diff options
Diffstat (limited to 'security/keys/keyring.c')
-rw-r--r-- | security/keys/keyring.c | 231 |
1 files changed, 159 insertions, 72 deletions
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 0a2b8e916d97..92024ed12e0a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -26,13 +26,13 @@ | |||
26 | rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) | 26 | rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) |
27 | 27 | ||
28 | /* | 28 | /* |
29 | * when plumbing the depths of the key tree, this sets a hard limit set on how | 29 | * When plumbing the depths of the key tree, this sets a hard limit |
30 | * deep we're willing to go | 30 | * set on how deep we're willing to go. |
31 | */ | 31 | */ |
32 | #define KEYRING_SEARCH_MAX_DEPTH 6 | 32 | #define KEYRING_SEARCH_MAX_DEPTH 6 |
33 | 33 | ||
34 | /* | 34 | /* |
35 | * we keep all named keyrings in a hash to speed looking them up | 35 | * We keep all named keyrings in a hash to speed looking them up. |
36 | */ | 36 | */ |
37 | #define KEYRING_NAME_HASH_SIZE (1 << 5) | 37 | #define KEYRING_NAME_HASH_SIZE (1 << 5) |
38 | 38 | ||
@@ -50,7 +50,9 @@ static inline unsigned keyring_hash(const char *desc) | |||
50 | } | 50 | } |
51 | 51 | ||
52 | /* | 52 | /* |
53 | * the keyring type definition | 53 | * The keyring key type definition. Keyrings are simply keys of this type and |
54 | * can be treated as ordinary keys in addition to having their own special | ||
55 | * operations. | ||
54 | */ | 56 | */ |
55 | static int keyring_instantiate(struct key *keyring, | 57 | static int keyring_instantiate(struct key *keyring, |
56 | const void *data, size_t datalen); | 58 | const void *data, size_t datalen); |
@@ -71,18 +73,17 @@ struct key_type key_type_keyring = { | |||
71 | .describe = keyring_describe, | 73 | .describe = keyring_describe, |
72 | .read = keyring_read, | 74 | .read = keyring_read, |
73 | }; | 75 | }; |
74 | |||
75 | EXPORT_SYMBOL(key_type_keyring); | 76 | EXPORT_SYMBOL(key_type_keyring); |
76 | 77 | ||
77 | /* | 78 | /* |
78 | * semaphore to serialise link/link calls to prevent two link calls in parallel | 79 | * Semaphore to serialise link/link calls to prevent two link calls in parallel |
79 | * introducing a cycle | 80 | * introducing a cycle. |
80 | */ | 81 | */ |
81 | static DECLARE_RWSEM(keyring_serialise_link_sem); | 82 | static DECLARE_RWSEM(keyring_serialise_link_sem); |
82 | 83 | ||
83 | /* | 84 | /* |
84 | * publish the name of a keyring so that it can be found by name (if it has | 85 | * Publish the name of a keyring so that it can be found by name (if it has |
85 | * one) | 86 | * one). |
86 | */ | 87 | */ |
87 | static void keyring_publish_name(struct key *keyring) | 88 | static void keyring_publish_name(struct key *keyring) |
88 | { | 89 | { |
@@ -104,8 +105,9 @@ static void keyring_publish_name(struct key *keyring) | |||
104 | } | 105 | } |
105 | 106 | ||
106 | /* | 107 | /* |
107 | * initialise a keyring | 108 | * Initialise a keyring. |
108 | * - we object if we were given any data | 109 | * |
110 | * Returns 0 on success, -EINVAL if given any data. | ||
109 | */ | 111 | */ |
110 | static int keyring_instantiate(struct key *keyring, | 112 | static int keyring_instantiate(struct key *keyring, |
111 | const void *data, size_t datalen) | 113 | const void *data, size_t datalen) |
@@ -123,7 +125,7 @@ static int keyring_instantiate(struct key *keyring, | |||
123 | } | 125 | } |
124 | 126 | ||
125 | /* | 127 | /* |
126 | * match keyrings on their name | 128 | * Match keyrings on their name |
127 | */ | 129 | */ |
128 | static int keyring_match(const struct key *keyring, const void *description) | 130 | static int keyring_match(const struct key *keyring, const void *description) |
129 | { | 131 | { |
