aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/keys/internal.h26
-rw-r--r--security/keys/key.c81
-rw-r--r--security/keys/keyctl.c301
-rw-r--r--security/keys/keyring.c86
-rw-r--r--security/keys/proc.c2
-rw-r--r--security/keys/process_keys.c164
-rw-r--r--security/keys/request_key.c36
-rw-r--r--security/keys/request_key_auth.c2
8 files changed, 391 insertions, 307 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 46c8602661c9..db99ed434f3a 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -71,26 +71,26 @@ extern void keyring_publish_name(struct key *keyring);
71 71
72extern int __key_link(struct key *keyring, struct key *key); 72extern int __key_link(struct key *keyring, struct key *key);
73 73
74extern struct key *__keyring_search_one(struct key *keyring, 74extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
75 const struct key_type *type, 75 const struct key_type *type,
76 const char *description, 76 const char *description,
77 key_perm_t perm); 77 key_perm_t perm);
78 78
79extern struct key *keyring_search_instkey(struct key *keyring, 79extern struct key *keyring_search_instkey(struct key *keyring,
80 key_serial_t target_id); 80 key_serial_t target_id);
81 81
82typedef int (*key_match_func_t)(const struct key *, const void *); 82typedef int (*key_match_func_t)(const struct key *, const void *);
83 83
84extern struct key *keyring_search_aux(struct key *keyring, 84extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
85 struct task_struct *tsk, 85 struct task_struct *tsk,
86 struct key_type *type, 86 struct key_type *type,
87 const void *description, 87 const void *description,
88 key_match_func_t match); 88 key_match_func_t match);
89 89
90extern struct key *search_process_keyrings(struct key_type *type, 90extern key_ref_t search_process_keyrings(struct key_type *type,
91 const void *description, 91 const void *description,
92 key_match_func_t match, 92 key_match_func_t match,
93 struct task_struct *tsk); 93 struct task_struct *tsk);
94 94
95extern struct key *find_keyring_by_name(const char *name, key_serial_t bound); 95extern struct key *find_keyring_by_name(const char *name, key_serial_t bound);
96 96
diff --git a/security/keys/key.c b/security/keys/key.c
index fb89f9844465..2182be9e9309 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -693,14 +693,15 @@ void key_type_put(struct key_type *ktype)
693 * - the key has an incremented refcount 693 * - the key has an incremented refcount
694 * - we need to put the key if we get an error 694 * - we need to put the key if we get an error
695 */ 695 */
696static inline struct key *__key_update(struct key *key, const void *payload, 696static inline key_ref_t __key_update(key_ref_t key_ref,
697 size_t plen) 697 const void *payload, size_t plen)
698{ 698{
699 struct key *key = key_ref_to_ptr(key_ref);
699 int ret; 700 int ret;
700 701
701 /* need write permission on the key to update it */ 702 /* need write permission on the key to update it */
702 ret = -EACCES; 703 ret = -EACCES;
703 if (!key_permission(key, KEY_WRITE)) 704 if (!key_permission(key_ref, KEY_WRITE))
704 goto error; 705 goto error;
705 706
706 ret = -EEXIST; 707 ret = -EEXIST;
@@ -719,12 +720,12 @@ static inline struct key *__key_update(struct key *key, const void *payload,
719 720
720 if (ret < 0) 721 if (ret < 0)
721 goto error; 722 goto error;
722 out: 723out:
723 return key; 724 return key_ref;
724 725
725 error: 726error:
726 key_put(key); 727 key_put(key);
727 key = ERR_PTR(ret); 728 key_ref = ERR_PTR(ret);
728 goto out; 729 goto out;
729 730
730} /* end __key_update() */ 731} /* end __key_update() */
@@ -734,52 +735,56 @@ static inline struct key *__key_update(struct key *key, const void *payload,
734 * search the specified keyring for a key of the same description; if one is 735 * search the specified keyring for a key of the same description; if one is
735 * found, update it, otherwise add a new one 736 * found, update it, otherwise add a new one
736 */ 737 */
737struct key *key_create_or_update(struct key *keyring, 738key_ref_t key_create_or_update(key_ref_t keyring_ref,
738 const char *type, 739 const char *type,
739 const char *description, 740 const char *description,
740 const void *payload, 741 const void *payload,
741 size_t plen, 742 size_t plen,
742 int not_in_quota) 743 int not_in_quota)
743{ 744{
744 struct key_type *ktype; 745 struct key_type *ktype;
745 struct key *key = NULL; 746 struct key *keyring, *key = NULL;
746 key_perm_t perm; 747 key_perm_t perm;
748 key_ref_t key_ref;
747 int ret; 749 int ret;
748 750
749 key_check(keyring);
750
751 /* look up the key type to see if it's one of the registered kernel 751 /* look up the key type to see if it's one of the registered kernel
752 * types */ 752 * types */
753 ktype = key_type_lookup(type); 753 ktype = key_type_lookup(type);
754 if (IS_ERR(ktype)) { 754 if (IS_ERR(ktype)) {
755 key = ERR_PTR(-ENODEV); 755 key_ref = ERR_PTR(-ENODEV);
756 goto error; 756 goto error;
757 } 757 }
758 758
759 ret = -EINVAL; 759 key_ref = ERR_PTR(-EINVAL);
760 if (!ktype->match || !ktype->instantiate) 760 if (!ktype->match || !ktype->instantiate)
761 goto error_2; 761 goto error_2;
762 762
763 keyring = key_ref_to_ptr(keyring_ref);
764
765 key_check(keyring);
766
767 down_write(&keyring->sem);
768
769 /* if we're going to allocate a new key, we're going to have
770 * to modify the keyring */
771 key_ref = ERR_PTR(-EACCES);
772 if (!key_permission(keyring_ref, KEY_WRITE))
773 goto error_3;
774
763 /* search for an existing key of the same type and description in the 775 /* search for an existing key of the same type and description in the
764 * destination keyring 776 * destination keyring
765 */ 777 */
766 down_write(&keyring->sem); 778 key_ref = __keyring_search_one(keyring_ref, ktype, description, 0);
767 779 if (!IS_ERR(key_ref))
768 key = __keyring_search_one(keyring, ktype, description, 0);
769 if (!IS_ERR(key))
770 goto found_matching_key; 780 goto found_matching_key;
771 781
772 /* if we're going to allocate a new key, we're going to have to modify
773 * the keyring */
774 ret = -EACCES;
775 if (!key_permission(keyring, KEY_WRITE))
776 goto error_3;
777
778 /* decide on the permissions we want */ 782 /* decide on the permissions we want */
779 perm = KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK; 783 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK;
784 perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK;
780 785
781 if (ktype->read) 786 if (ktype->read)
782 perm |= KEY_USR_READ; 787 perm |= KEY_POS_READ | KEY_USR_READ;
783 788
784 if (ktype == &key_type_keyring || ktype->update) 789 if (ktype == &key_type_keyring || ktype->update)
785 perm |= KEY_USR_WRITE; 790 perm |= KEY_USR_WRITE;
@@ -788,7 +793,7 @@ struct key *key_create_or_update(struct key *keyring,
788 key = key_alloc(ktype, description, current->fsuid, current->fsgid, 793 key = key_alloc(ktype, description, current->fsuid, current->fsgid,
789 perm, not_in_quota); 794 perm, not_in_quota);
790 if (IS_ERR(key)) { 795 if (IS_ERR(key)) {
791 ret = PTR_ERR(key); 796 key_ref = ERR_PTR(PTR_ERR(key));
792 goto error_3; 797 goto error_3;
793 } 798 }
794 799
@@ -796,15 +801,18 @@ struct key *key_create_or_update(struct key *keyring,
796 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL); 801 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
797 if (ret < 0) { 802 if (ret < 0) {
798 key_put(key); 803 key_put(key);
