aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig1
-rw-r--r--security/Makefile2
-rw-r--r--security/inode.c347
-rw-r--r--security/keys/internal.h26
-rw-r--r--security/keys/key.c81
-rw-r--r--security/keys/keyctl.c301
-rw-r--r--security/keys/keyring.c86
-rw-r--r--security/keys/proc.c2
-rw-r--r--security/keys/process_keys.c164
-rw-r--r--security/keys/request_key.c36
-rw-r--r--security/keys/request_key_auth.c2
-rw-r--r--security/seclvl.c237
-rw-r--r--security/selinux/avc.c4
-rw-r--r--security/selinux/hooks.c32
-rw-r--r--security/selinux/ss/services.c4
15 files changed, 841 insertions, 484 deletions
diff --git a/security/Kconfig b/security/Kconfig
index dcf04a09185d..64d3f1e9ca85 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -35,6 +35,7 @@ config KEYS_DEBUG_PROC_KEYS
35 35
36config SECURITY 36config SECURITY
37 bool "Enable different security models" 37 bool "Enable different security models"
38 depends on SYSFS
38 help 39 help
39 This allows you to choose different security modules to be 40 This allows you to choose different security modules to be
40 configured into your kernel. 41 configured into your kernel.
diff --git a/security/Makefile b/security/Makefile
index 197cc2f3f1ec..8cbbf2f36709 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -11,7 +11,7 @@ obj-y += commoncap.o
11endif 11endif
12 12
13# Object file lists 13# Object file lists
14obj-$(CONFIG_SECURITY) += security.o dummy.o 14obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o
15# Must precede capability.o in order to stack properly. 15# Must precede capability.o in order to stack properly.
16obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o 16obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
17obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o 17obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
diff --git a/security/inode.c b/security/inode.c
new file mode 100644
index 000000000000..a5964502ae30
--- /dev/null
+++ b/security/inode.c
@@ -0,0 +1,347 @@
1/*
2 * inode.c - securityfs
3 *
4 * Copyright (C) 2005 Greg Kroah-Hartman <gregkh@suse.de>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License version
8 * 2 as published by the Free Software Foundation.
9 *
10 * Based on fs/debugfs/inode.c which had the following copyright notice:
11 * Copyright (C) 2004 Greg Kroah-Hartman <greg@kroah.com>
12 * Copyright (C) 2004 IBM Inc.
13 */
14
15/* #define DEBUG */
16#include <linux/config.h>
17#include <linux/module.h>
18#include <linux/fs.h>
19#include <linux/mount.h>
20#include <linux/pagemap.h>
21#include <linux/init.h>
22#include <linux/namei.h>
23#include <linux/security.h>
24
25#define SECURITYFS_MAGIC 0x73636673
26
27static struct vfsmount *mount;
28static int mount_count;
29
30/*
31 * TODO:
32 * I think I can get rid of these default_file_ops, but not quite sure...
33 */
34static ssize_t default_read_file(struct file *file, char __user *buf,
35 size_t count, loff_t *ppos)
36{
37 return 0;
38}
39
40static ssize_t default_write_file(struct file *file, const char __user *buf,
41 size_t count, loff_t *ppos)
42{
43 return count;
44}
45
46static int default_open(struct inode *inode, struct file *file)
47{
48 if (inode->u.generic_ip)
49 file->private_data = inode->u.generic_ip;
50
51 return 0;
52}
53
54static struct file_operations default_file_ops = {
55 .read = default_read_file,
56 .write = default_write_file,
57 .open = default_open,
58};
59
60static struct inode *get_inode(struct super_block *sb, int mode, dev_t dev)
61{
62 struct inode *inode = new_inode(sb);
63
64 if (inode) {
65 inode->i_mode = mode;
66 inode->i_uid = 0;
67 inode->i_gid = 0;
68 inode->i_blksize = PAGE_CACHE_SIZE;
69 inode->i_blocks = 0;
70 inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
71 switch (mode & S_IFMT) {
72 default:
73 init_special_inode(inode, mode, dev);
74 break;
75 case S_IFREG:
76 inode->i_fop = &default_file_ops;
77 break;
78 case S_IFDIR:
79 inode->i_op = &simple_dir_inode_operations;
80 inode->i_fop = &simple_dir_operations;
81
82 /* directory inodes start off with i_nlink == 2 (for "." entry) */
83 inode->i_nlink++;
84 break;
85 }
86 }
87 return inode;
88}
89
90/* SMP-safe */
91static int mknod(struct inode *dir, struct dentry *dentry,
92 int mode, dev_t dev)
93{
94 struct inode *inode;
95 int error = -EPERM;
96
97 if (dentry->d_inode)
98 return -EEXIST;
99
100 inode = get_inode(dir->i_sb, mode, dev);
101 if (inode) {
102 d_instantiate(dentry, inode);
103 dget(dentry);
104 error = 0;
105 }
106 return error;
107}
108
109static int mkdir(struct inode *dir, struct dentry *dentry, int mode)
110{
111 int res;
112
113 mode = (mode & (S_IRWXUGO | S_ISVTX)) | S_IFDIR;
114 res = mknod(dir, dentry, mode, 0);
115 if (!res)
116 dir->i_nlink++;
117 return res;
118}
119
120static int create(struct inode *dir, struct dentry *dentry, int mode)
121{
122 mode = (mode & S_IALLUGO) | S_IFREG;
123 return mknod(dir, dentry, mode, 0);
124}
125
126static inline int positive(struct dentry *dentry)
127{
128 return dentry->d_inode && !d_unhashed(dentry);
129}
130
131static int fill_super(struct super_block *sb, void *data, int silent)
132{
133 static struct tree_descr files[] = {{""}};
134
135 return simple_fill_super(sb, SECURITYFS_MAGIC, files);
136}
137
138static struct super_block *get_sb(struct file_system_type *fs_type,
139 int flags, const char *dev_name,
140 void *data)
141{
142 return get_sb_single(fs_type, flags, data, fill_super);
143}
144
145static struct file_system_type fs_type = {
146 .owner = THIS_MODULE,
147 .name = "securityfs",
148 .get_sb = get_sb,
149 .kill_sb = kill_litter_super,
150};
151
152static int create_by_name(const char *name, mode_t mode,
153 struct dentry *parent,
154 struct dentry **dentry)
155{
156 int error = 0;
157
158 *dentry = NULL;
159
160 /* If the parent is not specified, we create it in the root.
161 * We need the root dentry to do this, which is in the super
162 * block. A pointer to that is in the struct vfsmount that we
163 * have around.
164 */
165 if (!parent ) {
166 if (mount && mount->mnt_sb) {
167 parent = mount->mnt_sb->s_root;
168 }
169 }
170 if (!parent) {
171 pr_debug("securityfs: Ah! can not find a parent!\n");
172 return -EFAULT;
173 }
174
175 down(&parent->d_inode->i_sem);
176 *dentry = lookup_one_len(name, parent, strlen(name));
177 if (!IS_ERR(dentry)) {
178 if ((mode & S_IFMT) == S_IFDIR)
179 error = mkdir(parent->d_inode, *dentry, mode);
180 else
181 error = create(parent->d_inode, *dentry, mode);
182 } else
183 error = PTR_ERR(dentry);
184 up(&parent->d_inode->i_sem);
185
186 return error;
187}
188
189/**
190 * securityfs_create_file - create a file in the securityfs filesystem
191 *
192 * @name: a pointer to a string containing the name of the file to create.
193 * @mode: the permission that the file should have
194 * @parent: a pointer to the parent dentry for this file. This should be a
195 * directory dentry if set. If this paramater is NULL, then the
196 * file will be created in the root of the securityfs filesystem.
197 * @data: a pointer to something that the caller will want to get to later
198 * on. The inode.u.generic_ip pointer will point to this value on
199 * the open() call.
200 * @fops: a pointer to a struct file_operations that should be used for
201 * this file.
202 *
203 * This is the basic "create a file" function for securityfs. It allows for a
204 * wide range of flexibility in createing a file, or a directory (if you
205 * want to create a directory, the securityfs_create_dir() function is
206 * recommended to be used instead.)
207 *
208 * This function will return a pointer to a dentry if it succeeds. This
209 * pointer must be passed to the securityfs_remove() function when the file is
210 * to be removed (no automatic cleanup happens if your module is unloaded,
211 * you are responsible here.) If an error occurs, NULL will be returned.
212 *
213 * If securityfs is not enabled in the kernel, the value -ENODEV will be
214 * returned. It is not wise to check for this value, but rather, check for
215 * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
216 * code.
217 */
218struct dentry *securityfs_create_file(const char *name, mode_t mode,
219 struct dentry *parent, void *data,
220 struct file_operations *fops)
221{
222 struct dentry *dentry = NULL;
223 int error;
224
225 pr_debug("securityfs: creating file '%s'\n",name);
226
227 error = simple_pin_fs("securityfs", &mount, &mount_count);
228 if (error) {
229 dentry = ERR_PTR(error);
230 goto exit;
231 }
232
233 error = create_by_name(name, mode, parent, &dentry);
234 if (error) {
235 dentry = ERR_PTR(error);
236 simple_release_fs(&mount, &mount_count);
237 goto exit;
238 }
239
240 if (dentry->d_inode) {
241 if (fops)
242 dentry->d_inode->i_fop = fops;
243 if (data)
244 dentry->d_inode->u.generic_ip = data;
245 }
246exit:
247 return dentry;
248}
249EXPORT_SYMBOL_GPL(securityfs_create_file);
250
251/**
252 * securityfs_create_dir - create a directory in the securityfs filesystem
253 *
254 * @name: a pointer to a string containing the name of the directory to
255 * create.
256 * @parent: a pointer to the parent dentry for this file. This should be a
257 * directory dentry if set. If this paramater is NULL, then the
258 * directory will be created in the root of the securityfs filesystem.
259 *
260 * This function creates a directory in securityfs with the given name.
261 *
262 * This function will return a pointer to a dentry if it succeeds. This
263 * pointer must be passed to the securityfs_remove() function when the file is
264 * to be removed (no automatic cleanup happens if your module is unloaded,
265 * you are responsible here.) If an error occurs, NULL will be returned.
266 *
267 * If securityfs is not enabled in the kernel, the value -ENODEV will be
268 * returned. It is not wise to check for this value, but rather, check for
269 * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
270 * code.
271 */
272struct dentry *securityfs_create_dir(const char *name, struct dentry *parent)
273{
274 return securityfs_create_file(name,
275 S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
276 parent, NULL, NULL);
277}
278EXPORT_SYMBOL_GPL(securityfs_create_dir);
279
280/**
281 * securityfs_remove - removes a file or directory from the securityfs filesystem
282 *
283 * @dentry: a pointer to a the dentry of the file or directory to be
284 * removed.
285 *
286 * This function removes a file or directory in securityfs that was previously
287 * created with a call to another securityfs function (like
288 * securityfs_create_file() or variants thereof.)
289 *
290 * This function is required to be called in order for the file to be
291 * removed, no automatic cleanup of files will happen when a module is
292 * removed, you are responsible here.