@@ -132,7 +134,8 @@ static int keyring_match(const struct key *keyring, const void *description) | |||
132 | } | 134 | } |
133 | 135 | ||
134 | /* | 136 | /* |
135 | * dispose of the data dangling from the corpse of a keyring | 137 | * Clean up a keyring when it is destroyed. Unpublish its name if it had one |
138 | * and dispose of its data. | ||
136 | */ | 139 | */ |
137 | static void keyring_destroy(struct key *keyring) | 140 | static void keyring_destroy(struct key *keyring) |
138 | { | 141 | { |
@@ -160,7 +163,7 @@ static void keyring_destroy(struct key *keyring) | |||
160 | } | 163 | } |
161 | 164 | ||
162 | /* | 165 | /* |
163 | * describe the keyring | 166 | * Describe a keyring for /proc. |
164 | */ | 167 | */ |
165 | static void keyring_describe(const struct key *keyring, struct seq_file *m) | 168 | static void keyring_describe(const struct key *keyring, struct seq_file *m) |
166 | { | 169 | { |
@@ -181,8 +184,9 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m) | |||
181 | } | 184 | } |
182 | 185 | ||
183 | /* | 186 | /* |
184 | * read a list of key IDs from the keyring's contents | 187 | * Read a list of key IDs from the keyring's contents in binary form |
185 | * - the keyring's semaphore is read-locked | 188 | * |
189 | * The keyring's semaphore is read-locked by the caller. | ||
186 | */ | 190 | */ |
187 | static long keyring_read(const struct key *keyring, | 191 | static long keyring_read(const struct key *keyring, |
188 | char __user *buffer, size_t buflen) | 192 | char __user *buffer, size_t buflen) |
@@ -233,7 +237,7 @@ error: | |||
233 | } | 237 | } |
234 | 238 | ||
235 | /* | 239 | /* |
236 | * allocate a keyring and link into the destination keyring | 240 | * Allocate a keyring and link into the destination keyring. |
237 | */ | 241 | */ |
238 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | 242 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, |
239 | const struct cred *cred, unsigned long flags, | 243 | const struct cred *cred, unsigned long flags, |
@@ -258,16 +262,40 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | |||
258 | return keyring; | 262 | return keyring; |
259 | } | 263 | } |
260 | 264 | ||
261 | /* | 265 | /** |
262 | * search the supplied keyring tree for a key that matches the criterion | 266 | * keyring_search_aux - Search a keyring tree for a key matching some criteria |
263 | * - perform a breadth-then-depth search up to the prescribed limit | 267 | * @keyring_ref: A pointer to the keyring with possession indicator. |
264 | * - we only find keys on which we have search permission | 268 | * @cred: The credentials to use for permissions checks. |
265 | * - we use the supplied match function to see if the description (or other | 269 | * @type: The type of key to search for. |
266 | * feature of interest) matches | 270 | * @description: Parameter for @match. |
267 | * - we rely on RCU to prevent the keyring lists from disappearing on us | 271 | * @match: Function to rule on whether or not a key is the one required. |
268 | * - we return -EAGAIN if we didn't find any matching key | 272 | * |
269 | * - we return -ENOKEY if we only found negative matching keys | 273 | * Search the supplied keyring tree for a key that matches the criteria given. |
270 | * - we propagate the possession attribute from the keyring ref to the key ref | 274 | * The root keyring and any linked keyrings must grant Search permission to the |
275 | * caller to be searchable and keys can only be found if they too grant Search | ||
276 | * to the caller. The possession flag on the root keyring pointer controls use | ||
277 | * of the possessor bits in permissions checking of the entire tree. In | ||
278 | * addition, the LSM gets to forbid keyring searches and key matches. | ||
