a link in on success (or NULL). | ||
510 | * @authkey: The authorisation token permitting instantiation. | ||
511 | * | ||
512 | * Negatively instantiate a key that's in the uninstantiated state and, if | ||
513 | * successful, set its timeout and link it in to the destination keyring if one | ||
514 | * is supplied. The key and any links to the key will be automatically garbage | ||
515 | * collected after the timeout expires. | ||
516 | * | ||
517 | * Negative keys are used to rate limit repeated request_key() calls by causing | ||
518 | * them to return -ENOKEY until the negative key expires. | ||
519 | * | ||
520 | * If successful, 0 is returned, the authorisation token is revoked and anyone | ||
521 | * waiting for the key is woken up. If the key was already instantiated, | ||
522 | * -EBUSY will be returned. | ||
467 | */ | 523 | */ |
468 | int key_negate_and_link(struct key *key, | 524 | int key_negate_and_link(struct key *key, |
469 | unsigned timeout, | 525 | unsigned timeout, |
@@ -525,15 +581,18 @@ int key_negate_and_link(struct key *key, | |||
525 | EXPORT_SYMBOL(key_negate_and_link); | 581 | EXPORT_SYMBOL(key_negate_and_link); |
526 | 582 | ||
527 | /* | 583 | /* |
528 | * do cleaning up in process context so that we don't have to disable | 584 | * Garbage collect keys in process context so that we don't have to disable |
529 | * interrupts all over the place | 585 | * interrupts all over the place. |
586 | * | ||
587 | * key_put() schedules this rather than trying to do the cleanup itself, which | ||
588 | * means key_put() doesn't have to sleep. | ||
530 | */ | 589 | */ |
531 | static void key_cleanup(struct work_struct *work) | 590 | static void key_cleanup(struct work_struct *work) |
532 | { | 591 | { |
533 | struct rb_node *_n; | 592 | struct rb_node *_n; |
534 | struct key *key; | 593 | struct key *key; |
535 | 594 | ||
536 | go_again: | 595 | go_again: |
537 | /* look for a dead key in the tree */ | 596 | /* look for a dead key in the tree */ |
538 | spin_lock(&key_serial_lock); | 597 | spin_lock(&key_serial_lock); |
539 | 598 | ||
@@ -547,7 +606,7 @@ static void key_cleanup(struct work_struct *work) | |||
547 | spin_unlock(&key_serial_lock); | 606 | spin_unlock(&key_serial_lock); |
548 | return; | 607 | return; |
549 | 608 | ||
550 | found_dead_key: | 609 | found_dead_key: |
551 | /* we found a dead key - once we've removed it from the tree, we can | 610 | /* we found a dead key - once we've removed it from the tree, we can |
552 | * drop the lock */ | 611 | * drop the lock */ |
553 | rb_erase(&key->serial_node, &key_serial_tree); | 612 | rb_erase(&key->serial_node, &key_serial_tree); |
@@ -586,10 +645,13 @@ static void key_cleanup(struct work_struct *work) | |||
586 | goto go_again; | 645 | goto go_again; |
587 | } | 646 | } |
588 | 647 | ||
589 | /* | 648 | /** |
590 | * dispose of a reference to a key | 649 | * key_put - Discard a reference to a key. |
591 | * - when all the references are gone, we schedule the cleanup task to come and | 650 | * @key: The key to discard a reference from. |
592 | * pull it out of the tree in definite process context | 651 | * |
652 | * Discard a reference to a key, and when all the references are gone, we | ||
653 | * schedule the cleanup task to come and pull it out of the tree in process | ||
654 | * context at some later time. | ||
593 | */ | 655 | */ |
594 | void key_put(struct key *key) | 656 | void key_put(struct key *key) |
595 | { | 657 | { |
@@ -600,11 +662,10 @@ void key_put(struct key *key) | |||
600 | schedule_work(&key_cleanup_task); | 662 | schedule_work(&key_cleanup_task); |
601 | } | 663 | } |
602 | } | 664 | } |
603 | |||
604 | EXPORT_SYMBOL(key_put); | 665 | EXPORT_SYMBOL(key_put); |
605 | 666 | ||
606 | /* | 667 | /* |
607 | * find a key by its serial number | 668 | * Find a key by its serial number. |
608 | */ | 669 | */ |
609 | struct key *key_lookup(key_serial_t id) | 670 | struct key *key_lookup(key_serial_t id) |
610 | { | 671 | { |
@@ -626,11 +687,11 @@ struct key *key_lookup(key_serial_t id) | |||
626 | goto found; | 687 | goto found; |
627 | } | 688 | } |
628 | 689 | ||
629 | not_found: | 690 | not_found: |
630 | key = ERR_PTR(-ENOKEY); | 691 | key = ERR_PTR(-ENOKEY); |
631 | goto error; | 692 | goto error; |
632 | 693 | ||
633 | found: | 694 | found: |
634 | /* pretend it doesn't exist if it is awaiting deletion */ | 695 | /* pretend it doesn't exist if it is awaiting deletion */ |
635 | if (atomic_read(&key->usage) == 0) | 696 | if (atomic_read(&key->usage) == 0) |
636 | goto not_found; | 697 | goto not_found; |
@@ -640,14 +701,16 @@ struct key *key_lookup(key_serial_t id) | |||
640 | */ | 701 | */ |
641 | atomic_inc(&key->usage); | 702 | atomic_inc(&key->usage); |
642 | 703 | ||
643 | error: | 704 | error: |
644 | spin_unlock(&key_serial_lock); | 705 | spin_unlock(&key_serial_lock); |
645 | return key; | 706 | return key; |
646 | } | 707 | } |
647 | 708 | ||
648 | /* | 709 | /* |
649 | * find and lock the specified key type against removal | 710 | * Find and lock the specified key type against removal. |
650 | * - we return with the sem readlocked | 711 | * |
712 | * We return with the sem read-locked if successful. If the type wasn't | ||
713 | * available -ENOKEY is returned instead. | ||
651 | */ | 714 | */ |
652 | struct key_type *key_type_lookup(const char *type) | 715 | struct key_type *key_type_lookup(const char *type) |
653 | { | 716 | { |
@@ -665,12 +728,12 @@ struct key_type *key_type_lookup(const char *type) | |||
665 | up_read(&key_types_sem); | 728 | up_read(&key_types_sem); |
666 | ktype = ERR_PTR(-ENOKEY); | 729 | ktype = ERR_PTR(-ENOKEY); |
667 | 730 | ||
668 | found_kernel_type: | 731 | found_kernel_type: |
669 | return ktype; | 732 | return ktype; |
670 | } | 733 | } |
671 | 734 | ||
672 | /* | 735 | /* |
673 | * unlock a key type | 736 | * Unlock a key type locked by key_type_lookup(). |
674 | */ | 737 | */ |
675 | void key_type_put(struct key_type *ktype) | 738 | void key_type_put(struct key_type *ktype) |
676 | { | 739 | { |
@@ -678,9 +741,10 @@ void key_type_put(struct key_type *ktype) | |||
678 | } | 741 | } |
679 | 742 | ||
680 | /* | 743 | /* |
681 | * attempt to update an existing key | 744 | * Attempt to update an existing key. |
682 | * - the key has an incremented refcount | 745 | * |
683 | * - we need to put the key if we get an error | 746 | * The key is given to us with an incremented refcount that we need to discard |
747 | * if we get an error. | ||
684 | */ | 748 | */ |
685 | static inline key_ref_t __key_update(key_ref_t key_ref, | 749 | static inline key_ref_t __key_update(key_ref_t key_ref, |
686 | const void *payload, size_t plen) | 750 | const void *payload, size_t plen) |
@@ -717,9 +781,30 @@ error: | |||
717 | goto out; | 781 | goto out; |
718 | } | 782 | } |
719 | 783 | ||
720 | /* | 784 | /** |
721 | * search the specified keyring for a key of the same description; if one is | 785 | * key_create_or_update - Update or create and instantiate a key. |
722 | * found, update it, otherwise add a new one | 786 | * @keyring_ref: A pointer to the destination keyring with possession flag. |
787 | * @type: The type of key. | ||
788 | * @description: The searchable description for the key. | ||
789 | * @payload: The data to use to instantiate or update the key. | ||
790 | * @plen: The length of @payload. | ||
791 | * @perm: The permissions mask for a new key. | ||
792 | * @flags: The quota flags for a new key. | ||
793 | * | ||
794 | * Search the destination keyring for a key of the same description and if one | ||
795 | * is found, update it, otherwise create and instantiate a new one and create a | ||
796 | * link to it from that keyring. | ||
797 | * | ||
798 | * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be | ||
799 | * concocted. | ||
800 | * | ||
801 | * Returns a pointer to the new key if successful, -ENODEV if the key type | ||
802 | * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the | ||
803 | * caller isn't permitted to modify the keyring or the LSM did not permit | ||
804 | * creation of the key. | ||
805 | * | ||
806 | * On success, the possession flag from the keyring ref will be tacked on to | ||
807 | * the key ref before it is returned. | ||
723 | */ | 808 | */ |
724 | key_ref_t key_create_or_update(key_ref_t keyring_ref, | 809 | key_ref_t key_create_or_update(key_ref_t keyring_ref, |
725 | const char *type, | 810 | const char *type, |
@@ -827,11 +912,20 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, | |||
827 | key_ref = __key_update(key_ref, payload, plen); | 912 | key_ref = __key_update(key_ref, payload, plen); |
828 | goto error; | 913 | goto error; |
829 | } | 914 | } |
830 | |||
831 | EXPORT_SYMBOL(key_create_or_update); | 915 | EXPORT_SYMBOL(key_create_or_update); |
832 | 916 | ||
833 | /* | 917 | /** |
834 | * update a key | 918 | * key_update - Update a key's contents. |
919 | * @key_ref: The pointer (plus possession flag) to the key. | ||
920 | * @payload: The data to be used to update the key. | ||
921 | * @plen: The length of @payload. | ||
922 | * | ||
923 | * Attempt to update the contents of a key with the given payload data. The | ||
924 | * caller must be granted Write permission on the key. Negative keys can be | ||
925 | * instantiated by this method. | ||
926 | * | ||
927 | * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key | ||
928 | * type does not support updating. The key type may return other errors. | ||
835 | */ | 929 | */ |
836 | int key_update(key_ref_t key_ref, const void *payload, size_t plen) | 930 | int key_update(key_ref_t key_ref, const void *payload, size_t plen) |
837 | { | 931 | { |
@@ -861,11 +955,16 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) | |||
861 | error: | 955 | error: |
862 | return ret; | 956 | return ret; |
863 | } | 957 | } |
864 | |||
865 | EXPORT_SYMBOL(key_update); | 958 | EXPORT_SYMBOL(key_update); |
866 | 959 | ||
867 | /* | 960 | /** |
868 | * revoke a key | 961 | * key_revoke - Revoke a key. |
962 | * @key: The key to be revoked. | ||
963 | * | ||
964 | * Mark a key as being revoked and ask the type to free up its resources. The | ||
965 | * revocation timeout is set and the key and all its links will be | ||
966 | * automatically garbage collected after key_gc_delay amount of time if they | ||
967 | * are not manually dealt with first. | ||
869 | */ | 968 | */ |
870 | void key_revoke(struct key *key) | 969 | void key_revoke(struct key *key) |
871 | { | 970 | { |
@@ -894,11 +993,15 @@ void key_revoke(struct key *key) | |||
894 | 993 | ||
895 | up_write(&key->sem); | 994 | up_write(&key->sem); |
896 | } | 995 | } |
897 | |||
898 | EXPORT_SYMBOL(key_revoke); | 996 | EXPORT_SYMBOL(key_revoke); |
899 | 997 | ||
900 | /* | 998 | /** |
901 | * register a type of key | 999 | * register_key_type - Register a type of key. |
1000 | * @ktype: The new key type. | ||
1001 | * | ||
1002 | * Register a new key type. | ||
1003 | * | ||
1004 | * Returns 0 on success or -EEXIST if a type of this name already exists. | ||
902 | */ | 1005 | */ |
903 | int register_key_type(struct key_type *ktype) | 1006 | int register_key_type(struct key_type *ktype) |
904 | { | 1007 | { |
@@ -918,15 +1021,19 @@ int register_key_type(struct key_type *ktype) | |||
918 | list_add(&ktype->link, &key_types_list); | 1021 | list_add(&ktype->link, &key_types_list); |
919 | ret = 0; | 1022 | ret = 0; |
920 | 1023 | ||
921 | out: | 1024 | out: |
922 | up_write(&key_types_sem); | 1025 | up_write(&key_types_sem); |
923 | return ret; | 1026 | return ret; |
924 | } | 1027 | } |
925 | |||
926 | EXPORT_SYMBOL(register_key_type); | 1028 | EXPORT_SYMBOL(register_key_type); |
927 | 1029 | ||
928 | /* | 1030 | /** |