293 */
294void securityfs_remove(struct dentry *dentry)
295{
296 struct dentry *parent;
297
298 if (!dentry)
299 return;
300
301 parent = dentry->d_parent;
302 if (!parent || !parent->d_inode)
303 return;
304
305 down(&parent->d_inode->i_sem);
306 if (positive(dentry)) {
307 if (dentry->d_inode) {
308 if (S_ISDIR(dentry->d_inode->i_mode))
309 simple_rmdir(parent->d_inode, dentry);
310 else
311 simple_unlink(parent->d_inode, dentry);
312 dput(dentry);
313 }
314 }
315 up(&parent->d_inode->i_sem);
316 simple_release_fs(&mount, &mount_count);
317}
318EXPORT_SYMBOL_GPL(securityfs_remove);
319
320static decl_subsys(security, NULL, NULL);
321
322static int __init securityfs_init(void)
323{
324 int retval;
325
326 kset_set_kset_s(&security_subsys, kernel_subsys);
327 retval = subsystem_register(&security_subsys);
328 if (retval)
329 return retval;
330
331 retval = register_filesystem(&fs_type);
332 if (retval)
333 subsystem_unregister(&security_subsys);
334 return retval;
335}
336
337static void __exit securityfs_exit(void)
338{
339 simple_release_fs(&mount, &mount_count);
340 unregister_filesystem(&fs_type);
341 subsystem_unregister(&security_subsys);
342}
343
344core_initcall(securityfs_init);
345module_exit(securityfs_exit);
346MODULE_LICENSE("GPL");
347
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 46c8602661c9..db99ed434f3a 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -71,26 +71,26 @@ extern void keyring_publish_name(struct key *keyring);
71 71
72extern int __key_link(struct key *keyring, struct key *key); 72extern int __key_link(struct key *keyring, struct key *key);
73 73
74extern struct key *__keyring_search_one(struct key *keyring, 74extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
75 const struct key_type *type, 75 const struct key_type *type,
76 const char *description, 76 const char *description,
77 key_perm_t perm); 77 key_perm_t perm);
78 78
79extern struct key *keyring_search_instkey(struct key *keyring, 79extern struct key *keyring_search_instkey(struct key *keyring,
80 key_serial_t target_id); 80 key_serial_t target_id);
81 81
82typedef int (*key_match_func_t)(const struct key *, const void *); 82typedef int (*key_match_func_t)(const struct key *, const void *);
83 83
84extern struct key *keyring_search_aux(struct key *keyring, 84extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
85 struct task_struct *tsk, 85 struct task_struct *tsk,
86 struct key_type *type, 86 struct key_type *type,
87 const void *description, 87 const void *description,
88 key_match_func_t match); 88 key_match_func_t match);
89 89
90extern struct key *search_process_keyrings(struct key_type *type, 90extern key_ref_t search_process_keyrings(struct key_type *type,
91 const void *description, 91 const void *description,
92 key_match_func_t match, 92 key_match_func_t match,
93 struct task_struct *tsk); 93 struct task_struct *tsk);
94 94
95extern struct key *find_keyring_by_name(const char *name, key_serial_t bound); 95extern struct key *find_keyring_by_name(const char *name, key_serial_t bound);
96 96
diff --git a/security/keys/key.c b/security/keys/key.c
index fb89f9844465..2182be9e9309 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -693,14 +693,15 @@ void key_type_put(struct key_type *ktype)
693 * - the key has an incremented refcount 693 * - the key has an incremented refcount
694 * - we need to put the key if we get an error 694 * - we need to put the key if we get an error
695 */ 695 */
696static inline struct key *__key_update(struct key *key, const void *payload, 696static inline key_ref_t __key_update(key_ref_t key_ref,
697 size_t plen) 697 const void *payload, size_t plen)
698{ 698{
699 struct key *key = key_ref_to_ptr(key_ref);
699 int ret; 700 int ret;
700 701
701 /* need write permission on the key to update it */ 702 /* need write permission on the key to update it */
702 ret = -EACCES; 703 ret = -EACCES;
703 if (!key_permission(key, KEY_WRITE)) 704 if (!key_permission(key_ref, KEY_WRITE))
704 goto error; 705 goto error;
705 706
706 ret = -EEXIST; 707 ret = -EEXIST;
@@ -719,12 +720,12 @@ static inline struct key *__key_update(struct key *key, const void *payload,
719 720
720 if (ret < 0) 721 if (ret < 0)
721 goto error; 722 goto error;
722 out: 723out:
723 return key; 724 return key_ref;
724 725
725 error: 726error:
726 key_put(key); 727 key_put(key);
727 key = ERR_PTR(ret); 728 key_ref = ERR_PTR(ret);
728 goto out; 729 goto out;
729 730
730} /* end __key_update() */ 731} /* end __key_update() */
@@ -734,52 +735,56 @@ static inline struct key *__key_update(struct key *key, const void *payload,
734 * search the specified keyring for a key of the same description; if one is 735 * search the specified keyring for a key of the same description; if one is
735 * found, update it, otherwise add a new one 736 * found, update it, otherwise add a new one
736 */ 737 */
737struct key *key_create_or_update(struct key *keyring, 738key_ref_t key_create_or_update(key_ref_t keyring_ref,
738 const char *type, 739 const char *type,
739 const char *description, 740 const char *description,
740 const void *payload, 741 const void *payload,
741 size_t plen, 742 size_t plen,
742 int not_in_quota) 743 int not_in_quota)
743{ 744{
744 struct key_type *ktype; 745 struct key_type *ktype;
745 struct key *key = NULL; 746 struct key *keyring, *key = NULL;
746 key_perm_t perm; 747 key_perm_t perm;
748 key_ref_t key_ref;
747 int ret; 749 int ret;
748 750
749 key_check(keyring);
750
751 /* look up the key type to see if it's one of the registered kernel 751 /* look up the key type to see if it's one of the registered kernel
752 * types */ 752 * types */
753 ktype = key_type_lookup(type); 753 ktype = key_type_lookup(type);
754 if (IS_ERR(ktype)) { 754 if (IS_ERR(ktype)) {
755 key = ERR_PTR(-ENODEV); 755 key_ref = ERR_PTR(-ENODEV);
756 goto error; 756 goto error;
757 } 757 }
758 758
759 ret = -EINVAL; 759 key_ref = ERR_PTR(-EINVAL);
760 if (!ktype->match || !ktype->instantiate) 760 if (!ktype->match || !ktype->instantiate)
761 goto error_2; 761 goto error_2;
762 762
763 keyring = key_ref_to_ptr(keyring_ref);
764
765 key_check(keyring);
766
767 down_write(&keyring->sem);
768
769 /* if we're going to allocate a new key, we're going to have
770 * to modify the keyring */
771 key_ref = ERR_PTR(-EACCES);
772 if (!key_permission(keyring_ref, KEY_WRITE))
773 goto error_3;
774
763 /* search for an existing key of the same type and description in the 775 /* search for an existing key of the same type and description in the
764 * destination keyring 776 * destination keyring
765 */ 777 */
766 down_write(&keyring->sem); 778 key_ref = __keyring_search_one(keyring_ref, ktype, description, 0);
767 779 if (!IS_ERR(key_ref))
768 key = __keyring_search_one(keyring, ktype, description, 0);
769 if (!IS_ERR(key))
770 goto found_matching_key; 780 goto found_matching_key;
771 781
772 /* if we're going to allocate a new key, we're going to have to modify
773 * the keyring */
774 ret = -EACCES;
775 if (!key_permission(keyring, KEY_WRITE))
776 goto error_3;
777
778 /* decide on the permissions we want */ 782 /* decide on the permissions we want */
779 perm = KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK; 783 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK;
784 perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK;
780 785
781 if (ktype->read) 786 if (ktype->read)
782 perm |= KEY_USR_READ; 787 perm |= KEY_POS_READ | KEY_USR_READ;
783 788
784 if (ktype == &key_type_keyring || ktype->update) 789 if (ktype == &key_type_keyring || ktype->update)
785 perm |= KEY_USR_WRITE; 790 perm |= KEY_USR_WRITE;
@@ -788,7 +793,7 @@ struct key *key_create_or_update(struct key *keyring,
788 key = key_alloc(ktype, description, current->fsuid, current->fsgid, 793 key = key_alloc(ktype, description, current->fsuid, current->fsgid,
789 perm, not_in_quota); 794 perm, not_in_quota);
790 if (IS_ERR(key)) { 795 if (IS_ERR(key)) {
791 ret = PTR_ERR(key); 796 key_ref = ERR_PTR(PTR_ERR(key));
792 goto error_3; 797 goto error_3;
793 } 798 }
794 799
@@ -796,15 +801,18 @@ struct key *key_create_or_update(struct key *keyring,
796 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL); 801 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
797 if (ret < 0) { 802 if (ret < 0) {
798 key_put(key); 803 key_put(key);
799 key = ERR_PTR(ret); 804 key_ref = ERR_PTR(ret);
805 goto error_3;
800 } 806 }
801 807
808 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
809
802 error_3: 810 error_3:
803 up_write(&keyring->sem); 811 up_write(&keyring->sem);
804 error_2: 812 error_2:
805 key_type_put(ktype); 813 key_type_put(ktype);
806 error: 814 error:
807 return key; 815 return key_ref;
808 816
809 found_matching_key: 817 found_matching_key:
810 /* we found a matching key, so we're going to try to update it 818 /* we found a matching key, so we're going to try to update it
@@ -813,7 +821,7 @@ struct key *key_create_or_update(struct key *keyring,
813 up_write(&keyring->sem); 821 up_write(&keyring->sem);
814 key_type_put(ktype); 822 key_type_put(ktype);
815 823
816 key = __key_update(key, payload, plen); 824 key_ref = __key_update(key_ref, payload, plen);
817 goto error; 825 goto error;
818 826
819} /* end key_create_or_update() */ 827} /* end key_create_or_update() */
@@ -824,15 +832,16 @@ EXPORT_SYMBOL(key_create_or_update);
824/* 832/*
825 * update a key 833 * update a key
826 */ 834 */
827int key_update(struct key *key, const void *payload, size_t plen) 835int key_update(key_ref_t key_ref, const void *payload, size_t plen)
828{ 836{
837 struct key *key = key_ref_to_ptr(key_ref);
829 int ret; 838 int ret;
830 839
831 key_check(key); 840 key_check(key);
832 841
833 /* the key must be writable */ 842 /* the key must be writable */
834 ret = -EACCES; 843 ret = -EACCES;
835 if (!key_permission(key, KEY_WRITE)) 844 if (!key_permission(key_ref, KEY_WRITE))
836 goto error; 845 goto error;
837 846
838 /* attempt to update it if supported */ 847 /* attempt to update it if supported */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index a6516a64b297..4c670ee6acf9 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -34,7 +34,7 @@ asmlinkage long sys_add_key(const char __user *_type,
34 size_t plen, 34 size_t plen,
35 key_serial_t ringid) 35 key_serial_t ringid)
36{ 36{
37 struct key *keyring, *key; 37 key_ref_t keyring_ref, key_ref;
38 char type[32], *description; 38 char type[32], *description;