279 | * | ||
280 | * The search is performed as a breadth-then-depth search up to the prescribed | ||
281 | * limit (KEYRING_SEARCH_MAX_DEPTH). | ||
282 | * | ||
283 | * Keys are matched to the type provided and are then filtered by the match | ||
284 | * function, which is given the description to use in any way it sees fit. The | ||
285 | * match function may use any attributes of a key that it wishes to to | ||
286 | * determine the match. Normally the match function from the key type would be | ||
287 | * used. | ||
288 | * | ||
289 | * RCU is used to prevent the keyring key lists from disappearing without the | ||
290 | * need to take lots of locks. | ||
291 | * | ||
292 | * Returns a pointer to the found key and increments the key usage count if | ||
293 | * successful; -EAGAIN if no matching keys were found, or if expired or revoked | ||
294 | * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the | ||
295 | * specified keyring wasn't a keyring. | ||
296 | * | ||
297 | * In the case of a successful return, the possession attribute from | ||
298 | * @keyring_ref is propagated to the returned key reference. | ||
271 | */ | 299 | */ |
272 | key_ref_t keyring_search_aux(key_ref_t keyring_ref, | 300 | key_ref_t keyring_search_aux(key_ref_t keyring_ref, |
273 | const struct cred *cred, | 301 | const struct cred *cred, |
@@ -431,13 +459,14 @@ error: | |||
431 | return key_ref; | 459 | return key_ref; |
432 | } | 460 | } |
433 | 461 | ||
434 | /* | 462 | /** |
435 | * search the supplied keyring tree for a key that matches the criterion | 463 | * keyring_search - Search the supplied keyring tree for a matching key |
436 | * - perform a breadth-then-depth search up to the prescribed limit | 464 | * @keyring: The root of the keyring tree to be searched. |
437 | * - we only find keys on which we have search permission | 465 | * @type: The type of keyring we want to find. |
438 | * - we readlock the keyrings as we search down the tree | 466 | * @description: The name of the keyring we want to find. |
439 | * - we return -EAGAIN if we didn't find any matching key | 467 | * |
440 | * - we return -ENOKEY if we only found negative matching keys | 468 | * As keyring_search_aux() above, but using the current task's credentials and |
469 | * type's default matching function. | ||
441 | */ | 470 | */ |
442 | key_ref_t keyring_search(key_ref_t keyring, | 471 | key_ref_t keyring_search(key_ref_t keyring, |
443 | struct key_type *type, | 472 | struct key_type *type, |
@@ -449,13 +478,22 @@ key_ref_t keyring_search(key_ref_t keyring, | |||
449 | return keyring_search_aux(keyring, current->cred, | 478 | return keyring_search_aux(keyring, current->cred, |
450 | type, description, type->match); | 479 | type, description, type->match); |
451 | } | 480 | } |
452 | |||
453 | EXPORT_SYMBOL(keyring_search); | 481 | EXPORT_SYMBOL(keyring_search); |
454 | 482 | ||
455 | /* | 483 | /* |
456 | * search the given keyring only (no recursion) | 484 | * Search the given keyring only (no recursion). |
457 | * - keyring must be locked by caller | 485 | * |
458 | * - caller must guarantee that the keyring is a keyring | 486 | * The caller must guarantee that the keyring is a keyring and that the |
487 | * permission is granted to search the keyring as no check is made here. | ||
488 | * | ||
489 | * RCU is used to make it unnecessary to lock the keyring key list here. | ||
490 | * | ||
491 | * Returns a pointer to the found key with usage count incremented if | ||
492 | * successful and returns -ENOKEY if not found. Revoked keys and keys not | ||
493 | * providing the requested permission are skipped over. | ||
494 | * | ||
495 | * If successful, the possession indicator is propagated from the keyring ref | ||