929 | * unregister a type of key | 1031 | * unregister_key_type - Unregister a type of key. |
1032 | * @ktype: The key type. | ||
1033 | * | ||
1034 | * Unregister a key type and mark all the extant keys of this type as dead. | ||
1035 | * Those keys of this type are then destroyed to get rid of their payloads and | ||
1036 | * they and their links will be garbage collected as soon as possible. | ||
930 | */ | 1037 | */ |
931 | void unregister_key_type(struct key_type *ktype) | 1038 | void unregister_key_type(struct key_type *ktype) |
932 | { | 1039 | { |
@@ -974,11 +1081,10 @@ void unregister_key_type(struct key_type *ktype) | |||
974 | 1081 | ||
975 | key_schedule_gc(0); | 1082 | key_schedule_gc(0); |
976 | } | 1083 | } |
977 | |||
978 | EXPORT_SYMBOL(unregister_key_type); | 1084 | EXPORT_SYMBOL(unregister_key_type); |
979 | 1085 | ||
980 | /* | 1086 | /* |
981 | * initialise the key management stuff | 1087 | * Initialise the key management state. |
982 | */ | 1088 | */ |
983 | void __init key_init(void) | 1089 | void __init key_init(void) |
984 | { | 1090 | { |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 83ec98b7e98d..31a0fd8189f1 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* keyctl.c: userspace keyctl operations | 1 | /* Userspace key control operations |
2 | * | 2 | * |
3 | * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -31,27 +31,24 @@ static int key_get_type_from_user(char *type, | |||
31 | int ret; | 31 | int ret; |
32 | 32 | ||
33 | ret = strncpy_from_user(type, _type, len); | 33 | ret = strncpy_from_user(type, _type, len); |
34 | |||
35 | if (ret < 0) | 34 | if (ret < 0) |
36 | return ret; | 35 | return ret; |
37 | |||
38 | if (ret == 0 || ret >= len) | 36 | if (ret == 0 || ret >= len) |
39 | return -EINVAL; | 37 | return -EINVAL; |
40 | |||
41 | if (type[0] == '.') | 38 | if (type[0] == '.') |
42 | return -EPERM; | 39 | return -EPERM; |
43 | |||
44 | type[len - 1] = '\0'; | 40 | type[len - 1] = '\0'; |
45 | |||
46 | return 0; | 41 | return 0; |
47 | } | 42 | } |
48 | 43 | ||
49 | /* | 44 | /* |
50 | * extract the description of a new key from userspace and either add it as a | 45 | * Extract the description of a new key from userspace and either add it as a |
51 | * new key to the specified keyring or update a matching key in that keyring | 46 | * new key to the specified keyring or update a matching key in that keyring. |
52 | * - the keyring must be writable | 47 | * |
53 | * - returns the new key's serial number | 48 | * The keyring must be writable so that we can attach the key to it. |
54 | * - implements add_key() | 49 | * |
50 | * If successful, the new key's serial number is returned, otherwise an error | ||
51 | * code is returned. | ||
55 | */ | 52 | */ |
56 | SYSCALL_DEFINE5(add_key, const char __user *, _type, | 53 | SYSCALL_DEFINE5(add_key, const char __user *, _type, |
57 | const char __user *, _description, | 54 | const char __user *, _description, |
@@ -134,14 +131,17 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, | |||
134 | } | 131 | } |
135 | 132 | ||
136 | /* | 133 | /* |
137 | * search the process keyrings for a matching key | 134 | * Search the process keyrings and keyring trees linked from those for a |
138 | * - nested keyrings may also be searched if they have Search permission | 135 | * matching key. Keyrings must have appropriate Search permission to be |
139 | * - if a key is found, it will be attached to the destination keyring if | 136 | * searched. |
140 | * there's one specified | 137 | * |
141 | * - /sbin/request-key will be invoked if _callout_info is non-NULL | 138 | * If a key is found, it will be attached to the destination keyring if there's |
142 | * - the _callout_info string will be passed to /sbin/request-key | 139 | * one specified and the serial number of the key will be returned. |
143 | * - if the _callout_info string is empty, it will be rendered as "-" | 140 | * |
144 | * - implements request_key() | 141 | * If no key is found, /sbin/request-key will be invoked if _callout_info is |
142 | * non-NULL in an attempt to create a key. The _callout_info string will be | ||
143 | * passed to /sbin/request-key to aid with completing the request. If the | ||
144 | * _callout_info string is "" then it will be changed to "-". | ||
145 | */ | 145 | */ |
146 | SYSCALL_DEFINE4(request_key, const char __user *, _type, | 146 | SYSCALL_DEFINE4(request_key, const char __user *, _type, |
147 | const char __user *, _description, | 147 | const char __user *, _description, |
@@ -222,9 +222,11 @@ error: | |||
222 | } | 222 | } |
223 | 223 | ||
224 | /* | 224 | /* |
225 | * get the ID of the specified process keyring | 225 | * Get the ID of the specified process keyring. |
226 | * - the keyring must have search permission to be found | 226 | * |
227 | * - implements keyctl(KEYCTL_GET_KEYRING_ID) | 227 | * The requested keyring must have search permission to be found. |
228 | * | ||
229 | * If successful, the ID of the requested keyring will be returned. | ||
228 | */ | 230 | */ |
229 | long keyctl_get_keyring_ID(key_serial_t id, int create) | 231 | long keyctl_get_keyring_ID(key_serial_t id, int create) |
230 | { | 232 | { |
@@ -243,12 +245,17 @@ long keyctl_get_keyring_ID(key_serial_t id, int create) | |||
243 | key_ref_put(key_ref); | 245 | key_ref_put(key_ref); |
244 | error: | 246 | error: |
245 | return ret; | 247 | return ret; |
246 | 248 | } | |
247 | } /* end keyctl_get_keyring_ID() */ | ||
248 | 249 | ||
249 | /* | 250 | /* |
250 | * join the session keyring | 251 | * Join a (named) session keyring. |
251 | * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) | 252 | * |
253 | * Create and join an anonymous session keyring or join a named session | ||
254 | * keyring, creating it if necessary. A named session keyring must have Search | ||
255 | * permission for it to be joined. Session keyrings without this permit will | ||
256 | * be skipped over. | ||
257 | * | ||
258 | * If successful, the ID of the joined session keyring will be returned. | ||
252 | */ | 259 | */ |
253 | long keyctl_join_session_keyring(const char __user *_name) | 260 | long keyctl_join_session_keyring(const char __user *_name) |
254 | { | 261 | { |
@@ -274,9 +281,14 @@ error: | |||
274 | } | 281 | } |
275 | 282 | ||
276 | /* | 283 | /* |
277 | * update a key's data payload | 284 | * Update a key's data payload from the given data. |
278 | * - the key must be writable | 285 | * |
279 | * - implements keyctl(KEYCTL_UPDATE) | 286 | * The key must grant the caller Write permission and the key type must support |
287 | * updating for this to work. A negative key can be positively instantiated | ||
288 | * with this call. | ||
289 | * | ||
290 | * If successful, 0 will be returned. If the key type does not support | ||
291 | * updating, then -EOPNOTSUPP will be returned. | ||
280 | */ | 292 | */ |
281 | long keyctl_update_key(key_serial_t id, | 293 | long keyctl_update_key(key_serial_t id, |
282 | const void __user *_payload, | 294 | const void __user *_payload, |
@@ -321,9 +333,14 @@ error: | |||
321 | } | 333 | } |
322 | 334 | ||
323 | /* | 335 | /* |
324 | * revoke a key | 336 | * Revoke a key. |
325 | * - the key must be writable | 337 | * |
326 | * - implements keyctl(KEYCTL_REVOKE) | 338 | * The key must be grant the caller Write or Setattr permission for this to |
339 | * work. The key type should give up its quota claim when revoked. The key | ||
340 | * and any links to the key will be automatically garbage collected after a | ||
341 | * certain amount of time (/proc/sys/kernel/keys/gc_delay). | ||
342 | * | ||
343 | * If successful, 0 is returned. | ||
327 | */ | 344 | */ |
328 | long keyctl_revoke_key(key_serial_t id) | 345 | long keyctl_revoke_key(key_serial_t id) |
329 | { | 346 | { |
@@ -351,9 +368,11 @@ error: | |||
351 | } | 368 | } |
352 | 369 | ||
353 | /* | 370 | /* |
354 | * clear the specified process keyring | 371 | * Clear the specified keyring, creating an empty process keyring if one of the |
355 | * - the keyring must be writable | 372 | * special keyring IDs is used. |
356 | * - implements keyctl(KEYCTL_CLEAR) | 373 | * |
374 | * The keyring must grant the caller Write permission for this to work. If | ||
375 | * successful, 0 will be returned. | ||
357 | */ | 376 | */ |
358 | long keyctl_keyring_clear(key_serial_t ringid) | 377 | long keyctl_keyring_clear(key_serial_t ringid) |
359 | { | 378 | { |
@@ -374,10 +393,15 @@ error: | |||
374 | } | 393 | } |
375 | 394 | ||
376 | /* | 395 | /* |
377 | * link a key into a keyring | 396 | * Create a link from a keyring to a key if there's no matching key in the |
378 | * - the keyring must be writable | 397 | * keyring, otherwise replace the link to the matching key with a link to the |
379 | * - the key must be linkable | 398 | * new key. |
380 | * - implements keyctl(KEYCTL_LINK) | 399 | * |
400 | * The key must grant the caller Link permission and the the keyring must grant | ||
401 | * the caller Write permission. Furthermore, if an additional link is created, | ||
402 | * the keyring's quota will be extended. | ||
403 | * | ||
404 | * If successful, 0 will be returned. | ||
381 | */ | 405 | */ |
382 | long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) | 406 | long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) |
383 | { | 407 | { |
@@ -406,10 +430,13 @@ error: | |||
406 | } | 430 | } |
407 | 431 | ||
408 | /* | 432 | /* |
409 | * unlink the first attachment of a key from a keyring | 433 | * Unlink a key from a keyring. |
410 | * - the keyring must be writable | 434 | * |
411 | * - we don't need any permissions on the key | 435 | * The keyring must grant the caller Write permission for this to work; the key |
412 | * - implements keyctl(KEYCTL_UNLINK) | 436 | * itself need not grant the caller anything. If the last link to a key is |
437 | * removed then that key will be scheduled for destruction. | ||
438 | * | ||
439 | * If successful, 0 will be returned. | ||
413 | */ | 440 | */ |
414 | long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) | 441 | long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) |
415 | { | 442 | { |
@@ -438,14 +465,17 @@ error: | |||
438 | } | 465 | } |
439 | 466 | ||
440 | /* | 467 | /* |
441 | * describe a user key | 468 | * Return a description of a key to userspace. |
442 | * - the key must have view permission | 469 | * |
443 | * - if there's a buffer, we place up to buflen bytes of data into it | 470 | * The key must grant the caller View permission for this to work. |
444 | * - unless there's an error, we return the amount of description available, | 471 | * |
445 | * irrespective of how much we may have copied | 472 | * If there's a buffer, we place up to buflen bytes of data into it formatted |
446 | * - the description is formatted thus: | 473 | * in the following way: |
474 | * | ||
447 | * type;uid;gid;perm;description<NUL> | 475 | * type;uid;gid;perm;description<NUL> |
448 | * - implements keyctl(KEYCTL_DESCRIBE) | 476 | * |
477 | * If successful, we return the amount of description available, irrespective | ||
478 | * of how much we may have copied into the buffer. | ||
449 | */ | 479 | */ |
450 | long keyctl_describe_key(key_serial_t keyid, | 480 | long keyctl_describe_key(key_serial_t keyid, |
451 | char __user *buffer, | 481 | char __user *buffer, |
@@ -516,13 +546,14 @@ error: | |||
516 | } | 546 | } |
517 | 547 | ||
518 | /* | 548 | /* |
519 | * search the specified keyring for a matching key | 549 | * Search the specified keyring and any keyrings it links to for a matching |
520 | * - the start keyring must be searchable | 550 | * key. Only keyrings that grant the caller Search permission will be searched |