39 void *payload; 39 void *payload;
40 long dlen, ret; 40 long dlen, ret;
@@ -86,25 +86,25 @@ asmlinkage long sys_add_key(const char __user *_type,
86 } 86 }
87 87
88 /* find the target keyring (which must be writable) */ 88 /* find the target keyring (which must be writable) */
89 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 89 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
90 if (IS_ERR(keyring)) { 90 if (IS_ERR(keyring_ref)) {
91 ret = PTR_ERR(keyring); 91 ret = PTR_ERR(keyring_ref);
92 goto error3; 92 goto error3;
93 } 93 }
94 94
95 /* create or update the requested key and add it to the target 95 /* create or update the requested key and add it to the target
96 * keyring */ 96 * keyring */
97 key = key_create_or_update(keyring, type, description, 97 key_ref = key_create_or_update(keyring_ref, type, description,
98 payload, plen, 0); 98 payload, plen, 0);
99 if (!IS_ERR(key)) { 99 if (!IS_ERR(key_ref)) {
100 ret = key->serial; 100 ret = key_ref_to_ptr(key_ref)->serial;
101 key_put(key); 101 key_ref_put(key_ref);
102 } 102 }
103 else { 103 else {
104 ret = PTR_ERR(key); 104 ret = PTR_ERR(key_ref);
105 } 105 }
106 106
107 key_put(keyring); 107 key_ref_put(keyring_ref);
108 error3: 108 error3:
109 kfree(payload); 109 kfree(payload);
110 error2: 110 error2:
@@ -131,7 +131,8 @@ asmlinkage long sys_request_key(const char __user *_type,
131 key_serial_t destringid) 131 key_serial_t destringid)
132{ 132{
133 struct key_type *ktype; 133 struct key_type *ktype;
134 struct key *key, *dest; 134 struct key *key;
135 key_ref_t dest_ref;
135 char type[32], *description, *callout_info; 136 char type[32], *description, *callout_info;
136 long dlen, ret; 137 long dlen, ret;
137 138
@@ -187,11 +188,11 @@ asmlinkage long sys_request_key(const char __user *_type,
187 } 188 }
188 189
189 /* get the destination keyring if specified */ 190 /* get the destination keyring if specified */
190 dest = NULL; 191 dest_ref = NULL;
191 if (destringid) { 192 if (destringid) {
192 dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 193 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
193 if (IS_ERR(dest)) { 194 if (IS_ERR(dest_ref)) {
194 ret = PTR_ERR(dest); 195 ret = PTR_ERR(dest_ref);
195 goto error3; 196 goto error3;
196 } 197 }
197 } 198 }
@@ -204,7 +205,8 @@ asmlinkage long sys_request_key(const char __user *_type,
204 } 205 }
205 206
206 /* do the search */ 207 /* do the search */
207 key = request_key_and_link(ktype, description, callout_info, dest); 208 key = request_key_and_link(ktype, description, callout_info,
209 key_ref_to_ptr(dest_ref));
208 if (IS_ERR(key)) { 210 if (IS_ERR(key)) {
209 ret = PTR_ERR(key); 211 ret = PTR_ERR(key);
210 goto error5; 212 goto error5;
@@ -216,7 +218,7 @@ asmlinkage long sys_request_key(const char __user *_type,
216 error5: 218 error5:
217 key_type_put(ktype); 219 key_type_put(ktype);
218 error4: 220 error4:
219 key_put(dest); 221 key_ref_put(dest_ref);
220 error3: 222 error3:
221 kfree(callout_info); 223 kfree(callout_info);
222 error2: 224 error2:
@@ -234,17 +236,17 @@ asmlinkage long sys_request_key(const char __user *_type,
234 */ 236 */
235long keyctl_get_keyring_ID(key_serial_t id, int create) 237long keyctl_get_keyring_ID(key_serial_t id, int create)
236{ 238{
237 struct key *key; 239 key_ref_t key_ref;
238 long ret; 240 long ret;
239 241
240 key = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 242 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH);
241 if (IS_ERR(key)) { 243 if (IS_ERR(key_ref)) {
242 ret = PTR_ERR(key); 244 ret = PTR_ERR(key_ref);
243 goto error; 245 goto error;
244 } 246 }
245 247
246 ret = key->serial; 248 ret = key_ref_to_ptr(key_ref)->serial;
247 key_put(key); 249 key_ref_put(key_ref);
248 error: 250 error:
249 return ret; 251 return ret;
250 252
@@ -302,7 +304,7 @@ long keyctl_update_key(key_serial_t id,
302 const void __user *_payload, 304 const void __user *_payload,
303 size_t plen) 305 size_t plen)
304{ 306{
305 struct key *key; 307 key_ref_t key_ref;
306 void *payload; 308 void *payload;
307 long ret; 309 long ret;
308 310
@@ -324,16 +326,16 @@ long keyctl_update_key(key_serial_t id,
324 } 326 }
325 327
326 /* find the target key (which must be writable) */ 328 /* find the target key (which must be writable) */
327 key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 329 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
328 if (IS_ERR(key)) { 330 if (IS_ERR(key_ref)) {
329 ret = PTR_ERR(key); 331 ret = PTR_ERR(key_ref);
330 goto error2; 332 goto error2;
331 } 333 }
332 334
333 /* update the key */ 335 /* update the key */
334 ret = key_update(key, payload, plen); 336 ret = key_update(key_ref, payload, plen);
335 337
336 key_put(key); 338 key_ref_put(key_ref);
337 error2: 339 error2:
338 kfree(payload); 340 kfree(payload);
339 error: 341 error:
@@ -349,19 +351,19 @@ long keyctl_update_key(key_serial_t id,
349 */ 351 */
350long keyctl_revoke_key(key_serial_t id) 352long keyctl_revoke_key(key_serial_t id)
351{ 353{
352 struct key *key; 354 key_ref_t key_ref;
353 long ret; 355 long ret;
354 356
355 key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 357 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
356 if (IS_ERR(key)) { 358 if (IS_ERR(key_ref)) {
357 ret = PTR_ERR(key); 359 ret = PTR_ERR(key_ref);
358 goto error; 360 goto error;
359 } 361 }
360 362
361 key_revoke(key); 363 key_revoke(key_ref_to_ptr(key_ref));
362 ret = 0; 364 ret = 0;
363 365
364 key_put(key); 366 key_ref_put(key_ref);
365 error: 367 error:
366 return ret; 368 return ret;
367 369
@@ -375,18 +377,18 @@ long keyctl_revoke_key(key_serial_t id)
375 */ 377 */
376long keyctl_keyring_clear(key_serial_t ringid) 378long keyctl_keyring_clear(key_serial_t ringid)
377{ 379{
378 struct key *keyring; 380 key_ref_t keyring_ref;
379 long ret; 381 long ret;
380 382
381 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 383 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
382 if (IS_ERR(keyring)) { 384 if (IS_ERR(keyring_ref)) {
383 ret = PTR_ERR(keyring); 385 ret = PTR_ERR(keyring_ref);
384 goto error; 386 goto error;
385 } 387 }
386 388
387 ret = keyring_clear(keyring); 389 ret = keyring_clear(key_ref_to_ptr(keyring_ref));
388 390
389 key_put(keyring); 391 key_ref_put(keyring_ref);
390 error: 392 error:
391 return ret; 393 return ret;
392 394
@@ -401,26 +403,26 @@ long keyctl_keyring_clear(key_serial_t ringid)
401 */ 403 */
402long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 404long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
403{ 405{
404 struct key *keyring, *key; 406 key_ref_t keyring_ref, key_ref;
405 long ret; 407 long ret;
406 408
407 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 409 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
408 if (IS_ERR(keyring)) { 410 if (IS_ERR(keyring_ref)) {
409 ret = PTR_ERR(keyring); 411 ret = PTR_ERR(keyring_ref);
410 goto error; 412 goto error;
411 } 413 }
412 414
413 key = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 415 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK);
414 if (IS_ERR(key)) { 416 if (IS_ERR(key_ref)) {
415 ret = PTR_ERR(key); 417 ret = PTR_ERR(key_ref);
416 goto error2; 418 goto error2;
417 } 419 }
418 420
419 ret = key_link(keyring, key); 421 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
420 422
421 key_put(key); 423 key_ref_put(key_ref);
422 error2: 424 error2:
423 key_put(keyring); 425 key_ref_put(keyring_ref);
424 error: 426 error:
425 return ret; 427 return ret;
426 428
@@ -435,26 +437,26 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
435 */ 437 */
436long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 438long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
437{ 439{
438 struct key *keyring, *key; 440 key_ref_t keyring_ref, key_ref;
439 long ret; 441 long ret;
440 442
441 keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 443 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE);
442 if (IS_ERR(keyring)) { 444 if (IS_ERR(keyring_ref)) {
443 ret = PTR_ERR(keyring); 445 ret = PTR_ERR(keyring_ref);
444 goto error; 446 goto error;
445 } 447 }
446 448
447 key = lookup_user_key(NULL, id, 0, 0, 0); 449 key_ref = lookup_user_key(NULL, id, 0, 0, 0);
448 if (IS_ERR(key)) { 450 if (IS_ERR(key_ref)) {
449 ret = PTR_ERR(key); 451 ret = PTR_ERR(key_ref);
450 goto error2; 452 goto error2;
451 } 453 }
452 454
453 ret = key_unlink(keyring, key); 455 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
454 456
455 key_put(key); 457 key_ref_put(key_ref);
456 error2: 458 error2:
457 key_put(keyring); 459 key_ref_put(keyring_ref);
458 error: 460 error:
459 return ret; 461 return ret;
460 462
@@ -476,24 +478,26 @@ long keyctl_describe_key(key_serial_t keyid,
476 size_t buflen) 478 size_t buflen)
477{ 479{
478 struct key *key, *instkey; 480 struct key *key, *instkey;
481 key_ref_t key_ref;
479 char *tmpbuf; 482 char *tmpbuf;
480 long ret; 483 long ret;
481 484
482 key = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 485 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
483 if (IS_ERR(key)) { 486 if (IS_ERR(key_ref)) {
484 /* viewing a key under construction is permitted if we have the 487 /* viewing a key under construction is permitted if we have the
485 * authorisation token handy */ 488 * authorisation token handy */
486 if (PTR_ERR(key) == -EACCES) { 489 if (PTR_ERR(key_ref) == -EACCES) {
487 instkey = key_get_instantiation_authkey(keyid); 490 instkey = key_get_instantiation_authkey(keyid);
488 if (!IS_ERR(instkey)) { 491 if (!IS_ERR(instkey)) {
489 key_put(instkey); 492 key_put(instkey);
490 key = lookup_user_key(NULL, keyid, 0, 1, 0); 493 key_ref = lookup_user_key(NULL, keyid,
491 if (!IS_ERR(key)) 494 0, 1, 0);
495 if (!IS_ERR(key_ref))
492 goto okay; 496 goto okay;
493 } 497 }
494 } 498 }
495 499
496 ret = PTR_ERR(key); 500 ret = PTR_ERR(key_ref);
497 goto error; 501 goto error;
498 } 502 }
499 503
@@ -504,13 +508,16 @@ okay:
504 if (!tmpbuf) 508 if (!tmpbuf)
505 goto error2; 509 goto error2;
506 510
511 key = key_ref_to_ptr(key_ref);
512
507 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 513 ret = snprintf(tmpbuf, PAGE_SIZE - 1,
508 "%s;%d;%d;%06x;%s", 514 "%s;%d;%d;%08x;%s",
509 key->type->name, 515 key_ref_to_ptr(key_ref)->type->name,
510 key->uid, 516 key_ref_to_ptr(key_ref)->uid,
511 key->gid, 517 key_ref_to_ptr(key_ref)->gid,
512 key->perm, 518 key_ref_to_ptr(key_ref)->perm,
513 key->description ? key->description :"" 519 key_ref_to_ptr(key_ref)->description ?