496 | * to the returned key reference. | ||
459 | */ | 497 | */ |
460 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, | 498 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, |
461 | const struct key_type *ktype, | 499 | const struct key_type *ktype, |
@@ -498,9 +536,15 @@ found: | |||
498 | } | 536 | } |
499 | 537 | ||
500 | /* | 538 | /* |
501 | * find a keyring with the specified name | 539 | * Find a keyring with the specified name. |
502 | * - all named keyrings are searched | 540 | * |
503 | * - normally only finds keyrings with search permission for the current process | 541 | * All named keyrings in the current user namespace are searched, provided they |
542 | * grant Search permission directly to the caller (unless this check is | ||
543 | * skipped). Keyrings whose usage points have reached zero or who have been | ||
544 | * revoked are skipped. | ||
545 | * | ||
546 | * Returns a pointer to the keyring with the keyring's refcount having being | ||
547 | * incremented on success. -ENOKEY is returned if a key could not be found. | ||
504 | */ | 548 | */ |
505 | struct key *find_keyring_by_name(const char *name, bool skip_perm_check) | 549 | struct key *find_keyring_by_name(const char *name, bool skip_perm_check) |
506 | { | 550 | { |
@@ -551,10 +595,11 @@ out: | |||
551 | } | 595 | } |
552 | 596 | ||
553 | /* | 597 | /* |
554 | * see if a cycle will will be created by inserting acyclic tree B in acyclic | 598 | * See if a cycle will will be created by inserting acyclic tree B in acyclic |
555 | * tree A at the topmost level (ie: as a direct child of A) | 599 | * tree A at the topmost level (ie: as a direct child of A). |
556 | * - since we are adding B to A at the top level, checking for cycles should | 600 | * |
557 | * just be a matter of seeing if node A is somewhere in tree B | 601 | * Since we are adding B to A at the top level, checking for cycles should just |
602 | * be a matter of seeing if node A is somewhere in tree B. | ||
558 | */ | 603 | */ |
559 | static int keyring_detect_cycle(struct key *A, struct key *B) | 604 | static int keyring_detect_cycle(struct key *A, struct key *B) |
560 | { | 605 | { |
@@ -637,7 +682,7 @@ cycle_detected: | |||
637 | } | 682 | } |
638 | 683 | ||
639 | /* | 684 | /* |
640 | * dispose of a keyring list after the RCU grace period, freeing the unlinked | 685 | * Dispose of a keyring list after the RCU grace period, freeing the unlinked |
641 | * key | 686 | * key |
642 | */ | 687 | */ |
643 | static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) | 688 | static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) |
@@ -651,7 +696,7 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) | |||
651 | } | 696 | } |
652 | 697 | ||
653 | /* | 698 | /* |
654 | * preallocate memory so that a key can be linked into to a keyring | 699 | * Preallocate memory so that a key can be linked into to a keyring. |
655 | */ | 700 | */ |
656 | int __key_link_begin(struct key *keyring, const struct key_type *type, | 701 | int __key_link_begin(struct key *keyring, const struct key_type *type, |
657 | const char *description, | 702 | const char *description, |
@@ -768,10 +813,10 @@ error_krsem: | |||
768 | } | 813 | } |
769 | 814 | ||
770 | /* | 815 | /* |
771 | * check already instantiated keys aren't going to be a problem | 816 | * Check already instantiated keys aren't going to be a problem. |
772 | * - the caller must have called __key_link_begin() | 817 | * |
773 | * - don't need to call this for keys that were created since __key_link_begin() | 818 | * The caller must have called __key_link_begin(). Don't need to call this for |
774 | * was called | 819 | * keys that were created since __key_link_begin() was called. |