521 | * - nested keyrings may also be searched if they are searchable | 551 | * (this includes the starting keyring). Only keys with Search permission can |
522 | * - only keys with search permission may be found | 552 | * be found. |
523 | * - if a key is found, it will be attached to the destination keyring if | 553 | * |
524 | * there's one specified | 554 | * If successful, the found key will be linked to the destination keyring if |
525 | * - implements keyctl(KEYCTL_SEARCH) | 555 | * supplied and the key has Link permission, and the found key ID will be |
556 | * returned. | ||
526 | */ | 557 | */ |
527 | long keyctl_keyring_search(key_serial_t ringid, | 558 | long keyctl_keyring_search(key_serial_t ringid, |
528 | const char __user *_type, | 559 | const char __user *_type, |
@@ -609,13 +640,14 @@ error: | |||
609 | } | 640 | } |
610 | 641 | ||
611 | /* | 642 | /* |
612 | * read a user key's payload | 643 | * Read a key's payload. |
613 | * - the keyring must be readable or the key must be searchable from the | 644 | * |
614 | * process's keyrings | 645 | * The key must either grant the caller Read permission, or it must grant the |
615 | * - if there's a buffer, we place up to buflen bytes of data into it | 646 | * caller Search permission when searched for from the process keyrings. |
616 | * - unless there's an error, we return the amount of data in the key, | 647 | * |
617 | * irrespective of how much we may have copied | 648 | * If successful, we place up to buflen bytes of data into the buffer, if one |
618 | * - implements keyctl(KEYCTL_READ) | 649 | * is provided, and return the amount of data that is available in the key, |
650 | * irrespective of how much we copied into the buffer. | ||
619 | */ | 651 | */ |
620 | long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) | 652 | long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) |
621 | { | 653 | { |
@@ -669,10 +701,19 @@ error: | |||
669 | } | 701 | } |
670 | 702 | ||
671 | /* | 703 | /* |
672 | * change the ownership of a key | 704 | * Change the ownership of a key |
673 | * - the keyring owned by the changer | 705 | * |
674 | * - if the uid or gid is -1, then that parameter is not changed | 706 | * The key must grant the caller Setattr permission for this to work, though |
675 | * - implements keyctl(KEYCTL_CHOWN) | 707 | * the key need not be fully instantiated yet. For the UID to be changed, or |
708 | * for the GID to be changed to a group the caller is not a member of, the | ||
709 | * caller must have sysadmin capability. If either uid or gid is -1 then that | ||
710 | * attribute is not changed. | ||
711 | * | ||
712 | * If the UID is to be changed, the new user must have sufficient quota to | ||
713 | * accept the key. The quota deduction will be removed from the old user to | ||
714 | * the new user should the attribute be changed. | ||
715 | * | ||
716 | * If successful, 0 will be returned. | ||
676 | */ | 717 | */ |
677 | long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) | 718 | long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) |
678 | { | 719 | { |
@@ -775,9 +816,11 @@ quota_overrun: | |||
775 | } | 816 | } |
776 | 817 | ||
777 | /* | 818 | /* |
778 | * change the permission mask on a key | 819 | * Change the permission mask on a key. |
779 | * - the keyring owned by the changer | 820 | * |
780 | * - implements keyctl(KEYCTL_SETPERM) | 821 | * The key must grant the caller Setattr permission for this to work, though |
822 | * the key need not be fully instantiated yet. If the caller does not have | ||
823 | * sysadmin capability, it may only change the permission on keys that it owns. | ||
781 | */ | 824 | */ |
782 | long keyctl_setperm_key(key_serial_t id, key_perm_t perm) | 825 | long keyctl_setperm_key(key_serial_t id, key_perm_t perm) |
783 | { | 826 | { |
@@ -815,7 +858,8 @@ error: | |||
815 | } | 858 | } |
816 | 859 | ||
817 | /* | 860 | /* |
818 | * get the destination keyring for instantiation | 861 | * Get the destination keyring for instantiation and check that the caller has |
862 | * Write permission on it. | ||
819 | */ | 863 | */ |
820 | static long get_instantiation_keyring(key_serial_t ringid, | 864 | static long get_instantiation_keyring(key_serial_t ringid, |
821 | struct request_key_auth *rka, | 865 | struct request_key_auth *rka, |
@@ -852,7 +896,7 @@ static long get_instantiation_keyring(key_serial_t ringid, | |||
852 | } | 896 | } |
853 | 897 | ||
854 | /* | 898 | /* |
855 | * change the request_key authorisation key on the current process | 899 | * Change the request_key authorisation key on the current process. |
856 | */ | 900 | */ |
857 | static int keyctl_change_reqkey_auth(struct key *key) | 901 | static int keyctl_change_reqkey_auth(struct key *key) |
858 | { | 902 | { |
@@ -869,8 +913,13 @@ static int keyctl_change_reqkey_auth(struct key *key) | |||
869 | } | 913 | } |
870 | 914 | ||
871 | /* | 915 | /* |
872 | * instantiate the key with the specified payload, and, if one is given, link | 916 | * Instantiate a key with the specified payload and link the key into the |
873 | * the key into the keyring | 917 | * destination keyring if one is given. |
918 | * | ||
919 | * The caller must have the appropriate instantiation permit set for this to | ||
920 | * work (see keyctl_assume_authority). No other permissions are required. | ||
921 | * | ||
922 | * If successful, 0 will be returned. | ||
874 | */ | 923 | */ |
875 | long keyctl_instantiate_key(key_serial_t id, | 924 | long keyctl_instantiate_key(key_serial_t id, |
876 | const void __user *_payload, | 925 | const void __user *_payload, |
@@ -948,8 +997,19 @@ error: | |||
948 | } | 997 | } |
949 | 998 | ||
950 | /* | 999 | /* |
951 | * negatively instantiate the key with the given timeout (in seconds), and, if | 1000 | * Negatively instantiate the key with the given timeout (in seconds) and link |
952 | * one is given, link the key into the keyring | 1001 | * the key into the destination keyring if one is given. |
1002 | * | ||
1003 | * The caller must have the appropriate instantiation permit set for this to | ||
1004 | * work (see keyctl_assume_authority). No other permissions are required. | ||
1005 | * | ||
1006 | * The key and any links to the key will be automatically garbage collected | ||
1007 | * after the timeout expires. | ||
1008 | * | ||
1009 | * Negative keys are used to rate limit repeated request_key() calls by causing | ||
1010 | * them to return -ENOKEY until the negative key expires. | ||
1011 | * | ||
1012 | * If successful, 0 will be returned. | ||
953 | */ | 1013 | */ |
954 | long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | 1014 | long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) |
955 | { | 1015 | { |
@@ -993,8 +1053,11 @@ error: | |||
993 | } | 1053 | } |
994 | 1054 | ||
995 | /* | 1055 | /* |
996 | * set the default keyring in which request_key() will cache keys | 1056 | * Read or set the default keyring in which request_key() will cache keys and |
997 | * - return the old setting | 1057 | * return the old setting. |
1058 | * | ||
1059 | * If a process keyring is specified then this will be created if it doesn't | ||
1060 | * yet exist. The old setting will be returned if successful. | ||
998 | */ | 1061 | */ |
999 | long keyctl_set_reqkey_keyring(int reqkey_defl) | 1062 | long keyctl_set_reqkey_keyring(int reqkey_defl) |
1000 | { | 1063 | { |
@@ -1050,7 +1113,16 @@ error: | |||
1050 | } | 1113 | } |
1051 | 1114 | ||
1052 | /* | 1115 | /* |
1053 | * set or clear the timeout for a key | 1116 | * Set or clear the timeout on a key. |
1117 | * | ||
1118 | * Either the key must grant the caller Setattr permission or else the caller | ||
1119 | * must hold an instantiation authorisation token for the key. | ||
1120 | * | ||
1121 | * The timeout is either 0 to clear the timeout, or a number of seconds from | ||
1122 | * the current time. The key and any links to the key will be automatically | ||
1123 | * garbage collected after the timeout expires. | ||
1124 | * | ||
1125 | * If successful, 0 is returned. | ||
1054 | */ | 1126 | */ |
1055 | long keyctl_set_timeout(key_serial_t id, unsigned timeout) | 1127 | long keyctl_set_timeout(key_serial_t id, unsigned timeout) |
1056 | { | 1128 | { |
@@ -1105,7 +1177,21 @@ error: | |||
1105 | } | 1177 | } |
1106 | 1178 | ||
1107 | /* | 1179 | /* |
1108 | * assume the authority to instantiate the specified key | 1180 | * Assume (or clear) the authority to instantiate the specified key. |
1181 | * | ||
1182 | * This sets the authoritative token currently in force for key instantiation. | ||
1183 | * This must be done for a key to be instantiated. It has the effect of making | ||
1184 | * available all the keys from the caller of the request_key() that created a | ||
1185 | * key to request_key() calls made by the caller of this function. | ||
1186 | * | ||
1187 | * The caller must have the instantiation key in their process keyrings with a | ||
1188 | * Search permission grant available to the caller. | ||
1189 | * | ||
1190 | * If the ID given is 0, then the setting will be cleared and 0 returned. | ||
1191 | * | ||
1192 | * If the ID given has a matching an authorisation key, then that key will be | ||
1193 | * set and its ID will be returned. The authorisation key can be read to get | ||
1194 | * the callout information passed to request_key(). | ||
1109 | */ | 1195 | */ |
1110 | long keyctl_assume_authority(key_serial_t id) | 1196 | long keyctl_assume_authority(key_serial_t id) |
1111 | { | 1197 | { |
@@ -1145,12 +1231,14 @@ error: | |||
1145 | } | 1231 | } |
1146 | 1232 | ||
1147 | /* | 1233 | /* |
1148 | * get the security label of a key | 1234 | * Get a key's the LSM security label. |
1149 | * - the key must grant us view permission | 1235 | * |
1150 | * - if there's a buffer, we place up to buflen bytes of data into it | 1236 | * The key must grant the caller View permission for this to work. |
1151 | * - unless there's an error, we return the amount of information available, | 1237 | * |
1152 | * irrespective of how much we may have copied (including the terminal NUL) | 1238 | * If there's a buffer, then up to buflen bytes of data will be placed into it. |
1153 | * - implements keyctl(KEYCTL_GET_SECURITY) | 1239 | * |
1240 | * If successful, the amount of information available will be returned, | ||
1241 | * irrespective of how much was copied (including the terminal NUL). | ||
1154 | */ | 1242 | */ |
1155 | long keyctl_get_security(key_serial_t keyid, | 1243 | long keyctl_get_security(key_serial_t keyid, |
1156 | char __user *buffer, | 1244 | char __user *buffer, |
@@ -1205,10 +1293,16 @@ long keyctl_get_security(key_serial_t keyid, | |||
1205 | } | 1293 | } |
1206 | 1294 | ||
1207 | /* | 1295 | /* |
1208 | * attempt to install the calling process's session keyring on the process's | 1296 | * Attempt to install the calling process's session keyring on the process's |
1209 | * parent process | 1297 | * parent process. |
1210 | * - the keyring must exist and must grant us LINK permission | 1298 | * |
1211 | * - implements keyctl(KEYCTL_SESSION_TO_PARENT) | 1299 | * The keyring must exist and must grant the caller LINK permission, and the |
1300 | * parent process must be single-threaded and must have the same effective | ||
1301 | * ownership as this process and mustn't be SUID/SGID. | ||
1302 | * | ||
1303 | * The keyring will be emplaced on the parent when it next resumes userspace. | ||
1304 | * | ||
1305 | * If successful, 0 will be returned. | ||
1212 | */ | 1306 | */ |
1213 | long keyctl_session_to_parent(void) | 1307 | long keyctl_session_to_parent(void) |
1214 | { | 1308 | { |
@@ -1312,7 +1406,7 @@ error_keyring: | |||
1312 | } | 1406 | } |