520 key_ref_to_ptr(key_ref)->description : ""
514 ); 521 );
515 522
516 /* include a NUL char at the end of the data */ 523 /* include a NUL char at the end of the data */
@@ -530,7 +537,7 @@ okay:
530 537
531 kfree(tmpbuf); 538 kfree(tmpbuf);
532 error2: 539 error2:
533 key_put(key); 540 key_ref_put(key_ref);
534 error: 541 error:
535 return ret; 542 return ret;
536 543
@@ -552,7 +559,7 @@ long keyctl_keyring_search(key_serial_t ringid,
552 key_serial_t destringid) 559 key_serial_t destringid)
553{ 560{
554 struct key_type *ktype; 561 struct key_type *ktype;
555 struct key *keyring, *key, *dest; 562 key_ref_t keyring_ref, key_ref, dest_ref;
556 char type[32], *description; 563 char type[32], *description;
557 long dlen, ret; 564 long dlen, ret;
558 565
@@ -581,18 +588,18 @@ long keyctl_keyring_search(key_serial_t ringid,
581 goto error2; 588 goto error2;
582 589
583 /* get the keyring at which to begin the search */ 590 /* get the keyring at which to begin the search */
584 keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 591 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH);
585 if (IS_ERR(keyring)) { 592 if (IS_ERR(keyring_ref)) {
586 ret = PTR_ERR(keyring); 593 ret = PTR_ERR(keyring_ref);
587 goto error2; 594 goto error2;
588 } 595 }
589 596
590 /* get the destination keyring if specified */ 597 /* get the destination keyring if specified */
591 dest = NULL; 598 dest_ref = NULL;
592 if (destringid) { 599 if (destringid) {
593 dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 600 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
594 if (IS_ERR(dest)) { 601 if (IS_ERR(dest_ref)) {
595 ret = PTR_ERR(dest); 602 ret = PTR_ERR(dest_ref);
596 goto error3; 603 goto error3;
597 } 604 }
598 } 605 }
@@ -605,9 +612,9 @@ long keyctl_keyring_search(key_serial_t ringid,
605 } 612 }
606 613
607 /* do the search */ 614 /* do the search */
608 key = keyring_search(keyring, ktype, description); 615 key_ref = keyring_search(keyring_ref, ktype, description);
609 if (IS_ERR(key)) { 616 if (IS_ERR(key_ref)) {
610 ret = PTR_ERR(key); 617 ret = PTR_ERR(key_ref);
611 618
612 /* treat lack or presence of a negative key the same */ 619 /* treat lack or presence of a negative key the same */
613 if (ret == -EAGAIN) 620 if (ret == -EAGAIN)
@@ -616,26 +623,26 @@ long keyctl_keyring_search(key_serial_t ringid,
616 } 623 }
617 624
618 /* link the resulting key to the destination keyring if we can */ 625 /* link the resulting key to the destination keyring if we can */
619 if (dest) { 626 if (dest_ref) {
620 ret = -EACCES; 627 ret = -EACCES;
621 if (!key_permission(key, KEY_LINK)) 628 if (!key_permission(key_ref, KEY_LINK))
622 goto error6; 629 goto error6;
623 630
624 ret = key_link(dest, key); 631 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
625 if (ret < 0) 632 if (ret < 0)
626 goto error6; 633 goto error6;
627 } 634 }
628 635
629 ret = key->serial; 636 ret = key_ref_to_ptr(key_ref)->serial;
630 637
631 error6: 638 error6:
632 key_put(key); 639 key_ref_put(key_ref);
633 error5: 640 error5:
634 key_type_put(ktype); 641 key_type_put(ktype);
635 error4: 642 error4:
636 key_put(dest); 643 key_ref_put(dest_ref);
637 error3: 644 error3:
638 key_put(keyring); 645 key_ref_put(keyring_ref);
639 error2: 646 error2:
640 kfree(description); 647 kfree(description);
641 error: 648 error:
@@ -645,16 +652,6 @@ long keyctl_keyring_search(key_serial_t ringid,
645 652
646/*****************************************************************************/ 653/*****************************************************************************/
647/* 654/*
648 * see if the key we're looking at is the target key
649 */
650static int keyctl_read_key_same(const struct key *key, const void *target)
651{
652 return key == target;
653
654} /* end keyctl_read_key_same() */
655
656/*****************************************************************************/
657/*
658 * read a user key's payload 655 * read a user key's payload
659 * - the keyring must be readable or the key must be searchable from the 656 * - the keyring must be readable or the key must be searchable from the
660 * process's keyrings 657 * process's keyrings
@@ -665,38 +662,33 @@ static int keyctl_read_key_same(const struct key *key, const void *target)
665 */ 662 */
666long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 663long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
667{ 664{
668 struct key *key, *skey; 665 struct key *key;
666 key_ref_t key_ref;
669 long ret; 667 long ret;
670 668
671 /* find the key first */ 669 /* find the key first */
672 key = lookup_user_key(NULL, keyid, 0, 0, 0); 670 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0);
673 if (!IS_ERR(key)) { 671 if (IS_ERR(key_ref)) {
674 /* see if we can read it directly */ 672 ret = -ENOKEY;
675 if (key_permission(key, KEY_READ)) 673 goto error;
676 goto can_read_key;
677
678 /* we can't; see if it's searchable from this process's
679 * keyrings
680 * - we automatically take account of the fact that it may be
681 * dangling off an instantiation key
682 */
683 skey = search_process_keyrings(key->type, key,
684 keyctl_read_key_same, current);
685 if (!IS_ERR(skey))
686 goto can_read_key2;
687
688 ret = PTR_ERR(skey);
689 if (ret == -EAGAIN)
690 ret = -EACCES;
691 goto error2;
692 } 674 }
693 675
694 ret = -ENOKEY; 676 key = key_ref_to_ptr(key_ref);
695 goto error; 677
678 /* see if we can read it directly */
679 if (key_permission(key_ref, KEY_READ))
680 goto can_read_key;
681
682 /* we can't; see if it's searchable from this process's keyrings
683 * - we automatically take account of the fact that it may be
684 * dangling off an instantiation key
685 */
686 if (!is_key_possessed(key_ref)) {
687 ret = -EACCES;
688 goto error2;
689 }
696 690
697 /* the key is probably readable - now try to read it */ 691 /* the key is probably readable - now try to read it */
698 can_read_key2:
699 key_put(skey);
700 can_read_key: 692 can_read_key:
701 ret = key_validate(key); 693 ret = key_validate(key);
702 if (ret == 0) { 694 if (ret == 0) {
@@ -727,18 +719,21 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
727long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 719long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
728{ 720{
729 struct key *key; 721 struct key *key;
722 key_ref_t key_ref;
730 long ret; 723 long ret;
731 724
732 ret = 0; 725 ret = 0;
733 if (uid == (uid_t) -1 && gid == (gid_t) -1) 726 if (uid == (uid_t) -1 && gid == (gid_t) -1)
734 goto error; 727 goto error;
735 728
736 key = lookup_user_key(NULL, id, 1, 1, 0); 729 key_ref = lookup_user_key(NULL, id, 1, 1, 0);
737 if (IS_ERR(key)) { 730 if (IS_ERR(key_ref)) {
738 ret = PTR_ERR(key); 731 ret = PTR_ERR(key_ref);
739 goto error; 732 goto error;
740 } 733 }
741 734
735 key = key_ref_to_ptr(key_ref);
736
742 /* make the changes with the locks held to prevent chown/chown races */ 737 /* make the changes with the locks held to prevent chown/chown races */
743 ret = -EACCES; 738 ret = -EACCES;
744 down_write(&key->sem); 739 down_write(&key->sem);
@@ -784,18 +779,21 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
784long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 779long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
785{ 780{
786 struct key *key; 781 struct key *key;
782 key_ref_t key_ref;
787 long ret; 783 long ret;
788 784
789 ret = -EINVAL; 785 ret = -EINVAL;
790 if (perm & ~(KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 786 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
791 goto error; 787 goto error;
792 788
793 key = lookup_user_key(NULL, id, 1, 1, 0); 789 key_ref = lookup_user_key(NULL, id, 1, 1, 0);
794 if (IS_ERR(key)) { 790 if (IS_ERR(key_ref)) {
795 ret = PTR_ERR(key); 791 ret = PTR_ERR(key_ref);
796 goto error; 792 goto error;
797 } 793 }
798 794
795 key = key_ref_to_ptr(key_ref);
796
799 /* make the changes with the locks held to prevent chown/chmod races */ 797 /* make the changes with the locks held to prevent chown/chmod races */
800 ret = -EACCES; 798 ret = -EACCES;
801 down_write(&key->sem); 799 down_write(&key->sem);
@@ -824,7 +822,8 @@ long keyctl_instantiate_key(key_serial_t id,
824 key_serial_t ringid) 822 key_serial_t ringid)
825{ 823{
826 struct request_key_auth *rka; 824 struct request_key_auth *rka;
827 struct key *instkey, *keyring; 825 struct key *instkey;
826 key_ref_t keyring_ref;
828 void *payload; 827 void *payload;
829 long ret; 828 long ret;
830 829
@@ -857,21 +856,21 @@ long keyctl_instantiate_key(key_serial_t id,
857 856
858 /* find the destination keyring amongst those belonging to the 857 /* find the destination keyring amongst those belonging to the
859 * requesting task */ 858 * requesting task */
860 keyring = NULL; 859 keyring_ref = NULL;
861 if (ringid) { 860 if (ringid) {
862 keyring = lookup_user_key(rka->context, ringid, 1, 0, 861 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0,
863 KEY_WRITE); 862 KEY_WRITE);
864 if (IS_ERR(keyring)) { 863 if (IS_ERR(keyring_ref)) {
865 ret = PTR_ERR(keyring); 864 ret = PTR_ERR(keyring_ref);
866 goto error3; 865 goto error3;
867 } 866 }
868 } 867 }
869 868
870 /* instantiate the key and link it into a keyring */ 869 /* instantiate the key and link it into a keyring */
871 ret = key_instantiate_and_link(rka->target_key, payload, plen, 870 ret = key_instantiate_and_link(rka->target_key, payload, plen,
872 keyring, instkey); 871 key_ref_to_ptr(keyring_ref), instkey);
873 872
874 key_put(keyring); 873 key_ref_put(keyring_ref);
875 error3: 874 error3:
876 key_put(instkey); 875 key_put(instkey);
877 error2: 876 error2:
@@ -889,7 +888,8 @@ long keyctl_instantiate_key(key_serial_t id,
889long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 888long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
890{ 889{
891 struct request_key_auth *rka; 890 struct request_key_auth *rka;
892 struct key *instkey, *keyring; 891 struct key *instkey;
892 key_ref_t keyring_ref;
893 long ret; 893 long ret;
894 894
895 /* find the instantiation authorisation key */ 895 /* find the instantiation authorisation key */