799 key = ERR_PTR(ret); 804 key_ref = ERR_PTR(ret);
805 goto error_3;
800 } 806 }
801 807
808 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
809
802 error_3: 810 error_3:
803 up_write(&keyring->sem); 811 up_write(&keyring->sem);
804 error_2: 812 error_2:
805 key_type_put(ktype); 813 key_type_put(ktype);
806 error: 814 error:
807 return key; 815 return key_ref;
808 816
809 found_matching_key: 817 found_matching_key:
810 /* we found a matching key, so we're going to try to update it 818 /* we found a matching key, so we're going to try to update it
@@ -813,7 +821,7 @@ struct key *key_create_or_update(struct key *keyring,
813 up_write(&keyring->sem); 821 up_write(&keyring->sem);
814 key_type_put(ktype); 822 key_type_put(ktype);
815 823
816 key = __key_update(key, payload, plen); 824 key_ref = __key_update(key_ref, payload, plen);
817 goto error; 825 goto error;
818 826
819} /* end key_create_or_update() */ 827} /* end key_create_or_update() */
@@ -824,15 +832,16 @@ EXPORT_SYMBOL(key_create_or_update);
824/* 832/*
825 * update a key 833 * update a key
826 */ 834 */
827int key_update(struct key *key, const void *payload, size_t plen) 835int key_update(key_ref_t key_ref, const void *payload, size_t plen)
828{ 836{
837 struct key *key = key_ref_to_ptr(key_ref);
829 int ret; 838 int ret;
830 839
831 key_check(key); 840 key_check(key);
832 841
833 /* the key must be writable */ 842 /* the key must be writable */
834 ret = -EACCES; 843 ret = -EACCES;
835 if (!key_permission(key, KEY_WRITE)) 844 if (!key_permission(key_ref, KEY_WRITE))
836 goto error; 845 goto error;
837 846
838 /* attempt to update it if supported */ 847 /* attempt to update it if supported */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index a6516a64b297..4c670ee6acf9 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -34,7 +34,7 @@ asmlinkage long sys_add_key(const char __user *_type,
34 size_t plen, 34 size_t plen,
35 key_serial_t ringid) 35 key_serial_t ringid)
36{ 36{
37 struct key *keyring, *key; 37 key_ref_t keyring_ref, key_ref;
38 char type[32], *description; 38 char type[32], *description;
39 void *payload; 39 void *payload;
40 long dlen, ret; 40 long dlen, ret;
@@ -86,25 +86,25 @@ asmlinkage long sys_add_key(const char __user *_type,
86 } 86 }
87 87
88 /* find the target keyring (which must be writable) */ 88 /* find the target keyring (which must be writable) */
89 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 89 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
90 if (IS_ERR(keyring)) { 90 if (IS_ERR(keyring_ref)) {
91 ret = PTR_ERR(keyring); 91 ret = PTR_ERR(keyring_ref);
92 goto error3; 92 goto error3;
93 } 93 }
94 94
95 /* create or update the requested key and add it to the target 95 /* create or update the requested key and add it to the target
96 * keyring */ 96 * keyring */
97 key = key_create_or_update(keyring, type, description, 97 key_ref = key_create_or_update(keyring_ref, type, description,
98 payload, plen, 0); 98 payload, plen, 0);
99 if (!IS_ERR(key)) { 99 if (!IS_ERR(key_ref)) {
100 ret = key->serial; 100 ret = key_ref_to_ptr(key_ref)->serial;
101 key_put(key); 101 key_ref_put(key_ref);
102 } 102 }
103 else { 103 else {
104 ret = PTR_ERR(key); 104 ret = PTR_ERR(key_ref);
105 } 105 }
106 106
107 key_put(keyring); 107 key_ref_put(keyring_ref);
108 error3: 108 error3:
109 kfree(payload); 109 kfree(payload);
110 error2: 110 error2:
@@ -131,7 +131,8 @@ asmlinkage long sys_request_key(const char __user *_type,
131 key_serial_t destringid) 131 key_serial_t destringid)
132{ 132{
133 struct key_type *ktype; 133 struct key_type *ktype;
134 struct key *key, *dest; 134 struct key *key;
135 key_ref_t dest_ref;
135 char type[32], *description, *callout_info; 136 char type[32], *description, *callout_info;
136 long dlen, ret; 137 long dlen, ret;
137 138
@@ -187,11 +188,11 @@ asmlinkage long sys_request_key(const char __user *_type,
187 } 188 }
188 189
189 /* get the destination keyring if specified */ 190 /* get the destination keyring if specified */
190 dest = NULL; 191 dest_ref = NULL;
191 if (destringid) { 192 if (destringid) {
192 dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 193 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
193 if (IS_ERR(dest)) { 194 if (IS_ERR(dest_ref)) {
194 ret = PTR_ERR(dest); 195 ret = PTR_ERR(dest_ref);
195 goto error3; 196 goto error3;
196 } 197 }
197 } 198 }
@@ -204,7 +205,8 @@ asmlinkage long sys_request_key(const char __user *_type,
204 } 205 }
205 206
206 /* do the search */ 207 /* do the search */
207 key = request_key_and_link(ktype, description, callout_info, dest); 208 key = request_key_and_link(ktype, description, callout_info,
209 key_ref_to_ptr(dest_ref));
208 if (IS_ERR(key)) { 210 if (IS_ERR(key)) {
209 ret = PTR_ERR(key); 211 ret = PTR_ERR(key);
210 goto error5; 212 goto error5;
@@ -216,7 +218,7 @@ asmlinkage long sys_request_key(const char __user *_type,
216 error5: 218 error5:
217 key_type_put(ktype); 219 key_type_put(ktype);
218 error4: 220 error4:
219 key_put(dest); 221 key_ref_put(dest_ref);
220 error3: 222 error3:
221 kfree(callout_info); 223 kfree(callout_info);
222 error2: 224 error2:
@@ -234,17 +236,17 @@ asmlinkage long sys_request_key(const char __user *_type,
234 */ 236 */
235long keyctl_get_keyring_ID(key_serial_t id, int create) 237long keyctl_get_keyring_ID(key_serial_t id, int create)
236{ 238{
237 struct key *key; 239 key_ref_t key_ref;
238 long ret; 240 long ret;
239 241
240 key = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 242 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH);
241 if (IS_ERR(key)) { 243 if (IS_ERR(key_ref)) {
242 ret = PTR_ERR(key); 244 ret = PTR_ERR(key_ref);
243 goto error; 245 goto error;
244 } 246 }
245 247
246 ret = key->serial; 248 ret = key_ref_to_ptr(key_ref)->serial;
247 key_put(key); 249 key_ref_put(key_ref);
248 error: 250 error:
249 return ret; 251 return ret;
250 252
@@ -302,7 +304,7 @@ long keyctl_update_key(key_serial_t id,
302 const void __user *_payload, 304 const void __user *_payload,
303 size_t plen) 305 size_t plen)
304{ 306{
305 struct key *key; 307 key_ref_t key_ref;
306 void *payload; 308 void *payload;
307 long ret; 309 long ret;
308 310
@@ -324,16 +326,16 @@ long keyctl_update_key(key_serial_t id,
324 } 326 }
325 327
326 /* find the target key (which must be writable) */ 328 /* find the target key (which must be writable) */
327 key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 329 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
328 if (IS_ERR(key)) { 330 if (IS_ERR(key_ref)) {
329 ret = PTR_ERR(key); 331 ret = PTR_ERR(key_ref);
330 goto error2; 332 goto error2;
331 } 333 }
332 334
333 /* update the key */ 335 /* update the key */
334 ret = key_update(key, payload, plen); 336 ret = key_update(key_ref, payload, plen);
335 337
336 key_put(key); 338 key_ref_put(key_ref);
337 error2: 339 error2:
338 kfree(payload); 340 kfree(payload);
339 error: 341 error:
@@ -349,19 +351,19 @@ long keyctl_update_key(key_serial_t id,
349 */ 351 */
350long keyctl_revoke_key(key_serial_t id) 352long keyctl_revoke_key(key_serial_t id)
351{ 353{
352 struct key *key; 354 key_ref_t key_ref;
353 long ret; 355 long ret;
354 356
355 key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 357 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
356 if (IS_ERR(key)) { 358 if (IS_ERR(key_ref)) {
357 ret = PTR_ERR(key); 359 ret = PTR_ERR(key_ref);
