5 files changed, 156 insertions, 0 deletions
diff --git a/security/keys/compat.c b/security/keys/compat.c
index c766c68a63bc..792c0a611a6d 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -82,6 +82,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
        case KEYCTL_GET_SECURITY:
                return keyctl_get_security(arg2, compat_ptr(arg3), arg4);
+        case KEYCTL_SESSION_TO_PARENT:
+                return keyctl_session_to_parent();
        default:
                return -EOPNOTSUPP;
        }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 44adc325e15c..1e616aef55fd 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -65,6 +65,7 @@ static void key_gc_timer_func(unsigned long data)
 * - return true if we altered the keyring
 */
 static bool key_gc_keyring(struct key *keyring, time_t limit)
+        __releases(key_serial_lock)
 {
        struct keyring_list *klist;
        struct key *key;
diff --git a/security/keys/internal.h b/security/keys/internal.h
index fb830514c337..24ba0307b7ad 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -201,6 +201,7 @@ extern long keyctl_set_timeout(key_serial_t, unsigned);
 extern long keyctl_assume_authority(key_serial_t);
 extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
                                size_t buflen);
+extern long keyctl_session_to_parent(void);
 /*
 * debugging key validation
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 736d7800f97f..74c968524592 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1228,6 +1228,105 @@ long keyctl_get_security(key_serial_t keyid,
        return ret;
 }
+/*
+ * attempt to install the calling process's session keyring on the process's
+ * parent process
+ * - the keyring must exist and must grant us LINK permission
+ * - implements keyctl(KEYCTL_SESSION_TO_PARENT)
+ */
+long keyctl_session_to_parent(void)
+{
+        struct task_struct *me, *parent;
+        const struct cred *mycred, *pcred;
+        struct cred *cred, *oldcred;
+        key_ref_t keyring_r;
+        int ret;
+        keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
+        if (IS_ERR(keyring_r))
+                return PTR_ERR(keyring_r);
+        /* our parent is going to need a new cred struct, a new tgcred struct
+         * and new security data, so we allocate them here to prevent ENOMEM in
+         * our parent */
+        ret = -ENOMEM;
+        cred = cred_alloc_blank();
+        if (!cred)
+                goto error_keyring;
+        cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
+        keyring_r = NULL;
+        me = current;
+        write_lock_irq(&tasklist_lock);
+        parent = me->real_parent;
+        ret = -EPERM;
+        /* the parent mustn't be init and mustn't be a kernel thread */
+        if (parent->pid <= 1 || !parent->mm)
+                goto not_permitted;
+        /* the parent must be single threaded */
+        if (atomic_read(&parent->signal->count) != 1)
+                goto not_permitted;
+        /* the parent and the child must have different session keyrings or
+         * there's no point */
+        mycred = current_cred();
+        pcred = __task_cred(parent);
+        if (mycred == pcred ||
+            mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
+                goto already_same;
+        /* the parent must have the same effective ownership and mustn't be
+         * SUID/SGID */
+        if (pcred-> uid != mycred->euid ||
+            pcred->euid != mycred->euid ||
+            pcred->suid != mycred->euid ||
+            pcred-> gid != mycred->egid ||
+            pcred->egid != mycred->egid ||
+            pcred->sgid != mycred->egid)
+                goto not_permitted;
+        /* the keyrings must have the same UID */
+        if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
+            mycred->tgcred->session_keyring->uid != mycred->euid)
+                goto not_permitted;
+        /* the LSM must permit the replacement of the parent's keyring with the
+         * keyring from this process */
+        ret = security_key_session_to_parent(mycred, pcred,
+                                             key_ref_to_ptr(keyring_r));
+        if (ret < 0)
+                goto not_permitted;
+        /* if there's an already pending keyring replacement, then we replace
+         * that */
+        oldcred = parent->replacement_session_keyring;
+        /* the replacement session keyring is applied just prior to userspace
+         * restarting */
+        parent->replacement_session_keyring = cred;
+        cred = NULL;
+        set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
+        write_unlock_irq(&tasklist_lock);
+        if (oldcred)
+                put_cred(oldcred);
+        return 0;
+already_same:
+        ret = 0;
+not_permitted:
+        put_cred(cred);
+        return ret;
+error_keyring:
+        key_ref_put(keyring_r);
+        return ret;
+}
 /*****************************************************************************/
 /*
 * the key control system call
@@ -1313,6 +1412,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
                                           (char __user *) arg3,
                                           (size_t) arg4);
+        case KEYCTL_SESSION_TO_PARENT:
+                return keyctl_session_to_parent();
        default:
                return -EOPNOTSUPP;
        }
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 4739cfbb41b7..5c23afb31ece 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -17,6 +17,7 @@
 #include <linux/fs.h>
 #include <linux/err.h>
 #include <linux/mutex.h>
+#include <linux/security.h>
 #include <linux/user_namespace.h>
 #include <asm/uaccess.h>
 #include "internal.h"
@@ -768,3 +769,51 @@ error:
        abort_creds(new);
        return ret;
 }
+/*
+ * Replace a process's session keyring when that process resumes userspace on
+ * behalf of one of its children
+ */
+void key_replace_session_keyring(void)
+{
+        const struct cred *old;
+        struct cred *new;
+        if (!current->replacement_session_keyring)
+                return;
+        write_lock_irq(&tasklist_lock);
+        new = current->replacement_session_keyring;
+        current->replacement_session_keyring = NULL;
+        write_unlock_irq(&tasklist_lock);
+        if (!new)
+                return;
+        old = current_cred();
+        new->  uid      = old->  uid;
+        new-> euid      = old-> euid;
+        new-> suid      = old-> suid;
+        new->fsuid      = old->fsuid;
+        new->  gid      = old->  gid;
+        new-> egid      = old-> egid;
+        new-> sgid      = old-> sgid;
+        new->fsgid      = old->fsgid;
+        new->user       = get_uid(old->user);
+        new->group_info = get_group_info(old->group_info);
+        new->securebits = old->securebits;
+        new->cap_inheritable    = old->cap_inheritable;
+        new->cap_permitted      = old->cap_permitted;
+        new->cap_effective      = old->cap_effective;
+        new->cap_bset           = old->cap_bset;
+        new->jit_keyring        = old->jit_keyring;
+        new->thread_keyring     = key_get(old->thread_keyring);
+        new->tgcred->tgid       = old->tgcred->tgid;
+        new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
+        security_transfer_creds(new, old);
+        commit_creds(new);
+}