@@ -903,19 +903,20 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
903 903
904 /* find the destination keyring if present (which must also be 904 /* find the destination keyring if present (which must also be
905 * writable) */ 905 * writable) */
906 keyring = NULL; 906 keyring_ref = NULL;
907 if (ringid) { 907 if (ringid) {
908 keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 908 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
909 if (IS_ERR(keyring)) { 909 if (IS_ERR(keyring_ref)) {
910 ret = PTR_ERR(keyring); 910 ret = PTR_ERR(keyring_ref);
911 goto error2; 911 goto error2;
912 } 912 }
913 } 913 }
914 914
915 /* instantiate the key and link it into a keyring */ 915 /* instantiate the key and link it into a keyring */
916 ret = key_negate_and_link(rka->target_key, timeout, keyring, instkey); 916 ret = key_negate_and_link(rka->target_key, timeout,
917 key_ref_to_ptr(keyring_ref), instkey);
917 918
918 key_put(keyring); 919 key_ref_put(keyring_ref);
919 error2: 920 error2:
920 key_put(instkey); 921 key_put(instkey);
921 error: 922 error:
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 9c208c756df8..0639396dd441 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -309,7 +309,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
309 int ret; 309 int ret;
310 310
311 keyring = key_alloc(&key_type_keyring, description, 311 keyring = key_alloc(&key_type_keyring, description,
312 uid, gid, KEY_USR_ALL, not_in_quota); 312 uid, gid, KEY_POS_ALL | KEY_USR_ALL, not_in_quota);
313 313
314 if (!IS_ERR(keyring)) { 314 if (!IS_ERR(keyring)) {
315 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 315 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
@@ -333,12 +333,13 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
333 * - we rely on RCU to prevent the keyring lists from disappearing on us 333 * - we rely on RCU to prevent the keyring lists from disappearing on us
334 * - we return -EAGAIN if we didn't find any matching key 334 * - we return -EAGAIN if we didn't find any matching key
335 * - we return -ENOKEY if we only found negative matching keys 335 * - we return -ENOKEY if we only found negative matching keys
336 * - we propagate the possession attribute from the keyring ref to the key ref
336 */ 337 */
337struct key *keyring_search_aux(struct key *keyring, 338key_ref_t keyring_search_aux(key_ref_t keyring_ref,
338 struct task_struct *context, 339 struct task_struct *context,
339 struct key_type *type, 340 struct key_type *type,
340 const void *description, 341 const void *description,
341 key_match_func_t match) 342 key_match_func_t match)
342{ 343{
343 struct { 344 struct {
344 struct keyring_list *keylist; 345 struct keyring_list *keylist;
@@ -347,29 +348,33 @@ struct key *keyring_search_aux(struct key *keyring,
347 348
348 struct keyring_list *keylist; 349 struct keyring_list *keylist;
349 struct timespec now; 350 struct timespec now;
350 struct key *key; 351 unsigned long possessed;
352 struct key *keyring, *key;
353 key_ref_t key_ref;
351 long err; 354 long err;
352 int sp, kix; 355 int sp, kix;
353 356
357 keyring = key_ref_to_ptr(keyring_ref);
358 possessed = is_key_possessed(keyring_ref);
354 key_check(keyring); 359 key_check(keyring);
355 360
356 rcu_read_lock();
357
358 /* top keyring must have search permission to begin the search */ 361 /* top keyring must have search permission to begin the search */
359 key = ERR_PTR(-EACCES); 362 key_ref = ERR_PTR(-EACCES);
360 if (!key_task_permission(keyring, context, KEY_SEARCH)) 363 if (!key_task_permission(keyring_ref, context, KEY_SEARCH))
361 goto error; 364 goto error;
362 365
363 key = ERR_PTR(-ENOTDIR); 366 key_ref = ERR_PTR(-ENOTDIR);
364 if (keyring->type != &key_type_keyring) 367 if (keyring->type != &key_type_keyring)
365 goto error; 368 goto error;
366 369
370 rcu_read_lock();
371
367 now = current_kernel_time(); 372 now = current_kernel_time();
368 err = -EAGAIN; 373 err = -EAGAIN;
369 sp = 0; 374 sp = 0;
370 375
371 /* start processing a new keyring */ 376 /* start processing a new keyring */
372 descend: 377descend:
373 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 378 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
374 goto not_this_keyring; 379 goto not_this_keyring;
375 380
@@ -397,7 +402,8 @@ struct key *keyring_search_aux(struct key *keyring,
397 continue; 402 continue;
398 403
399 /* key must have search permissions */ 404 /* key must have search permissions */
400 if (!key_task_permission(key, context, KEY_SEARCH)) 405 if (!key_task_permission(make_key_ref(key, possessed),
406 context, KEY_SEARCH))
401 continue; 407 continue;
402 408
403 /* we set a different error code if we find a negative key */ 409 /* we set a different error code if we find a negative key */
@@ -411,7 +417,7 @@ struct key *keyring_search_aux(struct key *keyring,
411 417
412 /* search through the keyrings nested in this one */ 418 /* search through the keyrings nested in this one */
413 kix = 0; 419 kix = 0;
414 ascend: 420ascend:
415 for (; kix < keylist->nkeys; kix++) { 421 for (; kix < keylist->nkeys; kix++) {
416 key = keylist->keys[kix]; 422 key = keylist->keys[kix];
417 if (key->type != &key_type_keyring) 423 if (key->type != &key_type_keyring)
@@ -423,7 +429,8 @@ struct key *keyring_search_aux(struct key *keyring,
423 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 429 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
424 continue; 430 continue;
425 431
426 if (!key_task_permission(key, context, KEY_SEARCH)) 432 if (!key_task_permission(make_key_ref(key, possessed),
433 context, KEY_SEARCH))
427 continue; 434 continue;
428 435
429 /* stack the current position */ 436 /* stack the current position */
@@ -438,7 +445,7 @@ struct key *keyring_search_aux(struct key *keyring,
438 445
439 /* the keyring we're looking at was disqualified or didn't contain a 446 /* the keyring we're looking at was disqualified or didn't contain a
440 * matching key */ 447 * matching key */
441 not_this_keyring: 448not_this_keyring:
442 if (sp > 0) { 449 if (sp > 0) {
443 /* resume the processing of a keyring higher up in the tree */ 450 /* resume the processing of a keyring higher up in the tree */
444 sp--; 451 sp--;
@@ -447,16 +454,18 @@ struct key *keyring_search_aux(struct key *keyring,
447 goto ascend; 454 goto ascend;
448 } 455 }
449 456
450 key = ERR_PTR(err); 457 key_ref = ERR_PTR(err);
451 goto error; 458 goto error_2;
452 459
453 /* we found a viable match */ 460 /* we found a viable match */
454 found: 461found:
455 atomic_inc(&key->usage); 462 atomic_inc(&key->usage);
456 key_check(key); 463 key_check(key);
457 error: 464 key_ref = make_key_ref(key, possessed);
465error_2:
458 rcu_read_unlock(); 466 rcu_read_unlock();
459 return key; 467error:
468 return key_ref;
460 469
461} /* end keyring_search_aux() */ 470} /* end keyring_search_aux() */
462 471
@@ -469,9 +478,9 @@ struct key *keyring_search_aux(struct key *keyring,
469 * - we return -EAGAIN if we didn't find any matching key 478 * - we return -EAGAIN if we didn't find any matching key
470 * - we return -ENOKEY if we only found negative matching keys 479 * - we return -ENOKEY if we only found negative matching keys
471 */ 480 */
472struct key *keyring_search(struct key *keyring, 481key_ref_t keyring_search(key_ref_t keyring,
473 struct key_type *type, 482 struct key_type *type,
474 const char *description) 483 const char *description)
475{ 484{
476 if (!type->match) 485 if (!type->match)
477 return ERR_PTR(-ENOKEY); 486 return ERR_PTR(-ENOKEY);
@@ -488,15 +497,19 @@ EXPORT_SYMBOL(keyring_search);
488 * search the given keyring only (no recursion) 497 * search the given keyring only (no recursion)
489 * - keyring must be locked by caller 498 * - keyring must be locked by caller
490 */ 499 */
491struct key *__keyring_search_one(struct key *keyring, 500key_ref_t __keyring_search_one(key_ref_t keyring_ref,
492 const struct key_type *ktype, 501 const struct key_type *ktype,
493 const char *description, 502 const char *description,
494 key_perm_t perm) 503 key_perm_t perm)
495{ 504{
496 struct keyring_list *klist; 505 struct keyring_list *klist;
497 struct key *key; 506 unsigned long possessed;
507 struct key *keyring, *key;
498 int loop; 508 int loop;
499 509
510 keyring = key_ref_to_ptr(keyring_ref);
511 possessed = is_key_possessed(keyring_ref);
512
500 rcu_read_lock(); 513 rcu_read_lock();
501 514
502 klist = rcu_dereference(keyring->payload.subscriptions); 515 klist = rcu_dereference(keyring->payload.subscriptions);
@@ -507,21 +520,21 @@ struct key *__keyring_search_one(struct key *keyring,
507 if (key->type == ktype && 520 if (key->type == ktype &&
508 (!key->type->match || 521 (!key->type->match ||
509 key->type->match(key, description)) && 522 key->type->match(key, description)) &&
510 key_permission(key, perm) && 523 key_permission(make_key_ref(key, possessed),
524 perm) &&
511 !test_bit(KEY_FLAG_REVOKED, &key->flags) 525 !test_bit(KEY_FLAG_REVOKED, &key->flags)
512 ) 526 )
513 goto found; 527 goto found;
514 } 528 }
515 } 529 }
516 530
517 key = ERR_PTR(-ENOKEY); 531 rcu_read_unlock();
518 goto error; 532 return ERR_PTR(-ENOKEY);
519 533
520 found: 534 found:
521 atomic_inc(&key->usage); 535 atomic_inc(&key->usage);
522 error:
523 rcu_read_unlock(); 536 rcu_read_unlock();
524 return key; 537 return make_key_ref(key, possessed);
525 538
526} /* end __keyring_search_one() */ 539} /* end __keyring_search_one() */
527 540
@@ -603,7 +616,8 @@ struct key *find_keyring_by_name(const char *name, key_serial_t bound)
603 if (strcmp(keyring->description, name) != 0) 616 if (strcmp(keyring->description, name) != 0)
604 continue; 617 continue;
605 618
606 if (!key_permission(keyring, KEY_SEARCH)) 619 if (!key_permission(make_key_ref(keyring, 0),
620 KEY_SEARCH))
607 continue; 621 continue;
608 622
609 /* found a potential candidate, but we still need to 623 /* found a potential candidate, but we still need to
diff --git a/security/keys/proc.c b/security/keys/proc.c
index c55cf1fd0826..12b750e51fbf 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -167,7 +167,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