358 goto error; 360 goto error;
359 } 361 }
360 362
361 key_revoke(key); 363 key_revoke(key_ref_to_ptr(key_ref));
362 ret = 0; 364 ret = 0;
363 365
364 key_put(key); 366 key_ref_put(key_ref);
365 error: 367 error:
366 return ret; 368 return ret;
367 369
@@ -375,18 +377,18 @@ long keyctl_revoke_key(key_serial_t id)
375 */ 377 */
376long keyctl_keyring_clear(key_serial_t ringid) 378long keyctl_keyring_clear(key_serial_t ringid)
377{ 379{
378 struct key *keyring; 380 key_ref_t keyring_ref;
379 long ret; 381 long ret;
380 382
381 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 383 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
382 if (IS_ERR(keyring)) { 384 if (IS_ERR(keyring_ref)) {
383 ret = PTR_ERR(keyring); 385 ret = PTR_ERR(keyring_ref);
384 goto error; 386 goto error;
385 } 387 }
386 388
387 ret = keyring_clear(keyring); 389 ret = keyring_clear(key_ref_to_ptr(keyring_ref));
388 390
389 key_put(keyring); 391 key_ref_put(keyring_ref);
390 error: 392 error:
391 return ret; 393 return ret;
392 394
@@ -401,26 +403,26 @@ long keyctl_keyring_clear(key_serial_t ringid)
401 */ 403 */
402long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 404long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
403{ 405{
404 struct key *keyring, *key; 406 key_ref_t keyring_ref, key_ref;
405 long ret; 407 long ret;
406 408
407 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 409 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
408 if (IS_ERR(keyring)) { 410 if (IS_ERR(keyring_ref)) {
409 ret = PTR_ERR(keyring); 411 ret = PTR_ERR(keyring_ref);
410 goto error; 412 goto error;
411 } 413 }
412 414
413 key = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 415 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK);
414 if (IS_ERR(key)) { 416 if (IS_ERR(key_ref)) {
415 ret = PTR_ERR(key); 417 ret = PTR_ERR(key_ref);
416 goto error2; 418 goto error2;
417 } 419 }
418 420
419 ret = key_link(keyring, key); 421 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
420 422
421 key_put(key); 423 key_ref_put(key_ref);
422 error2: 424 error2:
423 key_put(keyring); 425 key_ref_put(keyring_ref);
424 error: 426 error:
425 return ret; 427 return ret;
426 428
@@ -435,26 +437,26 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
435 */ 437 */
436long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 438long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
437{ 439{
438 struct key *keyring, *key; 440 key_ref_t keyring_ref, key_ref;
439 long ret; 441 long ret;
440 442
441 keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 443 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE);
442 if (IS_ERR(keyring)) { 444 if (IS_ERR(keyring_ref)) {
443 ret = PTR_ERR(keyring); 445 ret = PTR_ERR(keyring_ref);
444 goto error; 446 goto error;
445 } 447 }
446 448
447 key = lookup_user_key(NULL, id, 0, 0, 0); 449 key_ref = lookup_user_key(NULL, id, 0, 0, 0);
448 if (IS_ERR(key)) { 450 if (IS_ERR(key_ref)) {
449 ret = PTR_ERR(key); 451 ret = PTR_ERR(key_ref);
450 goto error2; 452 goto error2;
451 } 453 }
452 454
453 ret = key_unlink(keyring, key); 455 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
454 456
455 key_put(key); 457 key_ref_put(key_ref);
456 error2: 458 error2:
457 key_put(keyring); 459 key_ref_put(keyring_ref);
458 error: 460 error:
459 return ret; 461 return ret;
460 462
@@ -476,24 +478,26 @@ long keyctl_describe_key(key_serial_t keyid,
476 size_t buflen) 478 size_t buflen)
477{ 479{
478 struct key *key, *instkey; 480 struct key *key, *instkey;
481 key_ref_t key_ref;
479 char *tmpbuf; 482 char *tmpbuf;
480 long ret; 483 long ret;
481 484
482 key = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 485 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
483 if (IS_ERR(key)) { 486 if (IS_ERR(key_ref)) {
484 /* viewing a key under construction is permitted if we have the 487 /* viewing a key under construction is permitted if we have the
485 * authorisation token handy */ 488 * authorisation token handy */
486 if (PTR_ERR(key) == -EACCES) { 489 if (PTR_ERR(key_ref) == -EACCES) {
487 instkey = key_get_instantiation_authkey(keyid); 490 instkey = key_get_instantiation_authkey(keyid);
488 if (!IS_ERR(instkey)) { 491 if (!IS_ERR(instkey)) {
489 key_put(instkey); 492 key_put(instkey);
490 key = lookup_user_key(NULL, keyid, 0, 1, 0); 493 key_ref = lookup_user_key(NULL, keyid,
491 if (!IS_ERR(key)) 494 0, 1, 0);
495 if (!IS_ERR(key_ref))
492 goto okay; 496 goto okay;
493 } 497 }
494 } 498 }
495 499
496 ret = PTR_ERR(key); 500 ret = PTR_ERR(key_ref);
497 goto error; 501 goto error;
498 } 502 }
499 503
@@ -504,13 +508,16 @@ okay:
504 if (!tmpbuf) 508 if (!tmpbuf)
505 goto error2; 509 goto error2;
506 510
511 key = key_ref_to_ptr(key_ref);
512
507 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 513 ret = snprintf(tmpbuf, PAGE_SIZE - 1,
508 "%s;%d;%d;%06x;%s", 514 "%s;%d;%d;%08x;%s",
509 key->type->name, 515 key_ref_to_ptr(key_ref)->type->name,
510 key->uid, 516 key_ref_to_ptr(key_ref)->uid,
511 key->gid, 517 key_ref_to_ptr(key_ref)->gid,
512 key->perm, 518 key_ref_to_ptr(key_ref)->perm,
513 key->description ? key->description :"" 519 key_ref_to_ptr(key_ref)->description ?
520 key_ref_to_ptr(key_ref)->description : ""
514 ); 521 );
515 522
516 /* include a NUL char at the end of the data */ 523 /* include a NUL char at the end of the data */
@@ -530,7 +537,7 @@ okay:
530 537
531 kfree(tmpbuf); 538 kfree(tmpbuf);
532 error2: 539 error2:
533 key_put(key); 540 key_ref_put(key_ref);
534 error: 541 error:
535 return ret; 542 return ret;
536 543
@@ -552,7 +559,7 @@ long keyctl_keyring_search(key_serial_t ringid,
552 key_serial_t destringid) 559 key_serial_t destringid)
553{ 560{
554 struct key_type *ktype; 561 struct key_type *ktype;
555 struct key *keyring, *key, *dest; 562 key_ref_t keyring_ref, key_ref, dest_ref;
556 char type[32], *description; 563 char type[32], *description;
557 long dlen, ret; 564 long dlen, ret;
558 565
@@ -581,18 +588,18 @@ long keyctl_keyring_search(key_serial_t ringid,
581 goto error2; 588 goto error2;
582 589
583 /* get the keyring at which to begin the search */ 590 /* get the keyring at which to begin the search */
584 keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 591 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH);
585 if (IS_ERR(keyring)) { 592 if (IS_ERR(keyring_ref)) {
586 ret = PTR_ERR(keyring); 593 ret = PTR_ERR(keyring_ref);
587 goto error2; 594 goto error2;
588 } 595 }
589 596
590 /* get the destination keyring if specified */ 597 /* get the destination keyring if specified */
591 dest = NULL; 598 dest_ref = NULL;
592 if (destringid) { 599 if (destringid) {
593 dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 600 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
594 if (IS_ERR(dest)) { 601 if (IS_ERR(dest_ref)) {
595 ret = PTR_ERR(dest); 602 ret = PTR_ERR(dest_ref);
596 goto error3; 603 goto error3;
597 } 604 }
598 } 605 }
@@ -605,9 +612,9 @@ long keyctl_keyring_search(key_serial_t ringid,
605 } 612 }
606 613
607 /* do the search */ 614 /* do the search */
608 key = keyring_search(keyring, ktype, description); 615 key_ref = keyring_search(keyring_ref, ktype, description);
609 if (IS_ERR(key)) { 616 if (IS_ERR(key_ref)) {
610 ret = PTR_ERR(key); 617 ret = PTR_ERR(key_ref);
611 618
612 /* treat lack or presence of a negative key the same */ 619 /* treat lack or presence of a negative key the same */