1313 | 1407 | ||
1314 | /* | 1408 | /* |
1315 | * the key control system call | 1409 | * The key control system call |
1316 | */ | 1410 | */ |
1317 | SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, | 1411 | SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, |
1318 | unsigned long, arg4, unsigned long, arg5) | 1412 | unsigned long, arg4, unsigned long, arg5) |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 0a2b8e916d97..92024ed12e0a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -26,13 +26,13 @@ | |||
26 | rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) | 26 | rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) |
27 | 27 | ||
28 | /* | 28 | /* |
29 | * when plumbing the depths of the key tree, this sets a hard limit set on how | 29 | * When plumbing the depths of the key tree, this sets a hard limit |
30 | * deep we're willing to go | 30 | * set on how deep we're willing to go. |
31 | */ | 31 | */ |
32 | #define KEYRING_SEARCH_MAX_DEPTH 6 | 32 | #define KEYRING_SEARCH_MAX_DEPTH 6 |
33 | 33 | ||
34 | /* | 34 | /* |
35 | * we keep all named keyrings in a hash to speed looking them up | 35 | * We keep all named keyrings in a hash to speed looking them up. |
36 | */ | 36 | */ |
37 | #define KEYRING_NAME_HASH_SIZE (1 << 5) | 37 | #define KEYRING_NAME_HASH_SIZE (1 << 5) |
38 | 38 | ||
@@ -50,7 +50,9 @@ static inline unsigned keyring_hash(const char *desc) | |||
50 | } | 50 | } |
51 | 51 | ||
52 | /* | 52 | /* |
53 | * the keyring type definition | 53 | * The keyring key type definition. Keyrings are simply keys of this type and |
54 | * can be treated as ordinary keys in addition to having their own special | ||
55 | * operations. | ||
54 | */ | 56 | */ |
55 | static int keyring_instantiate(struct key *keyring, | 57 | static int keyring_instantiate(struct key *keyring, |
56 | const void *data, size_t datalen); | 58 | const void *data, size_t datalen); |
@@ -71,18 +73,17 @@ struct key_type key_type_keyring = { | |||
71 | .describe = keyring_describe, | 73 | .describe = keyring_describe, |
72 | .read = keyring_read, | 74 | .read = keyring_read, |
73 | }; | 75 | }; |
74 | |||
75 | EXPORT_SYMBOL(key_type_keyring); | 76 | EXPORT_SYMBOL(key_type_keyring); |
76 | 77 | ||
77 | /* | 78 | /* |
78 | * semaphore to serialise link/link calls to prevent two link calls in parallel | 79 | * Semaphore to serialise link/link calls to prevent two link calls in parallel |
79 | * introducing a cycle | 80 | * introducing a cycle. |
80 | */ | 81 | */ |
81 | static DECLARE_RWSEM(keyring_serialise_link_sem); | 82 | static DECLARE_RWSEM(keyring_serialise_link_sem); |
82 | 83 | ||
83 | /* | 84 | /* |
84 | * publish the name of a keyring so that it can be found by name (if it has | 85 | * Publish the name of a keyring so that it can be found by name (if it has |
85 | * one) | 86 | * one). |
86 | */ | 87 | */ |
87 | static void keyring_publish_name(struct key *keyring) | 88 | static void keyring_publish_name(struct key *keyring) |
88 | { | 89 | { |
@@ -104,8 +105,9 @@ static void keyring_publish_name(struct key *keyring) | |||
104 | } | 105 | } |
105 | 106 | ||
106 | /* | 107 | /* |
107 | * initialise a keyring | 108 | * Initialise a keyring. |
108 | * - we object if we were given any data | 109 | * |
110 | * Returns 0 on success, -EINVAL if given any data. | ||
109 | */ | 111 | */ |
110 | static int keyring_instantiate(struct key *keyring, | 112 | static int keyring_instantiate(struct key *keyring, |
111 | const void *data, size_t datalen) | 113 | const void *data, size_t datalen) |
@@ -123,7 +125,7 @@ static int keyring_instantiate(struct key *keyring, | |||
123 | } | 125 | } |
124 | 126 | ||
125 | /* | 127 | /* |
126 | * match keyrings on their name | 128 | * Match keyrings on their name |
127 | */ | 129 | */ |
128 | static int keyring_match(const struct key *keyring, const void *description) | 130 | static int keyring_match(const struct key *keyring, const void *description) |
129 | { | 131 | { |
@@ -132,7 +134,8 @@ static int keyring_match(const struct key *keyring, const void *description) | |||
132 | } | 134 | } |
133 | 135 | ||
134 | /* | 136 | /* |
135 | * dispose of the data dangling from the corpse of a keyring | 137 | * Clean up a keyring when it is destroyed. Unpublish its name if it had one |
138 | * and dispose of its data. | ||
136 | */ | 139 | */ |
137 | static void keyring_destroy(struct key *keyring) | 140 | static void keyring_destroy(struct key *keyring) |
138 | { | 141 | { |
@@ -160,7 +163,7 @@ static void keyring_destroy(struct key *keyring) | |||
160 | } | 163 | } |
161 | 164 | ||
162 | /* | 165 | /* |
163 | * describe the keyring | 166 | * Describe a keyring for /proc. |
164 | */ | 167 | */ |
165 | static void keyring_describe(const struct key *keyring, struct seq_file *m) | 168 | static void keyring_describe(const struct key *keyring, struct seq_file *m) |
166 | { | 169 | { |
@@ -181,8 +184,9 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m) | |||
181 | } | 184 | } |
182 | 185 | ||
183 | /* | 186 | /* |
184 | * read a list of key IDs from the keyring's contents | 187 | * Read a list of key IDs from the keyring's contents in binary form |
185 | * - the keyring's semaphore is read-locked | 188 | * |
189 | * The keyring's semaphore is read-locked by the caller. | ||
186 | */ | 190 | */ |
187 | static long keyring_read(const struct key *keyring, | 191 | static long keyring_read(const struct key *keyring, |
188 | char __user *buffer, size_t buflen) | 192 | char __user *buffer, size_t buflen) |
@@ -233,7 +237,7 @@ error: | |||
233 | } | 237 | } |
234 | 238 | ||
235 | /* | 239 | /* |
236 | * allocate a keyring and link into the destination keyring | 240 | * Allocate a keyring and link into the destination keyring. |
237 | */ | 241 | */ |
238 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | 242 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, |
239 | const struct cred *cred, unsigned long flags, | 243 | const struct cred *cred, unsigned long flags, |
@@ -258,16 +262,40 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | |||
258 | return keyring; | 262 | return keyring; |
259 | } | 263 | } |
260 | 264 | ||
261 | /* | 265 | /** |
262 | * search the supplied keyring tree for a key that matches the criterion | 266 | * keyring_search_aux - Search a keyring tree for a key matching some criteria |
263 | * - perform a breadth-then-depth search up to the prescribed limit | 267 | * @keyring_ref: A pointer to the keyring with possession indicator. |
264 | * - we only find keys on which we have search permission | 268 | * @cred: The credentials to use for permissions checks. |
265 | * - we use the supplied match function to see if the description (or other | 269 | * @type: The type of key to search for. |
266 | * feature of interest) matches | 270 | * @description: Parameter for @match. |
267 | * - we rely on RCU to prevent the keyring lists from disappearing on us | 271 | * @match: Function to rule on whether or not a key is the one required. |
268 | * - we return -EAGAIN if we didn't find any matching key | 272 | * |
269 | * - we return -ENOKEY if we only found negative matching keys | 273 | * Search the supplied keyring tree for a key that matches the criteria given. |
270 | * - we propagate the possession attribute from the keyring ref to the key ref | 274 | * The root keyring and any linked keyrings must grant Search permission to the |
275 | * caller to be searchable and keys can only be found if they too grant Search | ||
276 | * to the caller. The possession flag on the root keyring pointer controls use | ||
277 | * of the possessor bits in permissions checking of the entire tree. In | ||
278 | * addition, the LSM gets to forbid keyring searches and key matches. | ||
279 | * | ||
280 | * The search is performed as a breadth-then-depth search up to the prescribed | ||
281 | * limit (KEYRING_SEARCH_MAX_DEPTH). | ||
282 | * | ||
283 | * Keys are matched to the type provided and are then filtered by the match | ||
284 | * function, which is given the description to use in any way it sees fit. The | ||
285 | * match function may use any attributes of a key that it wishes to to | ||
286 | * determine the match. Normally the match function from the key type would be | ||
287 | * used. | ||
288 | * | ||
289 | * RCU is used to prevent the keyring key lists from disappearing without the | ||
290 | * need to take lots of locks. | ||
291 | * | ||
292 | * Returns a pointer to the found key and increments the key usage count if | ||
293 | * successful; -EAGAIN if no matching keys were found, or if expired or revoked | ||
294 | * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the | ||
295 | * specified keyring wasn't a keyring. | ||
296 | * | ||
297 | * In the case of a successful return, the possession attribute from | ||
298 | * @keyring_ref is propagated to the returned key reference. | ||
271 | */ | 299 | */ |
272 | key_ref_t keyring_search_aux(key_ref_t keyring_ref, | 300 | key_ref_t keyring_search_aux(key_ref_t keyring_ref, |
273 | const struct cred *cred, | 301 | const struct cred *cred, |
@@ -431,13 +459,14 @@ error: | |||
431 | return key_ref; | 459 | return key_ref; |
432 | } | 460 | } |
433 | 461 | ||
434 | /* | 462 | /** |
435 | * search the supplied keyring tree for a key that matches the criterion | 463 | * keyring_search - Search the supplied keyring tree for a matching key |
436 | * - perform a breadth-then-depth search up to the prescribed limit | 464 | * @keyring: The root of the keyring tree to be searched. |
437 | * - we only find keys on which we have search permission | 465 | * @type: The type of keyring we want to find. |
438 | * - we readlock the keyrings as we search down the tree | 466 | * @description: The name of the keyring we want to find. |
439 | * - we return -EAGAIN if we didn't find any matching key | 467 | * |
440 | * - we return -ENOKEY if we only found negative matching keys | 468 | * As keyring_search_aux() above, but using the current task's credentials and |
469 | * type's default matching function. | ||
441 | */ | 470 | */ |
442 | key_ref_t keyring_search(key_ref_t keyring, | 471 | key_ref_t keyring_search(key_ref_t keyring, |
443 | struct key_type *type, | 472 | struct key_type *type, |
@@ -449,13 +478,22 @@ key_ref_t keyring_search(key_ref_t keyring, | |||
449 | return keyring_search_aux(keyring, current->cred, | 478 | return keyring_search_aux(keyring, current->cred, |
450 | type, description, type->match); | 479 | type, description, type->match); |
451 | } | 480 | } |
452 | |||
453 | EXPORT_SYMBOL(keyring_search); | 481 | EXPORT_SYMBOL(keyring_search); |
454 | 482 | ||
455 | /* | 483 | /* |
456 | * search the given keyring only (no recursion) | 484 | * Search the given keyring only (no recursion). |
457 | * - keyring must be locked by caller | 485 | * |
458 | * - caller must guarantee that the keyring is a keyring | 486 | * The caller must guarantee that the keyring is a keyring and that the |
487 | * permission is granted to search the keyring as no check is made here. | ||
488 | * | ||
489 | * RCU is used to make it unnecessary to lock the keyring key list here. | ||
490 | * | ||
491 | * Returns a pointer to the found key with usage count incremented if | ||
492 | * successful and returns -ENOKEY if not found. Revoked keys and keys not | ||
493 | * providing the requested permission are skipped over. | ||
494 | * | ||
495 | * If successful, the possession indicator is propagated from the keyring ref | ||
496 | * to the returned key reference. | ||
459 | */ | 497 | */ |
460 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, | 498 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, |
461 | const struct key_type *ktype, | 499 | const struct key_type *ktype, |