167#define showflag(KEY, LETTER, FLAG) \ 167#define showflag(KEY, LETTER, FLAG) \
168 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') 168 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
169 169
170 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %06x %5d %5d %-9.9s ", 170 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
171 key->serial, 171 key->serial,
172 showflag(key, 'I', KEY_FLAG_INSTANTIATED), 172 showflag(key, 'I', KEY_FLAG_INSTANTIATED),
173 showflag(key, 'R', KEY_FLAG_REVOKED), 173 showflag(key, 'R', KEY_FLAG_REVOKED),
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index c089f78fb94e..d42d2158ce13 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -39,7 +39,7 @@ struct key root_user_keyring = {
39 .type = &key_type_keyring, 39 .type = &key_type_keyring,
40 .user = &root_key_user, 40 .user = &root_key_user,
41 .sem = __RWSEM_INITIALIZER(root_user_keyring.sem), 41 .sem = __RWSEM_INITIALIZER(root_user_keyring.sem),
42 .perm = KEY_USR_ALL, 42 .perm = KEY_POS_ALL | KEY_USR_ALL,
43 .flags = 1 << KEY_FLAG_INSTANTIATED, 43 .flags = 1 << KEY_FLAG_INSTANTIATED,
44 .description = "_uid.0", 44 .description = "_uid.0",
45#ifdef KEY_DEBUGGING 45#ifdef KEY_DEBUGGING
@@ -54,7 +54,7 @@ struct key root_session_keyring = {
54 .type = &key_type_keyring, 54 .type = &key_type_keyring,
55 .user = &root_key_user, 55 .user = &root_key_user,
56 .sem = __RWSEM_INITIALIZER(root_session_keyring.sem), 56 .sem = __RWSEM_INITIALIZER(root_session_keyring.sem),
57 .perm = KEY_USR_ALL, 57 .perm = KEY_POS_ALL | KEY_USR_ALL,
58 .flags = 1 << KEY_FLAG_INSTANTIATED, 58 .flags = 1 << KEY_FLAG_INSTANTIATED,
59 .description = "_uid_ses.0", 59 .description = "_uid_ses.0",
60#ifdef KEY_DEBUGGING 60#ifdef KEY_DEBUGGING
@@ -98,7 +98,7 @@ int alloc_uid_keyring(struct user_struct *user)
98 user->session_keyring = session_keyring; 98 user->session_keyring = session_keyring;
99 ret = 0; 99 ret = 0;
100 100
101 error: 101error:
102 return ret; 102 return ret;
103 103
104} /* end alloc_uid_keyring() */ 104} /* end alloc_uid_keyring() */
@@ -156,7 +156,7 @@ int install_thread_keyring(struct task_struct *tsk)
156 ret = 0; 156 ret = 0;
157 157
158 key_put(old); 158 key_put(old);
159 error: 159error:
160 return ret; 160 return ret;
161 161
162} /* end install_thread_keyring() */ 162} /* end install_thread_keyring() */
@@ -193,7 +193,7 @@ int install_process_keyring(struct task_struct *tsk)
193 } 193 }
194 194
195 ret = 0; 195 ret = 0;
196 error: 196error:
197 return ret; 197 return ret;
198 198
199} /* end install_process_keyring() */ 199} /* end install_process_keyring() */
@@ -236,7 +236,7 @@ static int install_session_keyring(struct task_struct *tsk,
236 /* we're using RCU on the pointer */ 236 /* we're using RCU on the pointer */
237 synchronize_rcu(); 237 synchronize_rcu();
238 key_put(old); 238 key_put(old);
239 error: 239error:
240 return ret; 240 return ret;
241 241
242} /* end install_session_keyring() */ 242} /* end install_session_keyring() */
@@ -376,13 +376,13 @@ void key_fsgid_changed(struct task_struct *tsk)
376 * - we return -EAGAIN if we didn't find any matching key 376 * - we return -EAGAIN if we didn't find any matching key
377 * - we return -ENOKEY if we found only negative matching keys 377 * - we return -ENOKEY if we found only negative matching keys
378 */ 378 */
379struct key *search_process_keyrings(struct key_type *type, 379key_ref_t search_process_keyrings(struct key_type *type,
380 const void *description, 380 const void *description,
381 key_match_func_t match, 381 key_match_func_t match,
382 struct task_struct *context) 382 struct task_struct *context)
383{ 383{
384 struct request_key_auth *rka; 384 struct request_key_auth *rka;
385 struct key *key, *ret, *err, *instkey; 385 key_ref_t key_ref, ret, err, instkey_ref;
386 386
387 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were 387 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
388 * searchable, but we failed to find a key or we found a negative key; 388 * searchable, but we failed to find a key or we found a negative key;
@@ -391,46 +391,48 @@ struct key *search_process_keyrings(struct key_type *type,
391 * 391 *
392 * in terms of priority: success > -ENOKEY > -EAGAIN > other error 392 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
393 */ 393 */
394 key = NULL; 394 key_ref = NULL;
395 ret = NULL; 395 ret = NULL;
396 err = ERR_PTR(-EAGAIN); 396 err = ERR_PTR(-EAGAIN);
397 397
398 /* search the thread keyring first */ 398 /* search the thread keyring first */
399 if (context->thread_keyring) { 399 if (context->thread_keyring) {
400 key = keyring_search_aux(context->thread_keyring, 400 key_ref = keyring_search_aux(
401 context, type, description, match); 401 make_key_ref(context->thread_keyring, 1),
402 if (!IS_ERR(key)) 402 context, type, description, match);
403 if (!IS_ERR(key_ref))
403 goto found; 404 goto found;
404 405
405 switch (PTR_ERR(key)) { 406 switch (PTR_ERR(key_ref)) {
406 case -EAGAIN: /* no key */ 407 case -EAGAIN: /* no key */
407 if (ret) 408 if (ret)
408 break; 409 break;
409 case -ENOKEY: /* negative key */ 410 case -ENOKEY: /* negative key */
410 ret = key; 411 ret = key_ref;
411 break; 412 break;
412 default: 413 default:
413 err = key; 414 err = key_ref;
414 break; 415 break;
415 } 416 }
416 } 417 }
417 418
418 /* search the process keyring second */ 419 /* search the process keyring second */
419 if (context->signal->process_keyring) { 420 if (context->signal->process_keyring) {
420 key = keyring_search_aux(context->signal->process_keyring, 421 key_ref = keyring_search_aux(
421 context, type, description, match); 422 make_key_ref(context->signal->process_keyring, 1),
422 if (!IS_ERR(key)) 423 context, type, description, match);
424 if (!IS_ERR(key_ref))
423 goto found; 425 goto found;
424 426
425 switch (PTR_ERR(key)) { 427 switch (PTR_ERR(key_ref)) {
426 case -EAGAIN: /* no key */ 428 case -EAGAIN: /* no key */
427 if (ret) 429 if (ret)
428 break; 430 break;
429 case -ENOKEY: /* negative key */ 431 case -ENOKEY: /* negative key */
430 ret = key; 432 ret = key_ref;
431 break; 433 break;
432 default: 434 default:
433 err = key; 435 err = key_ref;
434 break; 436 break;
435 } 437 }
436 } 438 }
@@ -438,23 +440,25 @@ struct key *search_process_keyrings(struct key_type *type,
438 /* search the session keyring */ 440 /* search the session keyring */
439 if (context->signal->session_keyring) { 441 if (context->signal->session_keyring) {
440 rcu_read_lock(); 442 rcu_read_lock();
441 key = keyring_search_aux( 443 key_ref = keyring_search_aux(
442 rcu_dereference(context->signal->session_keyring), 444 make_key_ref(rcu_dereference(
445 context->signal->session_keyring),
446 1),
443 context, type, description, match); 447 context, type, description, match);
444 rcu_read_unlock(); 448 rcu_read_unlock();
445 449
446 if (!IS_ERR(key)) 450 if (!IS_ERR(key_ref))
447 goto found; 451 goto found;
448 452
449 switch (PTR_ERR(key)) { 453 switch (PTR_ERR(key_ref)) {
450 case -EAGAIN: /* no key */ 454 case -EAGAIN: /* no key */
451 if (ret) 455 if (ret)
452 break; 456 break;
453 case -ENOKEY: /* negative key */ 457 case -ENOKEY: /* negative key */
454 ret = key; 458 ret = key_ref;
455 break; 459 break;
456 default: 460 default:
457 err = key; 461 err = key_ref;
458 break; 462 break;
459 } 463 }
460 464
@@ -465,51 +469,54 @@ struct key *search_process_keyrings(struct key_type *type,
465 goto no_key; 469 goto no_key;
466 470
467 rcu_read_lock(); 471 rcu_read_lock();
468 instkey = __keyring_search_one( 472 instkey_ref = __keyring_search_one(
469 rcu_dereference(context->signal->session_keyring), 473 make_key_ref(rcu_dereference(
474 context->signal->session_keyring),
475 1),
470 &key_type_request_key_auth, NULL, 0); 476 &key_type_request_key_auth, NULL, 0);
471 rcu_read_unlock(); 477 rcu_read_unlock();
472 478
473 if (IS_ERR(instkey)) 479 if (IS_ERR(instkey_ref))
474 goto no_key; 480 goto no_key;
475 481
476 rka = instkey->payload.data; 482 rka = key_ref_to_ptr(instkey_ref)->payload.data;
477 483
478 key = search_process_keyrings(type, description, match, 484 key_ref = search_process_keyrings(type, description, match,
479 rka->context); 485 rka->context);
480 key_put(instkey); 486 key_ref_put(instkey_ref);
481 487
482 if (!IS_ERR(key)) 488 if (!IS_ERR(key_ref))
483 goto found; 489 goto found;
484 490
485 switch (PTR_ERR(key)) { 491 switch (PTR_ERR(key_ref)) {
486 case -EAGAIN: /* no key */ 492 case -EAGAIN: /* no key */
487 if (ret) 493 if (ret)
488 break; 494 break;
489 case -ENOKEY: /* negative key */ 495 case -ENOKEY: /* negative key */
490 ret = key; 496 ret = key_ref;
491 break; 497 break;
492 default: 498 default:
493 err = key; 499 err = key_ref;
494 break; 500 break;
495 } 501 }
496 } 502 }
497 /* or search the user-session keyring */ 503 /* or search the user-session keyring */
498 else { 504 else {
499 key = keyring_search_aux(context->user->session_keyring, 505 key_ref = keyring_search_aux(
500 context, type, description, match); 506 make_key_ref(context->user->session_keyring, 1),
501 if (!IS_ERR(key)) 507 context, type, description, match);
508 if (!IS_ERR(key_ref))
502 goto found; 509 goto found;
503 510
504 switch (PTR_ERR(key)) { 511 switch (PTR_ERR(key_ref)) {
505 case -EAGAIN: /* no key */ 512 case -EAGAIN: /* no key */
506 if (ret) 513 if (ret)
507 break; 514 break;
508 case -ENOKEY: /* negative key */ 515 case -ENOKEY: /* negative key */
509 ret = key; 516 ret = key_ref;
510 break; 517 break;
511 default: 518 default:
512 err = key; 519 err = key_ref;
513 break; 520 break;
514 } 521 }
515 } 522 }
@@ -517,29 +524,40 @@ struct key *search_process_keyrings(struct key_type *type,
517 524
518no_key: 525no_key:
519 /* no key - decide on the error we're going to go for */ 526 /* no key - decide on the error we're going to go for */
520 key = ret ? ret : err; 527 key_ref = ret ? ret : err;
521 528
522found: 529found:
523 return key; 530 return key_ref;
524 531
525} /* end search_process_keyrings() */ 532} /* end search_process_keyrings() */
526 533