613 if (ret == -EAGAIN) 620 if (ret == -EAGAIN)
@@ -616,26 +623,26 @@ long keyctl_keyring_search(key_serial_t ringid,
616 } 623 }
617 624
618 /* link the resulting key to the destination keyring if we can */ 625 /* link the resulting key to the destination keyring if we can */
619 if (dest) { 626 if (dest_ref) {
620 ret = -EACCES; 627 ret = -EACCES;
621 if (!key_permission(key, KEY_LINK)) 628 if (!key_permission(key_ref, KEY_LINK))
622 goto error6; 629 goto error6;
623 630
624 ret = key_link(dest, key); 631 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
625 if (ret < 0) 632 if (ret < 0)
626 goto error6; 633 goto error6;
627 } 634 }
628 635
629 ret = key->serial; 636 ret = key_ref_to_ptr(key_ref)->serial;
630 637
631 error6: 638 error6:
632 key_put(key); 639 key_ref_put(key_ref);
633 error5: 640 error5:
634 key_type_put(ktype); 641 key_type_put(ktype);
635 error4: 642 error4:
636 key_put(dest); 643 key_ref_put(dest_ref);
637 error3: 644 error3:
638 key_put(keyring); 645 key_ref_put(keyring_ref);
639 error2: 646 error2:
640 kfree(description); 647 kfree(description);
641 error: 648 error:
@@ -645,16 +652,6 @@ long keyctl_keyring_search(key_serial_t ringid,
645 652
646/*****************************************************************************/ 653/*****************************************************************************/
647/* 654/*
648 * see if the key we're looking at is the target key
649 */
650static int keyctl_read_key_same(const struct key *key, const void *target)
651{
652 return key == target;
653
654} /* end keyctl_read_key_same() */
655
656/*****************************************************************************/
657/*
658 * read a user key's payload 655 * read a user key's payload
659 * - the keyring must be readable or the key must be searchable from the 656 * - the keyring must be readable or the key must be searchable from the
660 * process's keyrings 657 * process's keyrings
@@ -665,38 +662,33 @@ static int keyctl_read_key_same(const struct key *key, const void *target)
665 */ 662 */
666long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 663long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
667{ 664{
668 struct key *key, *skey; 665 struct key *key;
666 key_ref_t key_ref;
669 long ret; 667 long ret;
670 668
671 /* find the key first */ 669 /* find the key first */
672 key = lookup_user_key(NULL, keyid, 0, 0, 0); 670 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0);
673 if (!IS_ERR(key)) { 671 if (IS_ERR(key_ref)) {
674 /* see if we can read it directly */ 672 ret = -ENOKEY;
675 if (key_permission(key, KEY_READ)) 673 goto error;
676 goto can_read_key;
677
678 /* we can't; see if it's searchable from this process's
679 * keyrings
680 * - we automatically take account of the fact that it may be
681 * dangling off an instantiation key
682 */
683 skey = search_process_keyrings(key->type, key,
684 keyctl_read_key_same, current);
685 if (!IS_ERR(skey))
686 goto can_read_key2;
687
688 ret = PTR_ERR(skey);
689 if (ret == -EAGAIN)
690 ret = -EACCES;
691 goto error2;
692 } 674 }
693 675
694 ret = -ENOKEY; 676 key = key_ref_to_ptr(key_ref);
695 goto error; 677
678 /* see if we can read it directly */
679 if (key_permission(key_ref, KEY_READ))
680 goto can_read_key;
681
682 /* we can't; see if it's searchable from this process's keyrings
683 * - we automatically take account of the fact that it may be
684 * dangling off an instantiation key
685 */
686 if (!is_key_possessed(key_ref)) {
687 ret = -EACCES;
688 goto error2;
689 }
696 690
697 /* the key is probably readable - now try to read it */ 691 /* the key is probably readable - now try to read it */
698 can_read_key2:
699 key_put(skey);
700 can_read_key: 692 can_read_key:
701 ret = key_validate(key); 693 ret = key_validate(key);
702 if (ret == 0) { 694 if (ret == 0) {
@@ -727,18 +719,21 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
727long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 719long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
728{ 720{
729 struct key *key; 721 struct key *key;
722 key_ref_t key_ref;
730 long ret; 723 long ret;
731 724
732 ret = 0; 725 ret = 0;
733 if (uid == (uid_t) -1 && gid == (gid_t) -1) 726 if (uid == (uid_t) -1 && gid == (gid_t) -1)
734 goto error; 727 goto error;
735 728
736 key = lookup_user_key(NULL, id, 1, 1, 0); 729 key_ref = lookup_user_key(NULL, id, 1, 1, 0);
737 if (IS_ERR(key)) { 730 if (IS_ERR(key_ref)) {
738 ret = PTR_ERR(key); 731 ret = PTR_ERR(key_ref);
739 goto error; 732 goto error;
740 } 733 }
741 734
735 key = key_ref_to_ptr(key_ref);
736
742 /* make the changes with the locks held to prevent chown/chown races */ 737 /* make the changes with the locks held to prevent chown/chown races */
743 ret = -EACCES; 738 ret = -EACCES;
744 down_write(&key->sem); 739 down_write(&key->sem);
@@ -784,18 +779,21 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
784long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 779long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
785{ 780{
786 struct key *key; 781 struct key *key;
782 key_ref_t key_ref;
787 long ret; 783 long ret;
788 784
789 ret = -EINVAL; 785 ret = -EINVAL;
790 if (perm & ~(KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 786 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
791 goto error; 787 goto error;
792 788
793 key = lookup_user_key(NULL, id, 1, 1, 0); 789 key_ref = lookup_user_key(NULL, id, 1, 1, 0);
794 if (IS_ERR(key)) { 790 if (IS_ERR(key_ref)) {
795 ret = PTR_ERR(key); 791 ret = PTR_ERR(key_ref);
796 goto error; 792 goto error;
797 } 793 }
798 794
795 key = key_ref_to_ptr(key_ref);
796
799 /* make the changes with the locks held to prevent chown/chmod races */ 797 /* make the changes with the locks held to prevent chown/chmod races */
800 ret = -EACCES; 798 ret = -EACCES;
801 down_write(&key->sem); 799 down_write(&key->sem);
@@ -824,7 +822,8 @@ long keyctl_instantiate_key(key_serial_t id,
824 key_serial_t ringid) 822 key_serial_t ringid)
825{ 823{
826 struct request_key_auth *rka; 824 struct request_key_auth *rka;
827 struct key *instkey, *keyring; 825 struct key *instkey;
826 key_ref_t keyring_ref;
828 void *payload; 827 void *payload;
829 long ret; 828 long ret;
830 829
@@ -857,21 +856,21 @@ long keyctl_instantiate_key(key_serial_t id,
857 856
858 /* find the destination keyring amongst those belonging to the 857 /* find the destination keyring amongst those belonging to the
859 * requesting task */ 858 * requesting task */
860 keyring = NULL; 859 keyring_ref = NULL;
861 if (ringid) { 860 if (ringid) {
862 keyring = lookup_user_key(rka->context, ringid, 1, 0, 861 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0,
863 KEY_WRITE); 862 KEY_WRITE);
864 if (IS_ERR(keyring)) { 863 if (IS_ERR(keyring_ref)) {
865 ret = PTR_ERR(keyring); 864 ret = PTR_ERR(keyring_ref);
866 goto error3; 865 goto error3;
867 } 866 }
868 } 867 }
869 868
870 /* instantiate the key and link it into a keyring */ 869 /* instantiate the key and link it into a keyring */
871 ret = key_instantiate_and_link(rka->target_key, payload, plen, 870 ret = key_instantiate_and_link(rka->target_key, payload, plen,
872 keyring, instkey); 871 key_ref_to_ptr(keyring_ref), instkey);
873 872
874 key_put(keyring); 873 key_ref_put(keyring_ref);
875 error3: 874 error3:
876 key_put(instkey); 875 key_put(instkey);
877 error2: 876 error2:
@@ -889,7 +888,8 @@ long keyctl_instantiate_key(key_serial_t id,