@@ -498,9 +536,15 @@ found: | |||
498 | } | 536 | } |
499 | 537 | ||
500 | /* | 538 | /* |
501 | * find a keyring with the specified name | 539 | * Find a keyring with the specified name. |
502 | * - all named keyrings are searched | 540 | * |
503 | * - normally only finds keyrings with search permission for the current process | 541 | * All named keyrings in the current user namespace are searched, provided they |
542 | * grant Search permission directly to the caller (unless this check is | ||
543 | * skipped). Keyrings whose usage points have reached zero or who have been | ||
544 | * revoked are skipped. | ||
545 | * | ||
546 | * Returns a pointer to the keyring with the keyring's refcount having being | ||
547 | * incremented on success. -ENOKEY is returned if a key could not be found. | ||
504 | */ | 548 | */ |
505 | struct key *find_keyring_by_name(const char *name, bool skip_perm_check) | 549 | struct key *find_keyring_by_name(const char *name, bool skip_perm_check) |
506 | { | 550 | { |
@@ -551,10 +595,11 @@ out: | |||
551 | } | 595 | } |
552 | 596 | ||
553 | /* | 597 | /* |
554 | * see if a cycle will will be created by inserting acyclic tree B in acyclic | 598 | * See if a cycle will will be created by inserting acyclic tree B in acyclic |
555 | * tree A at the topmost level (ie: as a direct child of A) | 599 | * tree A at the topmost level (ie: as a direct child of A). |
556 | * - since we are adding B to A at the top level, checking for cycles should | 600 | * |
557 | * just be a matter of seeing if node A is somewhere in tree B | 601 | * Since we are adding B to A at the top level, checking for cycles should just |
602 | * be a matter of seeing if node A is somewhere in tree B. | ||
558 | */ | 603 | */ |
559 | static int keyring_detect_cycle(struct key *A, struct key *B) | 604 | static int keyring_detect_cycle(struct key *A, struct key *B) |
560 | { | 605 | { |
@@ -637,7 +682,7 @@ cycle_detected: | |||
637 | } | 682 | } |
638 | 683 | ||
639 | /* | 684 | /* |
640 | * dispose of a keyring list after the RCU grace period, freeing the unlinked | 685 | * Dispose of a keyring list after the RCU grace period, freeing the unlinked |
641 | * key | 686 | * key |
642 | */ | 687 | */ |
643 | static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) | 688 | static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) |
@@ -651,7 +696,7 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) | |||
651 | } | 696 | } |
652 | 697 | ||
653 | /* | 698 | /* |
654 | * preallocate memory so that a key can be linked into to a keyring | 699 | * Preallocate memory so that a key can be linked into to a keyring. |
655 | */ | 700 | */ |
656 | int __key_link_begin(struct key *keyring, const struct key_type *type, | 701 | int __key_link_begin(struct key *keyring, const struct key_type *type, |
657 | const char *description, | 702 | const char *description, |
@@ -768,10 +813,10 @@ error_krsem: | |||
768 | } | 813 | } |
769 | 814 | ||
770 | /* | 815 | /* |
771 | * check already instantiated keys aren't going to be a problem | 816 | * Check already instantiated keys aren't going to be a problem. |
772 | * - the caller must have called __key_link_begin() | 817 | * |
773 | * - don't need to call this for keys that were created since __key_link_begin() | 818 | * The caller must have called __key_link_begin(). Don't need to call this for |
774 | * was called | 819 | * keys that were created since __key_link_begin() was called. |
775 | */ | 820 | */ |
776 | int __key_link_check_live_key(struct key *keyring, struct key *key) | 821 | int __key_link_check_live_key(struct key *keyring, struct key *key) |
777 | { | 822 | { |
@@ -783,9 +828,12 @@ int __key_link_check_live_key(struct key *keyring, struct key *key) | |||
783 | } | 828 | } |
784 | 829 | ||
785 | /* | 830 | /* |
786 | * link a key into to a keyring | 831 | * Link a key into to a keyring. |
787 | * - must be called with __key_link_begin() having being called | 832 | * |
788 | * - discard already extant link to matching key if there is one | 833 | * Must be called with __key_link_begin() having being called. Discards any |
834 | * already extant link to matching key if there is one, so that each keyring | ||
835 | * holds at most one link to any given key of a particular type+description | ||
836 | * combination. | ||
789 | */ | 837 | */ |
790 | void __key_link(struct key *keyring, struct key *key, | 838 | void __key_link(struct key *keyring, struct key *key, |
791 | struct keyring_list **_prealloc) | 839 | struct keyring_list **_prealloc) |
@@ -828,8 +876,9 @@ void __key_link(struct key *keyring, struct key *key, | |||
828 | } | 876 | } |
829 | 877 | ||
830 | /* | 878 | /* |
831 | * finish linking a key into to a keyring | 879 | * Finish linking a key into to a keyring. |
832 | * - must be called with __key_link_begin() having being called | 880 | * |
881 | * Must be called with __key_link_begin() having being called. | ||
833 | */ | 882 | */ |
834 | void __key_link_end(struct key *keyring, struct key_type *type, | 883 | void __key_link_end(struct key *keyring, struct key_type *type, |
835 | struct keyring_list *prealloc) | 884 | struct keyring_list *prealloc) |
@@ -850,8 +899,25 @@ void __key_link_end(struct key *keyring, struct key_type *type, | |||
850 | up_write(&keyring->sem); | 899 | up_write(&keyring->sem); |
851 | } | 900 | } |
852 | 901 | ||
853 | /* | 902 | /** |
854 | * link a key to a keyring | 903 | * key_link - Link a key to a keyring |
904 | * @keyring: The keyring to make the link in. | ||
905 | * @key: The key to link to. | ||
906 | * | ||
907 | * Make a link in a keyring to a key, such that the keyring holds a reference | ||
908 | * on that key and the key can potentially be found by searching that keyring. | ||
909 | * | ||
910 | * This function will write-lock the keyring's semaphore and will consume some | ||
911 | * of the user's key data quota to hold the link. | ||
912 | * | ||
913 | * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, | ||
914 | * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is | ||
915 | * full, -EDQUOT if there is insufficient key data quota remaining to add | ||
916 | * another link or -ENOMEM if there's insufficient memory. | ||
917 | * | ||
918 | * It is assumed that the caller has checked that it is permitted for a link to | ||
919 | * be made (the keyring should have Write permission and the key Link | ||
920 | * permission). | ||
855 | */ | 921 | */ |
856 | int key_link(struct key *keyring, struct key *key) | 922 | int key_link(struct key *keyring, struct key *key) |
857 | { | 923 | { |
@@ -871,11 +937,24 @@ int key_link(struct key *keyring, struct key *key) | |||
871 | 937 | ||
872 | return ret; | 938 | return ret; |
873 | } | 939 | } |
874 | |||
875 | EXPORT_SYMBOL(key_link); | 940 | EXPORT_SYMBOL(key_link); |
876 | 941 | ||
877 | /* | 942 | /** |
878 | * unlink the first link to a key from a keyring | 943 | * key_unlink - Unlink the first link to a key from a keyring. |
944 | * @keyring: The keyring to remove the link from. | ||
945 | * @key: The key the link is to. | ||
946 | * | ||
947 | * Remove a link from a keyring to a key. | ||
948 | * | ||
949 | * This function will write-lock the keyring's semaphore. | ||
950 | * | ||
951 | * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if | ||
952 | * the key isn't linked to by the keyring or -ENOMEM if there's insufficient | ||
953 | * memory. | ||
954 | * | ||
955 | * It is assumed that the caller has checked that it is permitted for a link to | ||
956 | * be removed (the keyring should have Write permission; no permissions are | ||
957 | * required on the key). | ||
879 | */ | 958 | */ |
880 | int key_unlink(struct key *keyring, struct key *key) | 959 | int key_unlink(struct key *keyring, struct key *key) |
881 | { | 960 | { |
@@ -944,12 +1023,11 @@ nomem: | |||
944 | up_write(&keyring->sem); | 1023 | up_write(&keyring->sem); |
945 | goto error; | 1024 | goto error; |
946 | } | 1025 | } |
947 | |||
948 | EXPORT_SYMBOL(key_unlink); | 1026 | EXPORT_SYMBOL(key_unlink); |
949 | 1027 | ||
950 | /* | 1028 | /* |
951 | * dispose of a keyring list after the RCU grace period, releasing the keys it | 1029 | * Dispose of a keyring list after the RCU grace period, releasing the keys it |
952 | * links to | 1030 | * links to. |
953 | */ | 1031 | */ |
954 | static void keyring_clear_rcu_disposal(struct rcu_head *rcu) | 1032 | static void keyring_clear_rcu_disposal(struct rcu_head *rcu) |
955 | { | 1033 | { |
@@ -964,9 +1042,13 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu) | |||
964 | kfree(klist); | 1042 | kfree(klist); |
965 | } | 1043 | } |
966 | 1044 | ||
967 | /* | 1045 | /** |
968 | * clear the specified process keyring | 1046 | * keyring_clear - Clear a keyring |
969 | * - implements keyctl(KEYCTL_CLEAR) | 1047 | * @keyring: The keyring to clear. |
1048 | * | ||
1049 | * Clear the contents of the specified keyring. | ||
1050 | * | ||
1051 | * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. | ||
970 | */ | 1052 | */ |
971 | int keyring_clear(struct key *keyring) | 1053 | int keyring_clear(struct key *keyring) |
972 | { | 1054 | { |
@@ -999,12 +1081,12 @@ int keyring_clear(struct key *keyring) | |||
999 | 1081 | ||
1000 | return ret; | 1082 | return ret; |
1001 | } | 1083 | } |
1002 | |||
1003 | EXPORT_SYMBOL(keyring_clear); | 1084 | EXPORT_SYMBOL(keyring_clear); |
1004 | 1085 | ||
1005 | /* | 1086 | /* |
1006 | * dispose of the links from a revoked keyring | 1087 | * Dispose of the links from a revoked keyring. |
1007 | * - called with the key sem write-locked | 1088 | * |
1089 | * This is called with the key sem write-locked. | ||
1008 | */ | 1090 | */ |
1009 | static void keyring_revoke(struct key *keyring) | 1091 | static void keyring_revoke(struct key *keyring) |
1010 | { | 1092 | { |
@@ -1022,7 +1104,7 @@ static void keyring_revoke(struct key *keyring) | |||
1022 | } | 1104 | } |
1023 | 1105 | ||
1024 | /* | 1106 | /* |
1025 | * Determine whether a key is dead | 1107 | * Determine whether a key is dead. |
1026 | */ | 1108 | */ |
1027 | static bool key_is_dead(struct key *key, time_t limit) | 1109 | static bool key_is_dead(struct key *key, time_t limit) |
1028 | { | 1110 | { |
@@ -1031,7 +1113,12 @@ static bool key_is_dead(struct key *key, time_t limit) | |||
1031 | } | 1113 | } |
1032 | 1114 | ||
1033 | /* | 1115 | /* |
1034 | * Collect garbage from the contents of a keyring | 1116 | * Collect garbage from the contents of a keyring, replacing the old list with |
1117 | * a new one with the pointers all shuffled down. | ||
1118 | * | ||
1119 | * Dead keys are classed as oned that are flagged as being dead or are revoked, | ||
1120 | * expired or negative keys that were revoked or expired before the specified | ||
1121 | * limit. | ||
1035 | */ | 1122 | */ |
1036 | void keyring_gc(struct key *keyring, time_t limit) | 1123 | void keyring_gc(struct key *keyring, time_t limit) |
1037 | { | 1124 | { |
diff --git a/security/keys/permission.c b/security/keys/permission.c index 6284b1496c29..c35b5229e3cd 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* permission.c: key permission determination | 1 | /* Key permission checking |
2 | * | 2 | * |
3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -15,15 +15,17 @@ | |||
15 | 15 | ||
16 | /** | 16 | /** |
17 | * key_task_permission - Check a key can be used | 17 | * key_task_permission - Check a key can be used |
18 | * @key_ref: The key to check | 18 | * @key_ref: The key to check. |
19 | * @cred: The credentials to use | 19 | * @cred: The credentials to use. |
20 | * @perm: The permissions to check for | 20 | * @perm: The permissions to check for. |