527/*****************************************************************************/ 534/*****************************************************************************/
528/* 535/*
536 * see if the key we're looking at is the target key
537 */
538static int lookup_user_key_possessed(const struct key *key, const void *target)
539{
540 return key == target;
541
542} /* end lookup_user_key_possessed() */
543
544/*****************************************************************************/
545/*
529 * lookup a key given a key ID from userspace with a given permissions mask 546 * lookup a key given a key ID from userspace with a given permissions mask
530 * - don't create special keyrings unless so requested 547 * - don't create special keyrings unless so requested
531 * - partially constructed keys aren't found unless requested 548 * - partially constructed keys aren't found unless requested
532 */ 549 */
533struct key *lookup_user_key(struct task_struct *context, key_serial_t id, 550key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
534 int create, int partial, key_perm_t perm) 551 int create, int partial, key_perm_t perm)
535{ 552{
553 key_ref_t key_ref, skey_ref;
536 struct key *key; 554 struct key *key;
537 int ret; 555 int ret;
538 556
539 if (!context) 557 if (!context)
540 context = current; 558 context = current;
541 559
542 key = ERR_PTR(-ENOKEY); 560 key_ref = ERR_PTR(-ENOKEY);
543 561
544 switch (id) { 562 switch (id) {
545 case KEY_SPEC_THREAD_KEYRING: 563 case KEY_SPEC_THREAD_KEYRING:
@@ -556,6 +574,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
556 574
557 key = context->thread_keyring; 575 key = context->thread_keyring;
558 atomic_inc(&key->usage); 576 atomic_inc(&key->usage);
577 key_ref = make_key_ref(key, 1);
559 break; 578 break;
560 579
561 case KEY_SPEC_PROCESS_KEYRING: 580 case KEY_SPEC_PROCESS_KEYRING:
@@ -572,6 +591,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
572 591
573 key = context->signal->process_keyring; 592 key = context->signal->process_keyring;
574 atomic_inc(&key->usage); 593 atomic_inc(&key->usage);
594 key_ref = make_key_ref(key, 1);
575 break; 595 break;
576 596
577 case KEY_SPEC_SESSION_KEYRING: 597 case KEY_SPEC_SESSION_KEYRING:
@@ -579,7 +599,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
579 /* always install a session keyring upon access if one 599 /* always install a session keyring upon access if one
580 * doesn't exist yet */ 600 * doesn't exist yet */
581 ret = install_session_keyring( 601 ret = install_session_keyring(
582 context, context->user->session_keyring); 602 context, context->user->session_keyring);
583 if (ret < 0) 603 if (ret < 0)
584 goto error; 604 goto error;
585 } 605 }
@@ -588,16 +608,19 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
588 key = rcu_dereference(context->signal->session_keyring); 608 key = rcu_dereference(context->signal->session_keyring);
589 atomic_inc(&key->usage); 609 atomic_inc(&key->usage);
590 rcu_read_unlock(); 610 rcu_read_unlock();
611 key_ref = make_key_ref(key, 1);
591 break; 612 break;
592 613
593 case KEY_SPEC_USER_KEYRING: 614 case KEY_SPEC_USER_KEYRING:
594 key = context->user->uid_keyring; 615 key = context->user->uid_keyring;
595 atomic_inc(&key->usage); 616 atomic_inc(&key->usage);
617 key_ref = make_key_ref(key, 1);
596 break; 618 break;
597 619
598 case KEY_SPEC_USER_SESSION_KEYRING: 620 case KEY_SPEC_USER_SESSION_KEYRING:
599 key = context->user->session_keyring; 621 key = context->user->session_keyring;
600 atomic_inc(&key->usage); 622 atomic_inc(&key->usage);
623 key_ref = make_key_ref(key, 1);
601 break; 624 break;
602 625
603 case KEY_SPEC_GROUP_KEYRING: 626 case KEY_SPEC_GROUP_KEYRING:
@@ -606,13 +629,28 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
606 goto error; 629 goto error;
607 630
608 default: 631 default:
609 key = ERR_PTR(-EINVAL); 632 key_ref = ERR_PTR(-EINVAL);
610 if (id < 1) 633 if (id < 1)
611 goto error; 634 goto error;
612 635
613 key = key_lookup(id); 636 key = key_lookup(id);
614 if (IS_ERR(key)) 637 if (IS_ERR(key)) {
638 key_ref = ERR_PTR(PTR_ERR(key));
615 goto error; 639 goto error;
640 }
641
642 key_ref = make_key_ref(key, 0);
643
644 /* check to see if we possess the key */
645 skey_ref = search_process_keyrings(key->type, key,
646 lookup_user_key_possessed,
647 current);
648
649 if (!IS_ERR(skey_ref)) {
650 key_put(key);
651 key_ref = skey_ref;
652 }
653
616 break; 654 break;
617 } 655 }
618 656
@@ -630,15 +668,15 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
630 /* check the permissions */ 668 /* check the permissions */
631 ret = -EACCES; 669 ret = -EACCES;
632 670
633 if (!key_task_permission(key, context, perm)) 671 if (!key_task_permission(key_ref, context, perm))
634 goto invalid_key; 672 goto invalid_key;
635 673
636 error: 674error:
637 return key; 675 return key_ref;
638 676
639 invalid_key: 677invalid_key:
640 key_put(key); 678 key_ref_put(key_ref);
641 key = ERR_PTR(ret); 679 key_ref = ERR_PTR(ret);
642 goto error; 680 goto error;
643 681
644} /* end lookup_user_key() */ 682} /* end lookup_user_key() */
@@ -694,9 +732,9 @@ long join_session_keyring(const char *name)
694 ret = keyring->serial; 732 ret = keyring->serial;
695 key_put(keyring); 733 key_put(keyring);
696 734
697 error2: 735error2:
698 up(&key_session_sem); 736 up(&key_session_sem);
699 error: 737error:
700 return ret; 738 return ret;
701 739
702} /* end join_session_keyring() */ 740} /* end join_session_keyring() */
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 90c1506d007c..e6dd366d43a3 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -129,7 +129,7 @@ static struct key *__request_key_construction(struct key_type *type,
129 129
130 /* create a key and add it to the queue */ 130 /* create a key and add it to the queue */
131 key = key_alloc(type, description, 131 key = key_alloc(type, description,
132 current->fsuid, current->fsgid, KEY_USR_ALL, 0); 132 current->fsuid, current->fsgid, KEY_POS_ALL, 0);
133 if (IS_ERR(key)) 133 if (IS_ERR(key))
134 goto alloc_failed; 134 goto alloc_failed;
135 135
@@ -365,14 +365,24 @@ struct key *request_key_and_link(struct key_type *type,
365{ 365{
366 struct key_user *user; 366 struct key_user *user;
367 struct key *key; 367 struct key *key;
368 key_ref_t key_ref;
368 369
369 kenter("%s,%s,%s,%p", 370 kenter("%s,%s,%s,%p",
370 type->name, description, callout_info, dest_keyring); 371 type->name, description, callout_info, dest_keyring);
371 372
372 /* search all the process keyrings for a key */ 373 /* search all the process keyrings for a key */
373 key = search_process_keyrings(type, description, type->match, current); 374 key_ref = search_process_keyrings(type, description, type->match,
375 current);
374 376
375 if (PTR_ERR(key) == -EAGAIN) { 377 kdebug("search 1: %p", key_ref);
378
379 if (!IS_ERR(key_ref)) {
380 key = key_ref_to_ptr(key_ref);
381 }
382 else if (PTR_ERR(key_ref) != -EAGAIN) {
383 key = ERR_PTR(PTR_ERR(key_ref));
384 }
385 else {
376 /* the search failed, but the keyrings were searchable, so we 386 /* the search failed, but the keyrings were searchable, so we
377 * should consult userspace if we can */ 387 * should consult userspace if we can */
378 key = ERR_PTR(-ENOKEY); 388 key = ERR_PTR(-ENOKEY);
@@ -384,7 +394,7 @@ struct key *request_key_and_link(struct key_type *type,
384 if (!user) 394 if (!user)
385 goto nomem; 395 goto nomem;
386 396
387 do { 397 for (;;) {
388 if (signal_pending(current)) 398 if (signal_pending(current))
389 goto interrupted; 399 goto interrupted;
390 400
@@ -397,10 +407,22 @@ struct key *request_key_and_link(struct key_type *type,
397 407
398 /* someone else made the key we want, so we need to 408 /* someone else made the key we want, so we need to
399 * search again as it might now be available to us */ 409 * search again as it might now be available to us */
400 key = search_process_keyrings(type, description, 410 key_ref = search_process_keyrings(type, description,
401 type->match, current); 411 type->match,
412 current);
413
414 kdebug("search 2: %p", key_ref);
402 415
403 } while (PTR_ERR(key) == -EAGAIN); 416 if (!IS_ERR(key_ref)) {
417 key = key_ref_to_ptr(key_ref);
418 break;
419 }
420
421 if (PTR_ERR(key_ref) != -EAGAIN) {
422 key = ERR_PTR(PTR_ERR(key_ref));
423 break;
424 }
425 }
404 426
405 key_user_put(user); 427 key_user_put(user);
406 428
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index f22264632229..1ecd3d3fa9f8 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -126,7 +126,7 @@ struct key *request_key_auth_new(struct key *target, struct key **_rkakey)
126 126
127 rkakey = key_alloc(&key_type_request_key_auth, desc, 127 rkakey = key_alloc(&key_type_request_key_auth, desc,
128 current->fsuid, current->fsgid, 128 current->fsuid, current->fsgid,
129 KEY_USR_VIEW, 1); 129 KEY_POS_VIEW | KEY_USR_VIEW, 1);
130 if (IS_ERR(rkakey)) { 130 if (IS_ERR(rkakey)) {
131 key_put(keyring); 131 key_put(keyring);
132 kleave("= %ld", PTR_ERR(rkakey)); 132 kleave("= %ld", PTR_ERR(rkakey));
diff --git a/security/seclvl.c b/security/seclvl.c
index 96b1f2122f67..1caac0164643 100644
--- a/security/seclvl.c
+++ b/security/seclvl.c
@@ -119,69 +119,6 @@ MODULE_PARM_DESC(hideHash, "When set to 0, reading seclvl/passwd from sysfs "
119 } while (0) 119 } while (0)
120 120
121/** 121/**
122 * kobject stuff
123 */
124
125struct subsystem seclvl_subsys;
126
127struct seclvl_obj {
128 char *name;
129 struct list_head slot_list;
130 struct kobject kobj;
131};
132
133/**
134 * There is a seclvl_attribute struct for each file in sysfs.
135 *
136 * In our case, we have one of these structs for "passwd" and another
137 * for "seclvl".
138 */
139struct seclvl_attribute {
140 struct attribute attr;
141 ssize_t(*show) (struct seclvl_obj *, char *);
142 ssize_t(*store) (struct seclvl_obj *, const char *, size_t);
143};
144
145/**
146 * When this function is called, one of the files in sysfs is being
147 * written to. attribute->store is a function pointer to whatever the
148 * struct seclvl_attribute store function pointer points to. It is
149 * unique for "passwd" and "seclvl".