889long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 888long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
890{ 889{
891 struct request_key_auth *rka; 890 struct request_key_auth *rka;
892 struct key *instkey, *keyring; 891 struct key *instkey;
892 key_ref_t keyring_ref;
893 long ret; 893 long ret;
894 894
895 /* find the instantiation authorisation key */ 895 /* find the instantiation authorisation key */
@@ -903,19 +903,20 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
903 903
904 /* find the destination keyring if present (which must also be 904 /* find the destination keyring if present (which must also be
905 * writable) */ 905 * writable) */
906 keyring = NULL; 906 keyring_ref = NULL;
907 if (ringid) { 907 if (ringid) {
908 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 908 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
909 if (IS_ERR(keyring)) { 909 if (IS_ERR(keyring_ref)) {
910 ret = PTR_ERR(keyring); 910 ret = PTR_ERR(keyring_ref);
911 goto error2; 911 goto error2;
912 } 912 }
913 } 913 }
914 914
915 /* instantiate the key and link it into a keyring */ 915 /* instantiate the key and link it into a keyring */
916 ret = key_negate_and_link(rka->target_key, timeout, keyring, instkey); 916 ret = key_negate_and_link(rka->target_key, timeout,
917 key_ref_to_ptr(keyring_ref), instkey);
917 918
918 key_put(keyring); 919 key_ref_put(keyring_ref);
919 error2: 920 error2:
920 key_put(instkey); 921 key_put(instkey);
921 error: 922 error:
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 9c208c756df8..0639396dd441 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -309,7 +309,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
309 int ret; 309 int ret;
310 310
311 keyring = key_alloc(&key_type_keyring, description, 311 keyring = key_alloc(&key_type_keyring, description,
312 uid, gid, KEY_USR_ALL, not_in_quota); 312 uid, gid, KEY_POS_ALL | KEY_USR_ALL, not_in_quota);
313 313
314 if (!IS_ERR(keyring)) { 314 if (!IS_ERR(keyring)) {
315 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 315 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
@@ -333,12 +333,13 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
333 * - we rely on RCU to prevent the keyring lists from disappearing on us 333 * - we rely on RCU to prevent the keyring lists from disappearing on us
334 * - we return -EAGAIN if we didn't find any matching key 334 * - we return -EAGAIN if we didn't find any matching key
335 * - we return -ENOKEY if we only found negative matching keys 335 * - we return -ENOKEY if we only found negative matching keys
336 * - we propagate the possession attribute from the keyring ref to the key ref
336 */ 337 */
337struct key *keyring_search_aux(struct key *keyring, 338key_ref_t keyring_search_aux(key_ref_t keyring_ref,
338 struct task_struct *context, 339 struct task_struct *context,
339 struct key_type *type, 340 struct key_type *type,
340 const void *description, 341 const void *description,
341 key_match_func_t match) 342 key_match_func_t match)
342{ 343{
343 struct { 344 struct {
344 struct keyring_list *keylist; 345 struct keyring_list *keylist;
@@ -347,29 +348,33 @@ struct key *keyring_search_aux(struct key *keyring,
347 348
348 struct keyring_list *keylist; 349 struct keyring_list *keylist;
349 struct timespec now; 350 struct timespec now;
350 struct key *key; 351 unsigned long possessed;
352 struct key *keyring, *key;
353 key_ref_t key_ref;
351 long err; 354 long err;
352 int sp, kix; 355 int sp, kix;
353 356
357 keyring = key_ref_to_ptr(keyring_ref);
358 possessed = is_key_possessed(keyring_ref);
354 key_check(keyring); 359 key_check(keyring);
355 360
356 rcu_read_lock();
357
358 /* top keyring must have search permission to begin the search */ 361 /* top keyring must have search permission to begin the search */
359 key = ERR_PTR(-EACCES); 362 key_ref = ERR_PTR(-EACCES);
360 if (!key_task_permission(keyring, context, KEY_SEARCH)) 363 if (!key_task_permission(keyring_ref, context, KEY_SEARCH))
361 goto error; 364 goto error;
362 365
363 key = ERR_PTR(-ENOTDIR); 366 key_ref = ERR_PTR(-ENOTDIR);
364 if (keyring->type != &key_type_keyring) 367 if (keyring->type != &key_type_keyring)
365 goto error; 368 goto error;
366 369
370 rcu_read_lock();
371
367 now = current_kernel_time(); 372 now = current_kernel_time();
368 err = -EAGAIN; 373 err = -EAGAIN;
369 sp = 0; 374 sp = 0;
370 375
371 /* start processing a new keyring */ 376 /* start processing a new keyring */
372 descend: 377descend:
373 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 378 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
374 goto not_this_keyring; 379 goto not_this_keyring;
375 380
@@ -397,7 +402,8 @@ struct key *keyring_search_aux(struct key *keyring,
397 continue; 402 continue;
398 403
399 /* key must have search permissions */ 404 /* key must have search permissions */
400 if (!key_task_permission(key, context, KEY_SEARCH)) 405 if (!key_task_permission(make_key_ref(key, possessed),
406 context, KEY_SEARCH))
401 continue; 407 continue;
402 408
403 /* we set a different error code if we find a negative key */ 409 /* we set a different error code if we find a negative key */
@@ -411,7 +417,7 @@ struct key *keyring_search_aux(struct key *keyring,
411 417
412 /* search through the keyrings nested in this one */ 418 /* search through the keyrings nested in this one */
413 kix = 0; 419 kix = 0;
414 ascend: 420ascend:
415 for (; kix < keylist->nkeys; kix++) { 421 for (; kix < keylist->nkeys; kix++) {
416 key = keylist->keys[kix]; 422 key = keylist->keys[kix];
417 if (key->type != &key_type_keyring) 423 if (key->type != &key_type_keyring)
@@ -423,7 +429,8 @@ struct key *keyring_search_aux(struct key *keyring,
423 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 429 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
424 continue; 430 continue;
425 431
426 if (!key_task_permission(key, context, KEY_SEARCH)) 432 if (!key_task_permission(make_key_ref(key, possessed),
433 context, KEY_SEARCH))
427 continue; 434 continue;
428 435
429 /* stack the current position */ 436 /* stack the current position */
@@ -438,7 +445,7 @@ struct key *keyring_search_aux(struct key *keyring,
438 445
439 /* the keyring we're looking at was disqualified or didn't contain a 446 /* the keyring we're looking at was disqualified or didn't contain a
440 * matching key */ 447 * matching key */
441 not_this_keyring: 448not_this_keyring:
442 if (sp > 0) { 449 if (sp > 0) {
443 /* resume the processing of a keyring higher up in the tree */ 450 /* resume the processing of a keyring higher up in the tree */
444 sp--; 451 sp--;
@@ -447,16 +454,18 @@ struct key *keyring_search_aux(struct key *keyring,
447 goto ascend; 454 goto ascend;
448 } 455 }
449 456
450 key = ERR_PTR(err); 457 key_ref = ERR_PTR(err);
451 goto error; 458 goto error_2;
452 459
453 /* we found a viable match */ 460 /* we found a viable match */
454 found: 461found:
455 atomic_inc(&key->usage); 462 atomic_inc(&key->usage);
456 key_check(key); 463 key_check(key);
457 error: 464 key_ref = make_key_ref(key, possessed);
465error_2:
458 rcu_read_unlock(); 466 rcu_read_unlock();
459 return key; 467error:
468 return key_ref;
460 469
461} /* end keyring_search_aux() */ 470} /* end keyring_search_aux() */
462 471
@@ -469,9 +478,9 @@ struct key *keyring_search_aux(struct key *keyring,