diff --git a/security/keys/compat.c b/security/keys/compat.c index c766c68a63bc..792c0a611a6d 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c
@@ -82,6 +82,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
82	case KEYCTL_GET_SECURITY:	82	case KEYCTL_GET_SECURITY:
83	return keyctl_get_security(arg2, compat_ptr(arg3), arg4);	83	return keyctl_get_security(arg2, compat_ptr(arg3), arg4);
84		84
		85	case KEYCTL_SESSION_TO_PARENT:
		86	return keyctl_session_to_parent();
		87
85	default:	88	default:
86	return -EOPNOTSUPP;	89	return -EOPNOTSUPP;
87	}	90	}


diff --git a/security/keys/gc.c b/security/keys/gc.c index 44adc325e15c..1e616aef55fd 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c
@@ -65,6 +65,7 @@ static void key_gc_timer_func(unsigned long data)
65	* - return true if we altered the keyring	65	* - return true if we altered the keyring
66	*/	66	*/
67	static bool key_gc_keyring(struct key *keyring, time_t limit)	67	static bool key_gc_keyring(struct key *keyring, time_t limit)
		68	__releases(key_serial_lock)
68	{	69	{
69	struct keyring_list *klist;	70	struct keyring_list *klist;
70	struct key *key;	71	struct key *key;


diff --git a/security/keys/internal.h b/security/keys/internal.h index fb830514c337..24ba0307b7ad 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h
@@ -201,6 +201,7 @@ extern long keyctl_set_timeout(key_serial_t, unsigned);
201	extern long keyctl_assume_authority(key_serial_t);	201	extern long keyctl_assume_authority(key_serial_t);
202	extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,	202	extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
203	size_t buflen);	203	size_t buflen);
		204	extern long keyctl_session_to_parent(void);
204		205
205	/*	206	/*
206	* debugging key validation	207	* debugging key validation


diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 736d7800f97f..74c968524592 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c
@@ -1228,6 +1228,105 @@ long keyctl_get_security(key_serial_t keyid,
1228	return ret;	1228	return ret;
1229	}	1229	}
1230		1230
		1231	/*
		1232	* attempt to install the calling process's session keyring on the process's
		1233	* parent process
		1234	* - the keyring must exist and must grant us LINK permission
		1235	* - implements keyctl(KEYCTL_SESSION_TO_PARENT)
		1236	*/
		1237	long keyctl_session_to_parent(void)
		1238	{
		1239	struct task_struct me, parent;
		1240	const struct cred mycred, pcred;
		1241	struct cred cred, oldcred;
		1242	key_ref_t keyring_r;
		1243	int ret;
		1244
		1245	keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
		1246	if (IS_ERR(keyring_r))
		1247	return PTR_ERR(keyring_r);
		1248
		1249	/* our parent is going to need a new cred struct, a new tgcred struct
		1250	* and new security data, so we allocate them here to prevent ENOMEM in
		1251	* our parent */
		1252	ret = -ENOMEM;
		1253	cred = cred_alloc_blank();
		1254	if (!cred)
		1255	goto error_keyring;
		1256
		1257	cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
		1258	keyring_r = NULL;
		1259
		1260	me = current;
		1261	write_lock_irq(&tasklist_lock);
		1262
		1263	parent = me->real_parent;
		1264	ret = -EPERM;
		1265
		1266	/* the parent mustn't be init and mustn't be a kernel thread */
		1267	if (parent->pid <= 1 \|\| !parent->mm)
		1268	goto not_permitted;
		1269
		1270	/* the parent must be single threaded */
		1271	if (atomic_read(&parent->signal->count) != 1)
		1272	goto not_permitted;
		1273
		1274	/* the parent and the child must have different session keyrings or
		1275	* there's no point */
		1276	mycred = current_cred();
		1277	pcred = __task_cred(parent);
		1278	if (mycred == pcred \|\|
		1279	mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
		1280	goto already_same;
		1281
		1282	/* the parent must have the same effective ownership and mustn't be
		1283	* SUID/SGID */
		1284	if (pcred-> uid != mycred->euid \|\|
		1285	pcred->euid != mycred->euid \|\|
		1286	pcred->suid != mycred->euid \|\|
		1287	pcred-> gid != mycred->egid \|\|
		1288	pcred->egid != mycred->egid \|\|
		1289	pcred->sgid != mycred->egid)
		1290	goto not_permitted;
		1291
		1292	/* the keyrings must have the same UID */
		1293	if (pcred ->tgcred->session_keyring->uid != mycred->euid \|\|
		1294	mycred->tgcred->session_keyring->uid != mycred->euid)
		1295	goto not_permitted;
		1296
		1297	/* the LSM must permit the replacement of the parent's keyring with the
		1298	* keyring from this process */
		1299	ret = security_key_session_to_parent(mycred, pcred,
		1300	key_ref_to_ptr(keyring_r));
		1301	if (ret < 0)
		1302	goto not_permitted;
		1303
		1304	/* if there's an already pending keyring replacement, then we replace
		1305	* that */
		1306	oldcred = parent->replacement_session_keyring;
		1307
		1308	/* the replacement session keyring is applied just prior to userspace
		1309	* restarting */
		1310	parent->replacement_session_keyring = cred;
		1311	cred = NULL;
		1312	set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
		1313
		1314	write_unlock_irq(&tasklist_lock);
		1315	if (oldcred)
		1316	put_cred(oldcred);
		1317	return 0;
		1318
		1319	already_same:
		1320	ret = 0;
		1321	not_permitted:
		1322	put_cred(cred);
		1323	return ret;
		1324
		1325	error_keyring:
		1326	key_ref_put(keyring_r);
		1327	return ret;
		1328	}
		1329
1231	/*****************************************************************************/	1330	/*****************************************************************************/
1232	/*	1331	/*
1233	* the key control system call	1332	* the key control system call
@@ -1313,6 +1412,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1313	(char __user *) arg3,	1412	(char __user *) arg3,
1314	(size_t) arg4);	1413	(size_t) arg4);
1315		1414
		1415	case KEYCTL_SESSION_TO_PARENT:
		1416	return keyctl_session_to_parent();
		1417
1316	default:	1418	default:
1317	return -EOPNOTSUPP;	1419	return -EOPNOTSUPP;
1318	}	1420	}


diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 4739cfbb41b7..5c23afb31ece 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -17,6 +17,7 @@
17	#include <linux/fs.h>	17	#include <linux/fs.h>
18	#include <linux/err.h>	18	#include <linux/err.h>
19	#include <linux/mutex.h>	19	#include <linux/mutex.h>
		20	#include <linux/security.h>
20	#include <linux/user_namespace.h>	21	#include <linux/user_namespace.h>
21	#include <asm/uaccess.h>	22	#include <asm/uaccess.h>
22	#include "internal.h"	23	#include "internal.h"
@@ -768,3 +769,51 @@ error:
768	abort_creds(new);	769	abort_creds(new);
769	return ret;	770	return ret;
770	}	771	}
		772
		773	/*
		774	* Replace a process's session keyring when that process resumes userspace on
		775	* behalf of one of its children
		776	*/
		777	void key_replace_session_keyring(void)
		778	{
		779	const struct cred *old;
		780	struct cred *new;
		781
		782	if (!current->replacement_session_keyring)
		783	return;
		784
		785	write_lock_irq(&tasklist_lock);
		786	new = current->replacement_session_keyring;
		787	current->replacement_session_keyring = NULL;
		788	write_unlock_irq(&tasklist_lock);
		789
		790	if (!new)
		791	return;
		792
		793	old = current_cred();
		794	new-> uid = old-> uid;
		795	new-> euid = old-> euid;
		796	new-> suid = old-> suid;
		797	new->fsuid = old->fsuid;
		798	new-> gid = old-> gid;
		799	new-> egid = old-> egid;
		800	new-> sgid = old-> sgid;
		801	new->fsgid = old->fsgid;
		802	new->user = get_uid(old->user);
		803	new->group_info = get_group_info(old->group_info);
		804
		805	new->securebits = old->securebits;
		806	new->cap_inheritable = old->cap_inheritable;
		807	new->cap_permitted = old->cap_permitted;
		808	new->cap_effective = old->cap_effective;
		809	new->cap_bset = old->cap_bset;
		810
		811	new->jit_keyring = old->jit_keyring;
		812	new->thread_keyring = key_get(old->thread_keyring);
		813	new->tgcred->tgid = old->tgcred->tgid;
		814	new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
		815
		816	security_transfer_creds(new, old);
		817
		818	commit_creds(new);
		819	}