775 | */ | 820 | */ |
776 | int __key_link_check_live_key(struct key *keyring, struct key *key) | 821 | int __key_link_check_live_key(struct key *keyring, struct key *key) |
777 | { | 822 | { |
@@ -783,9 +828,12 @@ int __key_link_check_live_key(struct key *keyring, struct key *key) | |||
783 | } | 828 | } |
784 | 829 | ||
785 | /* | 830 | /* |
786 | * link a key into to a keyring | 831 | * Link a key into to a keyring. |
787 | * - must be called with __key_link_begin() having being called | 832 | * |
788 | * - discard already extant link to matching key if there is one | 833 | * Must be called with __key_link_begin() having being called. Discards any |
834 | * already extant link to matching key if there is one, so that each keyring | ||
835 | * holds at most one link to any given key of a particular type+description | ||
836 | * combination. | ||
789 | */ | 837 | */ |
790 | void __key_link(struct key *keyring, struct key *key, | 838 | void __key_link(struct key *keyring, struct key *key, |
791 | struct keyring_list **_prealloc) | 839 | struct keyring_list **_prealloc) |
@@ -828,8 +876,9 @@ void __key_link(struct key *keyring, struct key *key, | |||
828 | } | 876 | } |
829 | 877 | ||
830 | /* | 878 | /* |
831 | * finish linking a key into to a keyring | 879 | * Finish linking a key into to a keyring. |
832 | * - must be called with __key_link_begin() having being called | 880 | * |
881 | * Must be called with __key_link_begin() having being called. | ||
833 | */ | 882 | */ |
834 | void __key_link_end(struct key *keyring, struct key_type *type, | 883 | void __key_link_end(struct key *keyring, struct key_type *type, |
835 | struct keyring_list *prealloc) | 884 | struct keyring_list *prealloc) |
@@ -850,8 +899,25 @@ void __key_link_end(struct key *keyring, struct key_type *type, | |||
850 | up_write(&keyring->sem); | 899 | up_write(&keyring->sem); |
851 | } | 900 | } |
852 | 901 | ||
853 | /* | 902 | /** |
854 | * link a key to a keyring | 903 | * key_link - Link a key to a keyring |
904 | * @keyring: The keyring to make the link in. | ||
905 | * @key: The key to link to. | ||
906 | * | ||
907 | * Make a link in a keyring to a key, such that the keyring holds a reference | ||
908 | * on that key and the key can potentially be found by searching that keyring. | ||
909 | * | ||
910 | * This function will write-lock the keyring's semaphore and will consume some | ||
911 | * of the user's key data quota to hold the link. | ||
912 | * | ||
913 | * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, | ||
914 | * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is | ||
915 | * full, -EDQUOT if there is insufficient key data quota remaining to add | ||
916 | * another link or -ENOMEM if there's insufficient memory. | ||
917 | * | ||
918 | * It is assumed that the caller has checked that it is permitted for a link to | ||
919 | * be made (the keyring should have Write permission and the key Link | ||
920 | * permission). | ||
855 | */ | 921 | */ |
856 | int key_link(struct key *keyring, struct key *key) | 922 | int key_link(struct key *keyring, struct key *key) |
857 | { | 923 | { |
@@ -871,11 +937,24 @@ int key_link(struct key *keyring, struct key *key) | |||
871 | 937 | ||
872 | return ret; | 938 | return ret; |
873 | } | 939 | } |
874 | |||
875 | EXPORT_SYMBOL(key_link); | 940 | EXPORT_SYMBOL(key_link); |
876 | 941 | ||
877 | /* | 942 | /** |
878 | * unlink the first link to a key from a keyring | 943 | * key_unlink - Unlink the first link to a key from a keyring. |
944 | * @keyring: The keyring to remove the link from. | ||
945 | * @key: The key the link is to. | ||
946 | * | ||
947 | * Remove a link from a keyring to a key. | ||
948 | * | ||
949 | * This function will write-lock the keyring's semaphore. | ||