469 * - we return -EAGAIN if we didn't find any matching key 478 * - we return -EAGAIN if we didn't find any matching key
470 * - we return -ENOKEY if we only found negative matching keys 479 * - we return -ENOKEY if we only found negative matching keys
471 */ 480 */
472struct key *keyring_search(struct key *keyring, 481key_ref_t keyring_search(key_ref_t keyring,
473 struct key_type *type, 482 struct key_type *type,
474 const char *description) 483 const char *description)
475{ 484{
476 if (!type->match) 485 if (!type->match)
477 return ERR_PTR(-ENOKEY); 486 return ERR_PTR(-ENOKEY);
@@ -488,15 +497,19 @@ EXPORT_SYMBOL(keyring_search);
488 * search the given keyring only (no recursion) 497 * search the given keyring only (no recursion)
489 * - keyring must be locked by caller 498 * - keyring must be locked by caller
490 */ 499 */
491struct key *__keyring_search_one(struct key *keyring, 500key_ref_t __keyring_search_one(key_ref_t keyring_ref,
492 const struct key_type *ktype, 501 const struct key_type *ktype,
493 const char *description, 502 const char *description,
494 key_perm_t perm) 503 key_perm_t perm)
495{ 504{
496 struct keyring_list *klist; 505 struct keyring_list *klist;
497 struct key *key; 506 unsigned long possessed;
507 struct key *keyring, *key;
498 int loop; 508 int loop;
499 509
510 keyring = key_ref_to_ptr(keyring_ref);
511 possessed = is_key_possessed(keyring_ref);
512
500 rcu_read_lock(); 513 rcu_read_lock();
501 514
502 klist = rcu_dereference(keyring->payload.subscriptions); 515 klist = rcu_dereference(keyring->payload.subscriptions);
@@ -507,21 +520,21 @@ struct key *__keyring_search_one(struct key *keyring,
507 if (key->type == ktype && 520 if (key->type == ktype &&
508 (!key->type->match || 521 (!key->type->match ||
509 key->type->match(key, description)) && 522 key->type->match(key, description)) &&
510 key_permission(key, perm) && 523 key_permission(make_key_ref(key, possessed),
524 perm) &&
511 !test_bit(KEY_FLAG_REVOKED, &key->flags) 525 !test_bit(KEY_FLAG_REVOKED, &key->flags)
512 ) 526 )
513 goto found; 527 goto found;
514 } 528 }
515 } 529 }
516 530
517 key = ERR_PTR(-ENOKEY); 531 rcu_read_unlock();
518 goto error; 532 return ERR_PTR(-ENOKEY);
519 533
520 found: 534 found:
521 atomic_inc(&key->usage); 535 atomic_inc(&key->usage);
522 error:
523 rcu_read_unlock(); 536 rcu_read_unlock();
524 return key; 537 return make_key_ref(key, possessed);
525 538
526} /* end __keyring_search_one() */ 539} /* end __keyring_search_one() */
527 540
@@ -603,7 +616,8 @@ struct key *find_keyring_by_name(const char *name, key_serial_t bound)
603 if (strcmp(keyring->description, name) != 0) 616 if (strcmp(keyring->description, name) != 0)
604 continue; 617 continue;
605 618
606 if (!key_permission(keyring, KEY_SEARCH)) 619 if (!key_permission(make_key_ref(keyring, 0),
620 KEY_SEARCH))
607 continue; 621 continue;
608 622
609 /* found a potential candidate, but we still need to 623 /* found a potential candidate, but we still need to
diff --git a/security/keys/proc.c b/security/keys/proc.c
index c55cf1fd0826..12b750e51fbf 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -167,7 +167,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
167#define showflag(KEY, LETTER, FLAG) \ 167#define showflag(KEY, LETTER, FLAG) \
168 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') 168 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
169 169
170 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %06x %5d %5d %-9.9s ", 170 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
171 key->serial, 171 key->serial,
172 showflag(key, 'I', KEY_FLAG_INSTANTIATED), 172 showflag(key, 'I', KEY_FLAG_INSTANTIATED),
173 showflag(key, 'R', KEY_FLAG_REVOKED), 173 showflag(key, 'R', KEY_FLAG_REVOKED),
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index c089f78fb94e..d42d2158ce13 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -39,7 +39,7 @@ struct key root_user_keyring = {
39 .type = &key_type_keyring, 39 .type = &key_type_keyring,
40 .user = &root_key_user, 40 .user = &root_key_user,
41 .sem = __RWSEM_INITIALIZER(root_user_keyring.sem), 41 .sem = __RWSEM_INITIALIZER(root_user_keyring.sem),
42 .perm = KEY_USR_ALL, 42 .perm = KEY_POS_ALL | KEY_USR_ALL,
43 .flags = 1 << KEY_FLAG_INSTANTIATED, 43 .flags = 1 << KEY_FLAG_INSTANTIATED,
44 .description = "_uid.0", 44 .description = "_uid.0",
45#ifdef KEY_DEBUGGING 45#ifdef KEY_DEBUGGING
@@ -54,7 +54,7 @@ struct key root_session_keyring = {
54 .type = &key_type_keyring, 54 .type = &key_type_keyring,
55 .user = &root_key_user, 55 .user = &root_key_user,
56 .sem = __RWSEM_INITIALIZER(root_session_keyring.sem), 56 .sem = __RWSEM_INITIALIZER(root_session_keyring.sem),
57 .perm = KEY_USR_ALL, 57 .perm = KEY_POS_ALL | KEY_USR_ALL,
58 .flags = 1 << KEY_FLAG_INSTANTIATED, 58 .flags = 1 << KEY_FLAG_INSTANTIATED,
59 .description = "_uid_ses.0", 59 .description = "_uid_ses.0",
60#ifdef KEY_DEBUGGING 60#ifdef KEY_DEBUGGING
@@ -98,7 +98,7 @@ int alloc_uid_keyring(struct user_struct *user)
98 user->session_keyring = session_keyring; 98 user->session_keyring = session_keyring;
99 ret = 0; 99 ret = 0;
100 100
101 error: 101error:
102 return ret; 102 return ret;
103 103
104} /* end alloc_uid_keyring() */ 104} /* end alloc_uid_keyring() */
@@ -156,7 +156,7 @@ int install_thread_keyring(struct task_struct *tsk)
156 ret = 0; 156 ret = 0;
157 157
158 key_put(old); 158 key_put(old);
159 error: 159error:
160 return ret; 160 return ret;
161 161
162} /* end install_thread_keyring() */ 162} /* end install_thread_keyring() */
@@ -193,7 +193,7 @@ int install_process_keyring(struct task_struct *tsk)
193 } 193 }
194 194
195 ret = 0; 195 ret = 0;
196 error: 196error:
197 return ret; 197 return ret;
198 198
199} /* end install_process_keyring() */ 199} /* end install_process_keyring() */
@@ -236,7 +236,7 @@ static int install_session_keyring(struct task_struct *tsk,
236 /* we're using RCU on the pointer */ 236 /* we're using RCU on the pointer */
237 synchronize_rcu(); 237 synchronize_rcu();
238 key_put(old); 238 key_put(old);
239 error: 239error:
240 return ret; 240 return ret;
241 241
242} /* end install_session_keyring() */ 242} /* end install_session_keyring() */
@@ -376,13 +376,13 @@ void key_fsgid_changed(struct task_struct *tsk)
376 * - we return -EAGAIN if we didn't find any matching key 376 * - we return -EAGAIN if we didn't find any matching key
377 * - we return -ENOKEY if we found only negative matching keys 377 * - we return -ENOKEY if we found only negative matching keys
378 */ 378 */
379struct key *search_process_keyrings(struct key_type *type, 379key_ref_t search_process_keyrings(struct key_type *type,
380 const void *description, 380 const void *description,
381 key_match_func_t match, 381 key_match_func_t match,
382 struct task_struct *context) 382 struct task_struct *context)
383{ 383{
384 struct request_key_auth *rka; 384 struct request_key_auth *rka;
385 struct key *key, *ret, *err, *instkey; 385 key_ref_t key_ref, ret, err, instkey_ref;
386 386
387 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were 387 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
388 * searchable, but we failed to find a key or we found a negative key; 388 * searchable, but we failed to find a key or we found a negative key;
@@ -391,46 +391,48 @@ struct key *search_process_keyrings(struct key_type *type,
391 * 391 *