21 | * | 21 | * |
22 | * Check to see whether permission is granted to use a key in the desired way, | 22 | * Check to see whether permission is granted to use a key in the desired way, |
23 | * but permit the security modules to override. | 23 | * but permit the security modules to override. |
24 | * | 24 | * |
25 | * The caller must hold either a ref on cred or must hold the RCU readlock or a | 25 | * The caller must hold either a ref on cred or must hold the RCU readlock. |
26 | * spinlock. | 26 | * |
27 | * Returns 0 if successful, -EACCES if access is denied based on the | ||
28 | * permissions bits or the LSM check. | ||
27 | */ | 29 | */ |
28 | int key_task_permission(const key_ref_t key_ref, const struct cred *cred, | 30 | int key_task_permission(const key_ref_t key_ref, const struct cred *cred, |
29 | key_perm_t perm) | 31 | key_perm_t perm) |
@@ -79,11 +81,15 @@ use_these_perms: | |||
79 | /* let LSM be the final arbiter */ | 81 | /* let LSM be the final arbiter */ |
80 | return security_key_permission(key_ref, cred, perm); | 82 | return security_key_permission(key_ref, cred, perm); |
81 | } | 83 | } |
82 | |||
83 | EXPORT_SYMBOL(key_task_permission); | 84 | EXPORT_SYMBOL(key_task_permission); |
84 | 85 | ||
85 | /* | 86 | /** |
86 | * validate a key | 87 | * key_validate - Validate a key. |
88 | * @key: The key to be validated. | ||
89 | * | ||
90 | * Check that a key is valid, returning 0 if the key is okay, -EKEYREVOKED if | ||
91 | * the key's type has been removed or if the key has been revoked or | ||
92 | * -EKEYEXPIRED if the key has expired. | ||
87 | */ | 93 | */ |
88 | int key_validate(struct key *key) | 94 | int key_validate(struct key *key) |
89 | { | 95 | { |
@@ -109,5 +115,4 @@ int key_validate(struct key *key) | |||
109 | error: | 115 | error: |
110 | return ret; | 116 | return ret; |
111 | } | 117 | } |
112 | |||
113 | EXPORT_SYMBOL(key_validate); | 118 | EXPORT_SYMBOL(key_validate); |
diff --git a/security/keys/proc.c b/security/keys/proc.c index ad5f64e1b320..525cf8a29cdd 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* proc.c: proc files for key database enumeration | 1 | /* procfs files for key database enumeration |
2 | * | 2 | * |
3 | * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -61,7 +61,7 @@ static const struct file_operations proc_key_users_fops = { | |||
61 | }; | 61 | }; |
62 | 62 | ||
63 | /* | 63 | /* |
64 | * declare the /proc files | 64 | * Declare the /proc files. |
65 | */ | 65 | */ |
66 | static int __init key_proc_init(void) | 66 | static int __init key_proc_init(void) |
67 | { | 67 | { |
@@ -83,7 +83,8 @@ static int __init key_proc_init(void) | |||
83 | __initcall(key_proc_init); | 83 | __initcall(key_proc_init); |
84 | 84 | ||
85 | /* | 85 | /* |
86 | * implement "/proc/keys" to provides a list of the keys on the system | 86 | * Implement "/proc/keys" to provide a list of the keys on the system that |
87 | * grant View permission to the caller. | ||
87 | */ | 88 | */ |
88 | #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS | 89 | #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS |
89 | 90 | ||
@@ -291,7 +292,8 @@ static struct rb_node *key_user_first(struct rb_root *r) | |||
291 | } | 292 | } |
292 | 293 | ||
293 | /* | 294 | /* |
294 | * implement "/proc/key-users" to provides a list of the key users | 295 | * Implement "/proc/key-users" to provides a list of the key users and their |
296 | * quotas. | ||
295 | */ | 297 | */ |
296 | static int proc_key_users_open(struct inode *inode, struct file *file) | 298 | static int proc_key_users_open(struct inode *inode, struct file *file) |
297 | { | 299 | { |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index ea55cf9acf36..930634e45149 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* Management of a process's keyrings | 1 | /* Manage a process's keyrings |
2 | * | 2 | * |
3 | * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -21,13 +21,13 @@ | |||
21 | #include <asm/uaccess.h> | 21 | #include <asm/uaccess.h> |
22 | #include "internal.h" | 22 | #include "internal.h" |
23 | 23 | ||
24 | /* session keyring create vs join semaphore */ | 24 | /* Session keyring create vs join semaphore */ |
25 | static DEFINE_MUTEX(key_session_mutex); | 25 | static DEFINE_MUTEX(key_session_mutex); |
26 | 26 | ||
27 | /* user keyring creation semaphore */ | 27 | /* User keyring creation semaphore */ |
28 | static DEFINE_MUTEX(key_user_keyring_mutex); | 28 | static DEFINE_MUTEX(key_user_keyring_mutex); |
29 | 29 | ||
30 | /* the root user's tracking struct */ | 30 | /* The root user's tracking struct */ |
31 | struct key_user root_key_user = { | 31 | struct key_user root_key_user = { |
32 | .usage = ATOMIC_INIT(3), | 32 | .usage = ATOMIC_INIT(3), |
33 | .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), | 33 | .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), |
@@ -39,7 +39,7 @@ struct key_user root_key_user = { | |||
39 | }; | 39 | }; |
40 | 40 | ||
41 | /* | 41 | /* |
42 | * install user and user session keyrings for a particular UID | 42 | * Install the user and user session keyrings for the current process's UID. |
43 | */ | 43 | */ |
44 | int install_user_keyrings(void) | 44 | int install_user_keyrings(void) |
45 | { | 45 | { |
@@ -121,7 +121,8 @@ error: | |||
121 | } | 121 | } |
122 | 122 | ||
123 | /* | 123 | /* |
124 | * install a fresh thread keyring directly to new credentials | 124 | * Install a fresh thread keyring directly to new credentials. This keyring is |
125 | * allowed to overrun the quota. | ||
125 | */ | 126 | */ |
126 | int install_thread_keyring_to_cred(struct cred *new) | 127 | int install_thread_keyring_to_cred(struct cred *new) |
127 | { | 128 | { |
@@ -137,7 +138,7 @@ int install_thread_keyring_to_cred(struct cred *new) | |||
137 | } | 138 | } |
138 | 139 | ||
139 | /* | 140 | /* |
140 | * install a fresh thread keyring, discarding the old one | 141 | * Install a fresh thread keyring, discarding the old one. |
141 | */ | 142 | */ |
142 | static int install_thread_keyring(void) | 143 | static int install_thread_keyring(void) |
143 | { | 144 | { |
@@ -160,9 +161,10 @@ static int install_thread_keyring(void) | |||
160 | } | 161 | } |
161 | 162 | ||
162 | /* | 163 | /* |
163 | * install a process keyring directly to a credentials struct | 164 | * Install a process keyring directly to a credentials struct. |
164 | * - returns -EEXIST if there was already a process keyring, 0 if one installed, | 165 | * |
165 | * and other -ve on any other error | 166 | * Returns -EEXIST if there was already a process keyring, 0 if one installed, |
167 | * and other value on any other error | ||
166 | */ | 168 | */ |
167 | int install_process_keyring_to_cred(struct cred *new) | 169 | int install_process_keyring_to_cred(struct cred *new) |
168 | { | 170 | { |
@@ -191,8 +193,11 @@ int install_process_keyring_to_cred(struct cred *new) | |||
191 | } | 193 | } |
192 | 194 | ||
193 | /* | 195 | /* |
194 | * make sure a process keyring is installed | 196 | * Make sure a process keyring is installed for the current process. The |
195 | * - we | 197 | * existing process keyring is not replaced. |
198 | * | ||
199 | * Returns 0 if there is a process keyring by the end of this function, some | ||
200 | * error otherwise. | ||
196 | */ | 201 | */ |
197 | static int install_process_keyring(void) | 202 | static int install_process_keyring(void) |
198 | { | 203 | { |
@@ -213,7 +218,7 @@ static int install_process_keyring(void) | |||
213 | } | 218 | } |
214 | 219 | ||
215 | /* | 220 | /* |
216 | * install a session keyring directly to a credentials struct | 221 | * Install a session keyring directly to a credentials struct. |
217 | */ | 222 | */ |
218 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) | 223 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) |
219 | { | 224 | { |
@@ -253,8 +258,8 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) | |||
253 | } | 258 | } |
254 | 259 | ||
255 | /* | 260 | /* |
256 | * install a session keyring, discarding the old one | 261 | * Install a session keyring, discarding the old one. If a keyring is not |
257 | * - if a keyring is not supplied, an empty one is invented | 262 | * supplied, an empty one is invented. |
258 | */ | 263 | */ |
259 | static int install_session_keyring(struct key *keyring) | 264 | static int install_session_keyring(struct key *keyring) |
260 | { | 265 | { |
@@ -275,7 +280,7 @@ static int install_session_keyring(struct key *keyring) | |||
275 | } | 280 | } |
276 | 281 | ||
277 | /* | 282 | /* |
278 | * the filesystem user ID changed | 283 | * Handle the fsuid changing. |
279 | */ | 284 | */ |
280 | void key_fsuid_changed(struct task_struct *tsk) | 285 | void key_fsuid_changed(struct task_struct *tsk) |
281 | { | 286 | { |
@@ -289,7 +294,7 @@ void key_fsuid_changed(struct task_struct *tsk) | |||
289 | } | 294 | } |
290 | 295 | ||
291 | /* | 296 | /* |
292 | * the filesystem group ID changed | 297 | * Handle the fsgid changing. |
293 | */ | 298 | */ |
294 | void key_fsgid_changed(struct task_struct *tsk) | 299 | void key_fsgid_changed(struct task_struct *tsk) |
295 | { | 300 | { |
@@ -303,11 +308,25 @@ void key_fsgid_changed(struct task_struct *tsk) | |||
303 | } | 308 | } |
304 | 309 | ||
305 | /* | 310 | /* |
306 | * search only my process keyrings for the first matching key | 311 | * Search the process keyrings attached to the supplied cred for the first |
307 | * - we use the supplied match function to see if the description (or other | 312 | * matching key. |
308 | * feature of interest) matches | 313 | * |
309 | * - we return -EAGAIN if we didn't find any matching key | 314 | * The search criteria are the type and the match function. The description is |
310 | * - we return -ENOKEY if we found only negative matching keys | 315 | * given to the match function as a parameter, but doesn't otherwise influence |
316 | * the search. Typically the match function will compare the description | ||
317 | * parameter to the key's description. | ||
318 | * | ||
319 | * This can only search keyrings that grant Search permission to the supplied | ||
320 | * credentials. Keyrings linked to searched keyrings will also be searched if | ||
321 | * they grant Search permission too. Keys can only be found if they grant | ||
322 | * Search permission to the credentials. | ||
323 | * | ||
324 | * Returns a pointer to the key with the key usage count incremented if | ||
325 | * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only | ||
326 | * matched negative keys. | ||
327 | * | ||
328 | * In the case of a successful return, the possession attribute is set on the | ||
329 | * returned key reference. | ||
311 | */ | 330 | */ |
312 | key_ref_t search_my_process_keyrings(struct key_type *type, | 331 | key_ref_t search_my_process_keyrings(struct key_type *type, |
313 | const void *description, | 332 | const void *description, |
@@ -423,11 +442,12 @@ found: | |||
423 | } | 442 | } |
424 | 443 | ||
425 | /* | 444 | /* |
426 | * search the process keyrings for the first matching key | 445 | * Search the process keyrings attached to the supplied cred for the first |
427 | * - we use the supplied match function to see if the description (or other | 446 | * matching key in the manner of search_my_process_keyrings(), but also search |
428 | * feature of interest) matches | 447 | * the keys attached to the assumed authorisation key using its credentials if |
429 | * - we return -EAGAIN if we didn't find any matching key | 448 | * one is available. |
430 | * - we return -ENOKEY if we found only negative matching keys | 449 | * |
450 | * Return same as search_my_process_keyrings(). | ||
431 | */ | 451 | */ |