950 | * | ||
951 | * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if | ||
952 | * the key isn't linked to by the keyring or -ENOMEM if there's insufficient | ||
953 | * memory. | ||
954 | * | ||
955 | * It is assumed that the caller has checked that it is permitted for a link to | ||
956 | * be removed (the keyring should have Write permission; no permissions are | ||
957 | * required on the key). | ||
879 | */ | 958 | */ |
880 | int key_unlink(struct key *keyring, struct key *key) | 959 | int key_unlink(struct key *keyring, struct key *key) |
881 | { | 960 | { |
@@ -944,12 +1023,11 @@ nomem: | |||
944 | up_write(&keyring->sem); | 1023 | up_write(&keyring->sem); |
945 | goto error; | 1024 | goto error; |
946 | } | 1025 | } |
947 | |||
948 | EXPORT_SYMBOL(key_unlink); | 1026 | EXPORT_SYMBOL(key_unlink); |
949 | 1027 | ||
950 | /* | 1028 | /* |
951 | * dispose of a keyring list after the RCU grace period, releasing the keys it | 1029 | * Dispose of a keyring list after the RCU grace period, releasing the keys it |
952 | * links to | 1030 | * links to. |
953 | */ | 1031 | */ |
954 | static void keyring_clear_rcu_disposal(struct rcu_head *rcu) | 1032 | static void keyring_clear_rcu_disposal(struct rcu_head *rcu) |
955 | { | 1033 | { |
@@ -964,9 +1042,13 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu) | |||
964 | kfree(klist); | 1042 | kfree(klist); |
965 | } | 1043 | } |
966 | 1044 | ||
967 | /* | 1045 | /** |
968 | * clear the specified process keyring | 1046 | * keyring_clear - Clear a keyring |
969 | * - implements keyctl(KEYCTL_CLEAR) | 1047 | * @keyring: The keyring to clear. |
1048 | * | ||
1049 | * Clear the contents of the specified keyring. | ||
1050 | * | ||
1051 | * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. | ||
970 | */ | 1052 | */ |
971 | int keyring_clear(struct key *keyring) | 1053 | int keyring_clear(struct key *keyring) |
972 | { | 1054 | { |
@@ -999,12 +1081,12 @@ int keyring_clear(struct key *keyring) | |||
999 | 1081 | ||
1000 | return ret; | 1082 | return ret; |
1001 | } | 1083 | } |
1002 | |||
1003 | EXPORT_SYMBOL(keyring_clear); | 1084 | EXPORT_SYMBOL(keyring_clear); |
1004 | 1085 | ||
1005 | /* | 1086 | /* |
1006 | * dispose of the links from a revoked keyring | 1087 | * Dispose of the links from a revoked keyring. |
1007 | * - called with the key sem write-locked | 1088 | * |
1089 | * This is called with the key sem write-locked. | ||
1008 | */ | 1090 | */ |
1009 | static void keyring_revoke(struct key *keyring) | 1091 | static void keyring_revoke(struct key *keyring) |
1010 | { | 1092 | { |
@@ -1022,7 +1104,7 @@ static void keyring_revoke(struct key *keyring) | |||
1022 | } | 1104 | } |
1023 | 1105 | ||
1024 | /* | 1106 | /* |
1025 | * Determine whether a key is dead | 1107 | * Determine whether a key is dead. |
1026 | */ | 1108 | */ |
1027 | static bool key_is_dead(struct key *key, time_t limit) | 1109 | static bool key_is_dead(struct key *key, time_t limit) |
1028 | { | 1110 | { |
@@ -1031,7 +1113,12 @@ static bool key_is_dead(struct key *key, time_t limit) | |||
1031 | } | 1113 | } |
1032 | 1114 | ||
1033 | /* | 1115 | /* |
1034 | * Collect garbage from the contents of a keyring | 1116 | * Collect garbage from the contents of a keyring, replacing the old list with |
1117 | * a new one with the pointers all shuffled down. | ||
1118 | * | ||
1119 | * Dead keys are classed as oned that are flagged as being dead or are revoked, | ||
1120 | * expired or negative keys that were revoked or expired before the specified | ||
1121 | * limit. | ||
1035 | */ | 1122 | */ |
1036 | void keyring_gc(struct key *keyring, time_t limit) | 1123 | void keyring_gc(struct key *keyring, time_t limit) |
1037 | { | 1124 | { |