392 * in terms of priority: success > -ENOKEY > -EAGAIN > other error 392 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
393 */ 393 */
394 key = NULL; 394 key_ref = NULL;
395 ret = NULL; 395 ret = NULL;
396 err = ERR_PTR(-EAGAIN); 396 err = ERR_PTR(-EAGAIN);
397 397
398 /* search the thread keyring first */ 398 /* search the thread keyring first */
399 if (context->thread_keyring) { 399 if (context->thread_keyring) {
400 key = keyring_search_aux(context->thread_keyring, 400 key_ref = keyring_search_aux(
401 context, type, description, match); 401 make_key_ref(context->thread_keyring, 1),
402 if (!IS_ERR(key)) 402 context, type, description, match);
403 if (!IS_ERR(key_ref))
403 goto found; 404 goto found;
404 405
405 switch (PTR_ERR(key)) { 406 switch (PTR_ERR(key_ref)) {
406 case -EAGAIN: /* no key */ 407 case -EAGAIN: /* no key */
407 if (ret) 408 if (ret)
408 break; 409 break;
409 case -ENOKEY: /* negative key */ 410 case -ENOKEY: /* negative key */
410 ret = key; 411 ret = key_ref;
411 break; 412 break;
412 default: 413 default:
413 err = key; 414 err = key_ref;
414 break; 415 break;
415 } 416 }
416 } 417 }
417 418
418 /* search the process keyring second */ 419 /* search the process keyring second */
419 if (context->signal->process_keyring) { 420 if (context->signal->process_keyring) {
420 key = keyring_search_aux(context->signal->process_keyring, 421 key_ref = keyring_search_aux(
421 context, type, description, match); 422 make_key_ref(context->signal->process_keyring, 1),
422 if (!IS_ERR(key)) 423 context, type, description, match);
424 if (!IS_ERR(key_ref))
423 goto found; 425 goto found;
424 426
425 switch (PTR_ERR(key)) { 427 switch (PTR_ERR(key_ref)) {
426 case -EAGAIN: /* no key */ 428 case -EAGAIN: /* no key */
427 if (ret) 429 if (ret)
428 break; 430 break;
429 case -ENOKEY: /* negative key */ 431 case -ENOKEY: /* negative key */
430 ret = key; 432 ret = key_ref;
431 break; 433 break;
432 default: 434 default:
433 err = key; 435 err = key_ref;
434 break; 436 break;
435 } 437 }
436 } 438 }
@@ -438,23 +440,25 @@ struct key *search_process_keyrings(struct key_type *type,
438 /* search the session keyring */ 440 /* search the session keyring */
439 if (context->signal->session_keyring) { 441 if (context->signal->session_keyring) {
440 rcu_read_lock(); 442 rcu_read_lock();
441 key = keyring_search_aux( 443 key_ref = keyring_search_aux(
442 rcu_dereference(context->signal->session_keyring), 444 make_key_ref(rcu_dereference(
445 context->signal->session_keyring),
446 1),
443 context, type, description, match); 447 context, type, description, match);
444 rcu_read_unlock(); 448 rcu_read_unlock();
445 449
446 if (!IS_ERR(key)) 450 if (!IS_ERR(key_ref))
447 goto found; 451 goto found;
448 452
449 switch (PTR_ERR(key)) { 453 switch (PTR_ERR(key_ref)) {
450 case -EAGAIN: /* no key */ 454 case -EAGAIN: /* no key */
451 if (ret) 455 if (ret)
452 break; 456 break;
453 case -ENOKEY: /* negative key */ 457 case -ENOKEY: /* negative key */
454 ret = key; 458 ret = key_ref;
455 break; 459 break;
456 default: 460 default:
457 err = key; 461 err = key_ref;
458 break; 462 break;
459 } 463 }
460 464
@@ -465,51 +469,54 @@ struct key *search_process_keyrings(struct key_type *type,
465 goto no_key; 469 goto no_key;
466 470
467 rcu_read_lock(); 471 rcu_read_lock();
468 instkey = __keyring_search_one( 472 instkey_ref = __keyring_search_one(
469 rcu_dereference(context->signal->session_keyring), 473 make_key_ref(rcu_dereference(
474 context->signal->session_keyring),
475 1),
470 &key_type_request_key_auth, NULL, 0); 476 &key_type_request_key_auth, NULL, 0);
471 rcu_read_unlock(); 477 rcu_read_unlock();
472 478
473 if (IS_ERR(instkey)) 479 if (IS_ERR(instkey_ref))
474 goto no_key; 480 goto no_key;
475 481
476 rka = instkey->payload.data; 482 rka = key_ref_to_ptr(instkey_ref)->payload.data;
477 483
478 key = search_process_keyrings(type, description, match, 484 key_ref = search_process_keyrings(type, description, match,
479 rka->context); 485 rka->context);
480 key_put(instkey); 486 key_ref_put(instkey_ref);
481 487
482 if (!IS_ERR(key)) 488 if (!IS_ERR(key_ref))
483 goto found; 489 goto found;
484 490
485 switch (PTR_ERR(key)) { 491 switch (PTR_ERR(key_ref)) {
486 case -EAGAIN: /* no key */ 492 case -EAGAIN: /* no key */
487 if (ret) 493 if (ret)
488 break; 494 break;
489 case -ENOKEY: /* negative key */ 495 case -ENOKEY: /* negative key */
490 ret = key; 496 ret = key_ref;
491 break; 497 break;
492 default: 498 default:
493 err = key; 499 err = key_ref;
494 break; 500 break;
495 } 501 }
496 } 502 }
497 /* or search the user-session keyring */ 503 /* or search the user-session keyring */
498 else { 504 else {
499 key = keyring_search_aux(context->user->session_keyring, 505 key_ref = keyring_search_aux(
500 context, type, description, match); 506 make_key_ref(context->user->session_keyring, 1),
501 if (!IS_ERR(key)) 507 context, type, description, match);
508 if (!IS_ERR(key_ref))
502 goto found; 509 goto found;
503 510
504 switch (PTR_ERR(key)) { 511 switch (PTR_ERR(key_ref)) {
505 case -EAGAIN: /* no key */ 512 case -EAGAIN: /* no key */
506 if (ret) 513 if (ret)
507 break; 514 break;
508 case -ENOKEY: /* negative key */ 515 case -ENOKEY: /* negative key */
509 ret = key; 516 ret = key_ref;
510 break; 517 break;
511 default: 518 default:
512 err = key; 519 err = key_ref;
513 break; 520 break;
514 } 521 }
515 } 522 }
@@ -517,29 +524,40 @@ struct key *search_process_keyrings(struct key_type *type,
517 524
518no_key: 525no_key:
519 /* no key - decide on the error we're going to go for */ 526 /* no key - decide on the error we're going to go for */
520 key = ret ? ret : err; 527 key_ref = ret ? ret : err;
521 528
522found: 529found:
523 return key; 530 return key_ref;
524 531
525} /* end search_process_keyrings() */ 532} /* end search_process_keyrings() */
526 533
527/*****************************************************************************/ 534/*****************************************************************************/
528/* 535/*
536 * see if the key we're looking at is the target key
537 */
538static int lookup_user_key_possessed(const struct key *key, const void *target)
539{
540 return key == target;
541
542} /* end lookup_user_key_possessed() */
543
544/*****************************************************************************/
545/*
529 * lookup a key given a key ID from userspace with a given permissions mask 546 * lookup a key given a key ID from userspace with a given permissions mask
530 * - don't create special keyrings unless so requested 547 * - don't create special keyrings unless so requested
531 * - partially constructed keys aren't found unless requested 548 * - partially constructed keys aren't found unless requested
532 */ 549 */
533struct key *lookup_user_key(struct task_struct *context, key_serial_t id, 550key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
534 int create, int partial, key_perm_t perm) 551 int create, int partial, key_perm_t perm)
535{ 552{
553 key_ref_t key_ref, skey_ref;
536 struct key *key; 554 struct key *key;
537 int ret; 555 int ret;
538 556
539 if (!context) 557 if (!context)
540 context = current; 558 context = current;
541 559
542 key = ERR_PTR(-ENOKEY); 560 key_ref = ERR_PTR(-ENOKEY);
543 561
544 switch (id) { 562 switch (id) {
545 case KEY_SPEC_THREAD_KEYRING: 563 case KEY_SPEC_THREAD_KEYRING:
@@ -556,6 +574,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
556 574