432 | key_ref_t search_process_keyrings(struct key_type *type, | 452 | key_ref_t search_process_keyrings(struct key_type *type, |
433 | const void *description, | 453 | const void *description, |
@@ -485,7 +505,7 @@ found: | |||
485 | } | 505 | } |
486 | 506 | ||
487 | /* | 507 | /* |
488 | * see if the key we're looking at is the target key | 508 | * See if the key we're looking at is the target key. |
489 | */ | 509 | */ |
490 | int lookup_user_key_possessed(const struct key *key, const void *target) | 510 | int lookup_user_key_possessed(const struct key *key, const void *target) |
491 | { | 511 | { |
@@ -493,9 +513,22 @@ int lookup_user_key_possessed(const struct key *key, const void *target) | |||
493 | } | 513 | } |
494 | 514 | ||
495 | /* | 515 | /* |
496 | * lookup a key given a key ID from userspace with a given permissions mask | 516 | * Look up a key ID given us by userspace with a given permissions mask to get |
497 | * - don't create special keyrings unless so requested | 517 | * the key it refers to. |
498 | * - partially constructed keys aren't found unless requested | 518 | * |
519 | * Flags can be passed to request that special keyrings be created if referred | ||
520 | * to directly, to permit partially constructed keys to be found and to skip | ||
521 | * validity and permission checks on the found key. | ||
522 | * | ||
523 | * Returns a pointer to the key with an incremented usage count if successful; | ||
524 | * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond | ||
525 | * to a key or the best found key was a negative key; -EKEYREVOKED or | ||
526 | * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the | ||
527 | * found key doesn't grant the requested permit or the LSM denied access to it; | ||
528 | * or -ENOMEM if a special keyring couldn't be created. | ||
529 | * | ||
530 | * In the case of a successful return, the possession attribute is set on the | ||
531 | * returned key reference. | ||
499 | */ | 532 | */ |
500 | key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, | 533 | key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, |
501 | key_perm_t perm) | 534 | key_perm_t perm) |
@@ -703,10 +736,15 @@ reget_creds: | |||
703 | } | 736 | } |
704 | 737 | ||
705 | /* | 738 | /* |
706 | * join the named keyring as the session keyring if possible, or attempt to | 739 | * Join the named keyring as the session keyring if possible else attempt to |
707 | * create a new one of that name if not | 740 | * create a new one of that name and join that. |
708 | * - if the name is NULL, an empty anonymous keyring is installed instead | 741 | * |
709 | * - named session keyring joining is done with a semaphore held | 742 | * If the name is NULL, an empty anonymous keyring will be installed as the |
743 | * session keyring. | ||
744 | * | ||
745 | * Named session keyrings are joined with a semaphore held to prevent the | ||
746 | * keyrings from going away whilst the attempt is made to going them and also | ||
747 | * to prevent a race in creating compatible session keyrings. | ||
710 | */ | 748 | */ |
711 | long join_session_keyring(const char *name) | 749 | long join_session_keyring(const char *name) |
712 | { | 750 | { |
@@ -778,8 +816,8 @@ error: | |||
778 | } | 816 | } |
779 | 817 | ||
780 | /* | 818 | /* |
781 | * Replace a process's session keyring when that process resumes userspace on | 819 | * Replace a process's session keyring on behalf of one of its children when |
782 | * behalf of one of its children | 820 | * the target process is about to resume userspace execution. |
783 | */ | 821 | */ |
784 | void key_replace_session_keyring(void) | 822 | void key_replace_session_keyring(void) |
785 | { | 823 | { |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 0ea52d25a6bd..9a7fb3914b27 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -39,8 +39,14 @@ static int key_wait_bit_intr(void *flags) | |||
39 | return signal_pending(current) ? -ERESTARTSYS : 0; | 39 | return signal_pending(current) ? -ERESTARTSYS : 0; |
40 | } | 40 | } |
41 | 41 | ||
42 | /* | 42 | /** |
43 | * call to complete the construction of a key | 43 | * complete_request_key - Complete the construction of a key. |
44 | * @cons: The key construction record. | ||
45 | * @error: The success or failute of the construction. | ||
46 | * | ||
47 | * Complete the attempt to construct a key. The key will be negated | ||
48 | * if an error is indicated. The authorisation key will be revoked | ||
49 | * unconditionally. | ||
44 | */ | 50 | */ |
45 | void complete_request_key(struct key_construction *cons, int error) | 51 | void complete_request_key(struct key_construction *cons, int error) |
46 | { | 52 | { |
@@ -58,23 +64,33 @@ void complete_request_key(struct key_construction *cons, int error) | |||
58 | } | 64 | } |
59 | EXPORT_SYMBOL(complete_request_key); | 65 | EXPORT_SYMBOL(complete_request_key); |
60 | 66 | ||
67 | /* | ||
68 | * Initialise a usermode helper that is going to have a specific session | ||
69 | * keyring. | ||
70 | * | ||
71 | * This is called in context of freshly forked kthread before kernel_execve(), | ||
72 | * so we can simply install the desired session_keyring at this point. | ||
73 | */ | ||
61 | static int umh_keys_init(struct subprocess_info *info) | 74 | static int umh_keys_init(struct subprocess_info *info) |
62 | { | 75 | { |
63 | struct cred *cred = (struct cred*)current_cred(); | 76 | struct cred *cred = (struct cred*)current_cred(); |
64 | struct key *keyring = info->data; | 77 | struct key *keyring = info->data; |
65 | /* | 78 | |
66 | * This is called in context of freshly forked kthread before | ||
67 | * kernel_execve(), we can just change our ->session_keyring. | ||
68 | */ | ||
69 | return install_session_keyring_to_cred(cred, keyring); | 79 | return install_session_keyring_to_cred(cred, keyring); |
70 | } | 80 | } |
71 | 81 | ||
82 | /* | ||
83 | * Clean up a usermode helper with session keyring. | ||
84 | */ | ||
72 | static void umh_keys_cleanup(struct subprocess_info *info) | 85 | static void umh_keys_cleanup(struct subprocess_info *info) |
73 | { | 86 | { |
74 | struct key *keyring = info->data; | 87 | struct key *keyring = info->data; |
75 | key_put(keyring); | 88 | key_put(keyring); |
76 | } | 89 | } |
77 | 90 | ||
91 | /* | ||
92 | * Call a usermode helper with a specific session keyring. | ||
93 | */ | ||
78 | static int call_usermodehelper_keys(char *path, char **argv, char **envp, | 94 | static int call_usermodehelper_keys(char *path, char **argv, char **envp, |
79 | struct key *session_keyring, enum umh_wait wait) | 95 | struct key *session_keyring, enum umh_wait wait) |
80 | { | 96 | { |
@@ -91,7 +107,7 @@ static int call_usermodehelper_keys(char *path, char **argv, char **envp, | |||
91 | } | 107 | } |
92 | 108 | ||
93 | /* | 109 | /* |
94 | * request userspace finish the construction of a key | 110 | * Request userspace finish the construction of a key |
95 | * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>" | 111 | * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>" |
96 | */ | 112 | */ |
97 | static int call_sbin_request_key(struct key_construction *cons, | 113 | static int call_sbin_request_key(struct key_construction *cons, |
@@ -198,8 +214,9 @@ error_alloc: | |||
198 | } | 214 | } |
199 | 215 | ||
200 | /* | 216 | /* |
201 | * call out to userspace for key construction | 217 | * Call out to userspace for key construction. |
202 | * - we ignore program failure and go on key status instead | 218 | * |
219 | * Program failure is ignored in favour of key status. | ||
203 | */ | 220 | */ |
204 | static int construct_key(struct key *key, const void *callout_info, | 221 | static int construct_key(struct key *key, const void *callout_info, |
205 | size_t callout_len, void *aux, | 222 | size_t callout_len, void *aux, |
@@ -246,9 +263,10 @@ static int construct_key(struct key *key, const void *callout_info, | |||
246 | } | 263 | } |
247 | 264 | ||
248 | /* | 265 | /* |
249 | * get the appropriate destination keyring for the request | 266 | * Get the appropriate destination keyring for the request. |
250 | * - we return whatever keyring we select with an extra reference upon it which | 267 | * |
251 | * the caller must release | 268 | * The keyring selected is returned with an extra reference upon it which the |
269 | * caller must release. | ||
252 | */ | 270 | */ |
253 | static void construct_get_dest_keyring(struct key **_dest_keyring) | 271 | static void construct_get_dest_keyring(struct key **_dest_keyring) |
254 | { | 272 | { |
@@ -321,9 +339,11 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
321 | } | 339 | } |
322 | 340 | ||
323 | /* | 341 | /* |
324 | * allocate a new key in under-construction state and attempt to link it in to | 342 | * Allocate a new key in under-construction state and attempt to link it in to |
325 | * the requested place | 343 | * the requested keyring. |
326 | * - may return a key that's already under construction instead | 344 | * |
345 | * May return a key that's already under construction instead if there was a | ||
346 | * race between two thread calling request_key(). | ||
327 | */ | 347 | */ |
328 | static int construct_alloc_key(struct key_type *type, | 348 | static int construct_alloc_key(struct key_type *type, |
329 | const char *description, | 349 | const char *description, |
@@ -414,7 +434,7 @@ alloc_failed: | |||
414 | } | 434 | } |
415 | 435 | ||
416 | /* | 436 | /* |
417 | * commence key construction | 437 | * Commence key construction. |
418 | */ | 438 | */ |
419 | static struct key *construct_key_and_link(struct key_type *type, | 439 | static struct key *construct_key_and_link(struct key_type *type, |
420 | const char *description, | 440 | const char *description, |
@@ -465,12 +485,32 @@ construction_failed: | |||
465 | return ERR_PTR(ret); | 485 | return ERR_PTR(ret); |
466 | } | 486 | } |
467 | 487 | ||
468 | /* | 488 | /** |
469 | * request a key | 489 | * request_key_and_link - Request a key and cache it in a keyring. |
470 | * - search the process's keyrings | 490 | * @type: The type of key we want. |
471 | * - check the list of keys being created or updated | 491 | * @description: The searchable description of the key. |
472 | * - call out to userspace for a key if supplementary info was provided | 492 | * @callout_info: The data to pass to the instantiation upcall (or NULL). |
473 | * - cache the key in an appropriate keyring | 493 | * @callout_len: The length of callout_info. |
494 | * @aux: Auxiliary data for the upcall. | ||
495 | * @dest_keyring: Where to cache the key. | ||
496 | * @flags: Flags to key_alloc(). | ||
497 | * | ||
498 | * A key matching the specified criteria is searched for in the process's | ||
499 | * keyrings and returned with its usage count incremented if found. Otherwise, | ||
500 | * if callout_info is not NULL, a key will be allocated and some service | ||
501 | * (probably in userspace) will be asked to instantiate it. | ||
502 | * | ||
503 | * If successfully found or created, the key will be linked to the destination | ||
504 | * keyring if one is provided. | ||
505 | * | ||
506 | * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED | ||
507 | * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was | ||
508 | * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT | ||
509 | * if insufficient key quota was available to create a new key; or -ENOMEM if | ||
510 | * insufficient memory was available. | ||
511 | * | ||
512 | * If the returned key was created, then it may still be under construction, | ||
513 | * and wait_for_key_construction() should be used to wait for that to complete. | ||
474 | */ | 514 | */ |
475 | struct key *request_key_and_link(struct key_type *type, | 515 | struct key *request_key_and_link(struct key_type *type, |
476 | const char *description, | 516 | const char *description, |
@@ -524,8 +564,16 @@ error: | |||
524 | return key; | 564 | return key; |
525 | } | 565 | } |
526 | 566 | ||
527 | /* | 567 | /** |
528 | * wait for construction of a key to complete | 568 | * wait_for_key_construction - Wait for construction of a key to complete |
569 | * @key: The key being waited for. | ||
570 | * @intr: Whether to wait interruptibly. | ||
571 | * | ||
572 | * Wait for a key to finish being constructed. | ||
573 | * | ||
574 | * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY | ||
575 | * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was | ||
576 | * revoked or expired. | ||
529 | */ | 577 | */ |
530 | int wait_for_key_construction(struct key *key, bool intr) | 578 | int wait_for_key_construction(struct key *key, bool intr) |
531 | { | 579 | { |
@@ -542,12 +590,19 @@ int wait_for_key_construction(struct key *key, bool intr) | |||
542 | } | 590 | } |
543 | EXPORT_SYMBOL(wait_for_key_construction); | 591 | EXPORT_SYMBOL(wait_for_key_construction); |
544 | 592 | ||
545 | /* | 593 | /** |
546 | * request a key | 594 | * request_key - Request a key and wait for construction |
547 | * - search the process's keyrings | 595 | * @type: Type of key. |
548 | * - check the list of keys being created or updated | 596 | * @description: The searchable description of the key. |
549 | * - call out to userspace for a key if supplementary info was provided | 597 | * @callout_info: The data to pass to the instantiation upcall (or NULL). |
550 | * - waits uninterruptible for creation to complete | 598 | * |
599 | * As for request_key_and_link() except that it does not add the returned key | ||
600 | * to a keyring if found, new keys are always allocated in the user's quota, | ||
601 | * the callout_info must be a NUL-terminated string and no auxiliary data can | ||
602 | * be passed. | ||
603 | * | ||
604 | * Furthermore, it then works as wait_for_key_construction() to wait for the | ||
605 | * completion of keys undergoing construction with a non-interruptible wait. | ||
551 | */ | 606 | */ |
552 | struct key *request_key(struct key_type *type, | 607 | struct key *request_key(struct key_type *type, |
553 | const char *description, | 608 | const char *description, |
@@ -572,12 +627,19 @@ struct key *request_key(struct key_type *type, | |||
572 | } | 627 | } |
573 | EXPORT_SYMBOL(request_key); | 628 | EXPORT_SYMBOL(request_key); |
574 | 629 | ||
575 | /* | 630 | /** |
576 | * request a key with auxiliary data for the upcaller | 631 | * request_key_with_auxdata - Request a key with auxiliary data for the upcaller |
577 | * - search the process's keyrings | 632 | * @type: The type of key we want. |
578 | * - check the list of keys being created or updated | 633 | * @description: The searchable description of the key. |
579 | * - call out to userspace for a key if supplementary info was provided | 634 | * @callout_info: The data to pass to the instantiation upcall (or NULL). |
580 | * - waits uninterruptible for creation to complete | 635 | * @callout_len: The length of callout_info. |
636 | * @aux: Auxiliary data for the upcall. | ||
637 | * | ||
638 | * As for request_key_and_link() except that it does not add the returned key | ||
639 | * to a keyring if found and new keys are always allocated in the user's quota. | ||
640 | * | ||
641 | * Furthermore, it then works as wait_for_key_construction() to wait for the | ||
642 | * completion of keys undergoing construction with a non-interruptible wait. | ||
581 | */ | 643 | */ |
582 | struct key *request_key_with_auxdata(struct key_type *type, | 644 | struct key *request_key_with_auxdata(struct key_type *type, |
583 | const char *description, | 645 | const char *description, |
@@ -602,10 +664,18 @@ struct key *request_key_with_auxdata(struct key_type *type, | |||
602 | EXPORT_SYMBOL(request_key_with_auxdata); | 664 | EXPORT_SYMBOL(request_key_with_auxdata); |
603 | 665 | ||
604 | /* | 666 | /* |
605 | * request a key (allow async construction) | 667 | * request_key_async - Request a key (allow async construction) |
606 | * - search the process's keyrings | 668 | * @type: Type of key. |
607 | * - check the list of keys being created or updated | 669 | * @description: The searchable description of the key. |
608 | * - call out to userspace for a key if supplementary info was provided | 670 | * @callout_info: The data to pass to the instantiation upcall (or NULL). |
671 | * @callout_len: The length of callout_info. | ||
672 | * | ||
673 | * As for request_key_and_link() except that it does not add the returned key | ||
674 | * to a keyring if found, new keys are always allocated in the user's quota and | ||
675 | * no auxiliary data can be passed. | ||
676 | * | ||
677 | * The caller should call wait_for_key_construction() to wait for the | ||
678 | * completion of the returned key if it is still undergoing construction. | ||
609 | */ | 679 | */ |
610 | struct key *request_key_async(struct key_type *type, | 680 | struct key *request_key_async(struct key_type *type, |
611 | const char *description, | 681 | const char *description, |
@@ -620,9 +690,17 @@ EXPORT_SYMBOL(request_key_async); | |||
620 | 690 | ||
621 | /* | 691 | /* |
622 | * request a key with auxiliary data for the upcaller (allow async construction) | 692 | * request a key with auxiliary data for the upcaller (allow async construction) |
623 | * - search the process's keyrings | 693 | * @type: Type of key. |
624 | * - check the list of keys being created or updated | 694 | * @description: The searchable description of the key. |
625 | * - call out to userspace for a key if supplementary info was provided | 695 | * @callout_info: The data to pass to the instantiation upcall (or NULL). |
696 | * @callout_len: The length of callout_info. | ||
697 | * @aux: Auxiliary data for the upcall. | ||
698 | * | ||
699 | * As for request_key_and_link() except that it does not add the returned key | ||
700 | * to a keyring if found and new keys are always allocated in the user's quota. | ||
701 | * | ||
702 | * The caller should call wait_for_key_construction() to wait for the | ||
703 | * completion of the returned key if it is still undergoing construction. | ||
626 | */ | 704 | */ |
627 | struct key *request_key_async_with_auxdata(struct key_type *type, | 705 | struct key *request_key_async_with_auxdata(struct key_type *type, |
628 | const char *description, | 706 | const char *description, |
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index ba717b8163ab..68164031a74e 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* request_key_auth.c: request key authorisation controlling key def | 1 | /* Request key authorisation token key definition. |
2 | * | 2 | * |
3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
@@ -26,7 +26,7 @@ static void request_key_auth_destroy(struct key *); | |||
26 | static long request_key_auth_read(const struct key *, char __user *, size_t); | 26 | static long request_key_auth_read(const struct key *, char __user *, size_t); |
27 | 27 | ||
28 | /* | 28 | /* |
29 | * the request-key authorisation key type definition | 29 | * The request-key authorisation key type definition. |
30 | */ | 30 | */ |
31 | struct key_type key_type_request_key_auth = { | 31 | struct key_type key_type_request_key_auth = { |
32 | .name = ".request_key_auth", | 32 | .name = ".request_key_auth", |
@@ -39,7 +39,7 @@ struct key_type key_type_request_key_auth = { | |||
39 | }; | 39 | }; |
40 | 40 | ||
41 | /* | 41 | /* |
42 | * instantiate a request-key authorisation key | 42 | * Instantiate a request-key authorisation key. |
43 | */ | 43 | */ |
44 | static int request_key_auth_instantiate(struct key *key, | 44 | static int request_key_auth_instantiate(struct key *key, |
45 | const void *data, | 45 | const void *data, |
@@ -50,7 +50,7 @@ static int request_key_auth_instantiate(struct key *key, | |||
50 | } | 50 | } |
51 | 51 | ||
52 | /* | 52 | /* |
53 | * reading a request-key authorisation key retrieves the callout information | 53 | * Describe an authorisation token. |
54 | */ | 54 | */ |
55 | static void request_key_auth_describe(const struct key *key, | 55 | static void request_key_auth_describe(const struct key *key, |
56 | struct seq_file *m) | 56 | struct seq_file *m) |
@@ -63,7 +63,7 @@ static void request_key_auth_describe(const struct key *key, | |||
63 | } | 63 | } |
64 | 64 | ||
65 | /* | 65 | /* |
66 | * read the callout_info data | 66 | * Read the callout_info data (retrieves the callout information). |
67 | * - the key's semaphore is read-locked | 67 | * - the key's semaphore is read-locked |
68 | */ | 68 | */ |
69 | static long request_key_auth_read(const struct key *key, | 69 | static long request_key_auth_read(const struct key *key, |
@@ -89,8 +89,9 @@ static long request_key_auth_read(const struct key *key, | |||
89 | } | 89 | } |
90 | 90 | ||
91 | /* | 91 | /* |
92 | * handle revocation of an authorisation token key | 92 | * Handle revocation of an authorisation token key. |
93 | * - called with the key sem write-locked | 93 | * |
94 | * Called with the key sem write-locked. | ||
94 | */ | 95 | */ |
95 | static void request_key_auth_revoke(struct key *key) | 96 | static void request_key_auth_revoke(struct key *key) |
96 | { | 97 | { |
@@ -105,7 +106,7 @@ static void request_key_auth_revoke(struct key *key) | |||
105 | } | 106 | } |
106 | 107 | ||
107 | /* | 108 | /* |
108 | * destroy an instantiation authorisation token key | 109 | * Destroy an instantiation authorisation token key. |
109 | */ | 110 | */ |
110 | static void request_key_auth_destroy(struct key *key) | 111 | static void request_key_auth_destroy(struct key *key) |
111 | { | 112 | { |
@@ -125,8 +126,8 @@ static void request_key_auth_destroy(struct key *key) | |||
125 | } | 126 | } |
126 | 127 | ||
127 | /* | 128 | /* |
128 | * create an authorisation token for /sbin/request-key or whoever to gain | 129 | * Create an authorisation token for /sbin/request-key or whoever to gain |
129 | * access to the caller's security data | 130 | * access to the caller's security data. |
130 | */ | 131 | */ |
131 | struct key *request_key_auth_new(struct key *target, const void *callout_info, | 132 | struct key *request_key_auth_new(struct key *target, const void *callout_info, |
132 | size_t callout_len, struct key *dest_keyring) | 133 | size_t callout_len, struct key *dest_keyring) |
@@ -220,7 +221,7 @@ error_alloc: | |||
220 | } | 221 | } |
221 | 222 | ||
222 | /* | 223 | /* |
223 | * see if an authorisation key is associated with a particular key | 224 | * See if an authorisation key is associated with a particular key. |
224 | */ | 225 | */ |
225 | static int key_get_instantiation_authkey_match(const struct key *key, | 226 | static int key_get_instantiation_authkey_match(const struct key *key, |
226 | const void *_id) | 227 | const void *_id) |
@@ -232,11 +233,8 @@ static int key_get_instantiation_authkey_match(const struct key *key, | |||
232 | } | 233 | } |
233 | 234 | ||
234 | /* | 235 | /* |
235 | * get the authorisation key for instantiation of a specific key if attached to | 236 | * Search the current process's keyrings for the authorisation key for |
236 | * the current process's keyrings | 237 | * instantiation of a key. |
237 | * - this key is inserted into a keyring and that is set as /sbin/request-key's | ||
238 | * session keyring | ||
239 | * - a target_id of zero specifies any valid token | ||
240 | */ | 238 | */ |
241 | struct key *key_get_instantiation_authkey(key_serial_t target_id) | 239 | struct key *key_get_instantiation_authkey(key_serial_t target_id) |
242 | { | 240 | { |