557 key = context->thread_keyring; 575 key = context->thread_keyring;
558 atomic_inc(&key->usage); 576 atomic_inc(&key->usage);
577 key_ref = make_key_ref(key, 1);
559 break; 578 break;
560 579
561 case KEY_SPEC_PROCESS_KEYRING: 580 case KEY_SPEC_PROCESS_KEYRING:
@@ -572,6 +591,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
572 591
573 key = context->signal->process_keyring; 592 key = context->signal->process_keyring;
574 atomic_inc(&key->usage); 593 atomic_inc(&key->usage);
594 key_ref = make_key_ref(key, 1);
575 break; 595 break;
576 596
577 case KEY_SPEC_SESSION_KEYRING: 597 case KEY_SPEC_SESSION_KEYRING:
@@ -579,7 +599,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
579 /* always install a session keyring upon access if one 599 /* always install a session keyring upon access if one
580 * doesn't exist yet */ 600 * doesn't exist yet */
581 ret = install_session_keyring( 601 ret = install_session_keyring(
582 context, context->user->session_keyring); 602 context, context->user->session_keyring);
583 if (ret < 0) 603 if (ret < 0)
584 goto error; 604 goto error;
585 } 605 }
@@ -588,16 +608,19 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
588 key = rcu_dereference(context->signal->session_keyring); 608 key = rcu_dereference(context->signal->session_keyring);
589 atomic_inc(&key->usage); 609 atomic_inc(&key->usage);
590 rcu_read_unlock(); 610 rcu_read_unlock();
611 key_ref = make_key_ref(key, 1);
591 break; 612 break;
592 613
593 case KEY_SPEC_USER_KEYRING: 614 case KEY_SPEC_USER_KEYRING:
594 key = context->user->uid_keyring; 615 key = context->user->uid_keyring;
595 atomic_inc(&key->usage); 616 atomic_inc(&key->usage);
617 key_ref = make_key_ref(key, 1);
596 break; 618 break;
597 619
598 case KEY_SPEC_USER_SESSION_KEYRING: 620 case KEY_SPEC_USER_SESSION_KEYRING:
599 key = context->user->session_keyring; 621 key = context->user->session_keyring;
600 atomic_inc(&key->usage); 622 atomic_inc(&key->usage);
623 key_ref = make_key_ref(key, 1);
601 break; 624 break;
602 625
603 case KEY_SPEC_GROUP_KEYRING: 626 case KEY_SPEC_GROUP_KEYRING:
@@ -606,13 +629,28 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
606 goto error; 629 goto error;
607 630
608 default: 631 default:
609 key = ERR_PTR(-EINVAL); 632 key_ref = ERR_PTR(-EINVAL);
610 if (id < 1) 633 if (id < 1)
611 goto error; 634 goto error;
612 635
613 key = key_lookup(id); 636 key = key_lookup(id);
614 if (IS_ERR(key)) 637 if (IS_ERR(key)) {
638 key_ref = ERR_PTR(PTR_ERR(key));
615 goto error; 639 goto error;
640 }
641
642 key_ref = make_key_ref(key, 0);
643
644 /* check to see if we possess the key */
645 skey_ref = search_process_keyrings(key->type, key,
646 lookup_user_key_possessed,
647 current);
648
649 if (!IS_ERR(skey_ref)) {
650 key_put(key);
651 key_ref = skey_ref;
652 }
653
616 break; 654 break;
617 } 655 }
618 656
@@ -630,15 +668,15 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
630 /* check the permissions */ 668 /* check the permissions */
631 ret = -EACCES; 669 ret = -EACCES;
632 670
633 if (!key_task_permission(key, context, perm)) 671 if (!key_task_permission(key_ref, context, perm))
634 goto invalid_key; 672 goto invalid_key;
635 673
636 error: 674error:
637 return key; 675 return key_ref;
638 676
639 invalid_key: 677invalid_key:
640 key_put(key); 678 key_ref_put(key_ref);
641 key = ERR_PTR(ret); 679 key_ref = ERR_PTR(ret);
642 goto error; 680 goto error;
643 681
644} /* end lookup_user_key() */ 682} /* end lookup_user_key() */
@@ -694,9 +732,9 @@ long join_session_keyring(const char *name)
694 ret = keyring->serial; 732 ret = keyring->serial;
695 key_put(keyring); 733 key_put(keyring);
696 734
697 error2: 735error2:
698 up(&key_session_sem); 736 up(&key_session_sem);
699 error: 737error:
700 return ret; 738 return ret;
701 739
702} /* end join_session_keyring() */ 740} /* end join_session_keyring() */
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 90c1506d007c..e6dd366d43a3 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -129,7 +129,7 @@ static struct key *__request_key_construction(struct key_type *type,
129 129
130 /* create a key and add it to the queue */ 130 /* create a key and add it to the queue */
131 key = key_alloc(type, description, 131 key = key_alloc(type, description,
132 current->fsuid, current->fsgid, KEY_USR_ALL, 0); 132 current->fsuid, current->fsgid, KEY_POS_ALL, 0);
133 if (IS_ERR(key)) 133 if (IS_ERR(key))
134 goto alloc_failed; 134 goto alloc_failed;
135 135
@@ -365,14 +365,24 @@ struct key *request_key_and_link(struct key_type *type,
365{ 365{
366 struct key_user *user; 366 struct key_user *user;
367 struct key *key; 367 struct key *key;
368 key_ref_t key_ref;
368 369
369 kenter("%s,%s,%s,%p", 370 kenter("%s,%s,%s,%p",
370 type->name, description, callout_info, dest_keyring); 371 type->name, description, callout_info, dest_keyring);
371 372
372 /* search all the process keyrings for a key */ 373 /* search all the process keyrings for a key */
373 key = search_process_keyrings(type, description, type->match, current); 374 key_ref = search_process_keyrings(type, description, type->match,
375 current);
374 376
375 if (PTR_ERR(key) == -EAGAIN) { 377 kdebug("search 1: %p", key_ref);
378
379 if (!IS_ERR(key_ref)) {
380 key = key_ref_to_ptr(key_ref);
381 }
382 else if (PTR_ERR(key_ref) != -EAGAIN) {
383 key = ERR_PTR(PTR_ERR(key_ref));
384 }
385 else {
376 /* the search failed, but the keyrings were searchable, so we 386 /* the search failed, but the keyrings were searchable, so we
377 * should consult userspace if we can */ 387 * should consult userspace if we can */
378 key = ERR_PTR(-ENOKEY); 388 key = ERR_PTR(-ENOKEY);
@@ -384,7 +394,7 @@ struct key *request_key_and_link(struct key_type *type,
384 if (!user) 394 if (!user)
385 goto nomem; 395 goto nomem;
386 396
387 do { 397 for (;;) {
388 if (signal_pending(current)) 398 if (signal_pending(current))
389 goto interrupted; 399 goto interrupted;
390 400
@@ -397,10 +407,22 @@ struct key *request_key_and_link(struct key_type *type,
397 407
398 /* someone else made the key we want, so we need to 408 /* someone else made the key we want, so we need to
399 * search again as it might now be available to us */ 409 * search again as it might now be available to us */
400 key = search_process_keyrings(type, description, 410 key_ref = search_process_keyrings(type, description,
401 type->match, current); 411 type->match,
412 current);
413
414 kdebug("search 2: %p", key_ref);
402 415
403 } while (PTR_ERR(key) == -EAGAIN); 416 if (!IS_ERR(key_ref)) {
417 key = key_ref_to_ptr(key_ref);
418 break;
419 }
420
421 if (PTR_ERR(key_ref) != -EAGAIN) {
422 key = ERR_PTR(PTR_ERR(key_ref));
423 break;
424 }
425 }
404 426
405 key_user_put(user); 427 key_user_put(user);
406 428
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index f22264632229..1ecd3d3fa9f8 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -126,7 +126,7 @@ struct key *request_key_auth_new(struct key *target, struct key **_rkakey)
126 126
127 rkakey = key_alloc(&key_type_request_key_auth, desc, 127 rkakey = key_alloc(&key_type_request_key_auth, desc,
128 current->fsuid, current->fsgid, 128 current->fsuid, current->fsgid,
129 KEY_USR_VIEW, 1); 129 KEY_POS_VIEW | KEY_USR_VIEW, 1);
130 if (IS_ERR(rkakey)) { 130 if (IS_ERR(rkakey)) {
131 key_put(keyring); 131 key_put(keyring);
132 kleave("= %ld", PTR_ERR(rkakey)); 132 kleave("= %ld", PTR_ERR(rkakey));