150 */
151static ssize_t
152seclvl_attr_store(struct kobject *kobj,
153 struct attribute *attr, const char *buf, size_t len)
154{
155 struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj);
156 struct seclvl_attribute *attribute =
157 container_of(attr, struct seclvl_attribute, attr);
158 return attribute->store ? attribute->store(obj, buf, len) : -EIO;
159}
160
161static ssize_t
162seclvl_attr_show(struct kobject *kobj, struct attribute *attr, char *buf)
163{
164 struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj);
165 struct seclvl_attribute *attribute =
166 container_of(attr, struct seclvl_attribute, attr);
167 return attribute->show ? attribute->show(obj, buf) : -EIO;
168}
169
170/**
171 * Callback function pointers for show and store
172 */
173static struct sysfs_ops seclvlfs_sysfs_ops = {
174 .show = seclvl_attr_show,
175 .store = seclvl_attr_store,
176};
177
178static struct kobj_type seclvl_ktype = {
179 .sysfs_ops = &seclvlfs_sysfs_ops
180};
181
182decl_subsys(seclvl, &seclvl_ktype, NULL);
183
184/**
185 * The actual security level. Ranges between -1 and 2 inclusive. 122 * The actual security level. Ranges between -1 and 2 inclusive.
186 */ 123 */
187static int seclvl; 124static int seclvl;
@@ -213,97 +150,44 @@ static int seclvl_sanity(int reqlvl)
213} 150}
214 151
215/** 152/**
216 * Called whenever the user reads the sysfs handle to this kernel
217 * object
218 */
219static ssize_t seclvl_read_file(struct seclvl_obj *obj, char *buff)
220{
221 return snprintf(buff, PAGE_SIZE, "%d\n", seclvl);
222}
223
224/**
225 * security level advancement rules: 153 * security level advancement rules:
226 * Valid levels are -1 through 2, inclusive. 154 * Valid levels are -1 through 2, inclusive.
227 * From -1, stuck. [ in case compiled into kernel ] 155 * From -1, stuck. [ in case compiled into kernel ]
228 * From 0 or above, can only increment. 156 * From 0 or above, can only increment.
229 */ 157 */
230static int do_seclvl_advance(int newlvl) 158static void do_seclvl_advance(void *data, u64 val)
231{ 159{
232 if (newlvl <= seclvl) { 160 int ret;
233 seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl " 161 int newlvl = (int)val;
234 "[%d]\n", newlvl); 162
235 return -EINVAL; 163 ret = seclvl_sanity(newlvl);
236 } 164 if (ret)
165 return;
166
237 if (newlvl > 2) { 167 if (newlvl > 2) {
238 seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl " 168 seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "
239 "[%d]\n", newlvl); 169 "[%d]\n", newlvl);
240 return -EINVAL; 170 return;
241 } 171 }
242 if (seclvl == -1) { 172 if (seclvl == -1) {
243 seclvl_printk(1, KERN_WARNING, "Not allowed to advance to " 173 seclvl_printk(1, KERN_WARNING, "Not allowed to advance to "
244 "seclvl [%d]\n", seclvl); 174 "seclvl [%d]\n", seclvl);
245 return -EPERM; 175 return;
246 } 176 }
247 seclvl = newlvl; 177 seclvl = newlvl; /* would it be more "correct" to set *data? */
248 return 0; 178 return;
249} 179}
250 180
251/** 181static u64 seclvl_int_get(void *data)
252 * Called whenever the user writes to the sysfs handle to this kernel
253 * object (seclvl/seclvl). It expects a single-digit number.
254 */
255static ssize_t
256seclvl_write_file(struct seclvl_obj *obj, const char *buff, size_t count)
257{ 182{
258 unsigned long val; 183 return *(int *)data;
259 if (count > 2 || (count == 2 && buff[1] != '\n')) {
260 seclvl_printk(1, KERN_WARNING, "Invalid value passed to "
261 "seclvl: [%s]\n", buff);
262 return -EINVAL;
263 }
264 val = buff[0] - 48;
265 if (seclvl_sanity(val)) {
266 seclvl_printk(1, KERN_WARNING, "Illegal secure level "
267 "requested: [%d]\n", (int)val);
268 return -EPERM;
269 }
270 if (do_seclvl_advance(val)) {
271 seclvl_printk(0, KERN_ERR, "Failure advancing security level "
272 "to %lu\n", val);
273 }
274 return count;
275} 184}
276 185
277/* Generate sysfs_attr_seclvl */ 186DEFINE_SIMPLE_ATTRIBUTE(seclvl_file_ops, seclvl_int_get, do_seclvl_advance, "%lld\n");
278static struct seclvl_attribute sysfs_attr_seclvl =
279__ATTR(seclvl, (S_IFREG | S_IRUGO | S_IWUSR), seclvl_read_file,
280 seclvl_write_file);
281 187
282static unsigned char hashedPassword[SHA1_DIGEST_SIZE]; 188static unsigned char hashedPassword[SHA1_DIGEST_SIZE];
283 189
284/** 190/**
285 * Called whenever the user reads the sysfs passwd handle.
286 */
287static ssize_t seclvl_read_passwd(struct seclvl_obj *obj, char *buff)
288{
289 /* So just how good *is* your password? :-) */
290 char tmp[3];
291 int i = 0;
292 buff[0] = '\0';
293 if (hideHash) {
294 /* Security through obscurity */
295 return 0;
296 }
297 while (i < SHA1_DIGEST_SIZE) {
298 snprintf(tmp, 3, "%02x", hashedPassword[i]);
299 strncat(buff, tmp, 2);
300 i++;
301 }
302 strcat(buff, "\n");
303 return ((SHA1_DIGEST_SIZE * 2) + 1);
304}
305
306/**
307 * Converts a block of plaintext of into its SHA1 hashed value. 191 * Converts a block of plaintext of into its SHA1 hashed value.
308 * 192 *
309 * It would be nice if crypto had a wrapper to do this for us linear 193 * It would be nice if crypto had a wrapper to do this for us linear
@@ -347,12 +231,15 @@ plaintext_to_sha1(unsigned char *hash, const char *plaintext, int len)
347 * object. It hashes the password and compares the hashed results. 231 * object. It hashes the password and compares the hashed results.
348 */ 232 */
349static ssize_t 233static ssize_t
350seclvl_write_passwd(struct seclvl_obj *obj, const char *buff, size_t count) 234passwd_write_file(struct file * file, const char __user * buf,
235 size_t count, loff_t *ppos)
351{ 236{
352 int i; 237 int i;
353 unsigned char tmp[SHA1_DIGEST_SIZE]; 238 unsigned char tmp[SHA1_DIGEST_SIZE];
239 char *page;
354 int rc; 240 int rc;
355 int len; 241 int len;
242
356 if (!*passwd && !*sha1_passwd) { 243 if (!*passwd && !*sha1_passwd) {
357 seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the " 244 seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "
358 "seclvl module, but neither a plain text " 245 "seclvl module, but neither a plain text "
@@ -363,32 +250,45 @@ seclvl_write_passwd(struct seclvl_obj *obj, const char *buff, size_t count)
363 "maintainer about this event.\n"); 250 "maintainer about this event.\n");
364 return -EINVAL; 251 return -EINVAL;
365 } 252 }
366 len = strlen(buff); 253
254 if (count < 0 || count >= PAGE_SIZE)
255 return -EINVAL;
256 if (*ppos != 0)
257 return -EINVAL;
258 page = (char *)get_zeroed_page(GFP_KERNEL);
259 if (!page)
260 return -ENOMEM;
261 len = -EFAULT;
262 if (copy_from_user(page, buf, count))
263 goto out;
264
265 len = strlen(page);
367 /* ``echo "secret" > seclvl/passwd'' includes a newline */ 266 /* ``echo "secret" > seclvl/passwd'' includes a newline */
368 if (buff[len - 1] == '\n') { 267 if (page[len - 1] == '\n')
369 len--; 268 len--;
370 }
371 /* Hash the password, then compare the hashed values */ 269 /* Hash the password, then compare the hashed values */
372 if ((rc = plaintext_to_sha1(tmp, buff, len))) { 270 if ((rc = plaintext_to_sha1(tmp, page, len))) {
373 seclvl_printk(0, KERN_ERR, "Error hashing password: rc = " 271 seclvl_printk(0, KERN_ERR, "Error hashing password: rc = "
374 "[%d]\n", rc); 272 "[%d]\n", rc);
375 return rc; 273 return rc;
376 } 274 }
377 for (i = 0; i < SHA1_DIGEST_SIZE; i++) { 275 for (i = 0; i < SHA1_DIGEST_SIZE; i++) {
378 if (hashedPassword[i] != tmp[i]) { 276 if (hashedPassword[i] != tmp[i])
379 return -EPERM; 277 return -EPERM;
380 }
381 } 278 }
382 seclvl_printk(0, KERN_INFO, 279 seclvl_printk(0, KERN_INFO,
383 "Password accepted; seclvl reduced to 0.\n"); 280 "Password accepted; seclvl reduced to 0.\n");
384 seclvl = 0; 281 seclvl = 0;
385 return count; 282 len = count;
283
284out:
285 free_page((unsigned long)page);
286 return len;
386} 287}
387 288
388/* Generate sysfs_attr_passwd */ 289static struct file_operations passwd_file_ops = {
389static struct seclvl_attribute sysfs_attr_passwd = 290 .write = passwd_write_file,
390__ATTR(passwd, (S_IFREG | S_IRUGO | S_IWUSR), seclvl_read_passwd, 291};
391 seclvl_write_passwd);
392 292
393/** 293/**
394 * Explicitely disallow ptrace'ing the init process. 294 * Explicitely disallow ptrace'ing the init process.
@@ -579,9 +479,8 @@ static void seclvl_file_free_security(struct file *filp)
579 */ 479 */
580static int seclvl_umount(struct vfsmount *mnt, int flags) 480static int seclvl_umount(struct vfsmount *mnt, int flags)
581{ 481{
582 if (current->pid == 1) { 482 if (current->pid == 1)
583 return 0; 483 return 0;
584 }
585 if (seclvl == 2) { 484 if (seclvl == 2) {
586 seclvl_printk(1, KERN_WARNING, "Attempt to unmount in secure " 485 seclvl_printk(1, KERN_WARNING, "Attempt to unmount in secure "
587 "level %d\n", seclvl); 486 "level %d\n", seclvl);
@@ -647,22 +546,34 @@ static int processPassword(void)
647} 546}
648 547
649/** 548/**
650 * Sysfs registrations 549 * securityfs registrations
651 */ 550 */
652static int doSysfsRegistrations(void) 551struct dentry *dir_ino, *seclvl_ino, *passwd_ino;
552
553static int seclvlfs_register(void)
653{ 554{
654 int rc = 0; 555 dir_ino = securityfs_create_dir("seclvl", NULL);
655 if ((rc = subsystem_register(&seclvl_subsys))) { 556 if (!dir_ino)
656 seclvl_printk(0, KERN_WARNING, 557 return -EFAULT;
657 "Error [%d] registering seclvl subsystem\n", rc); 558
658 return rc; 559 seclvl_ino = securityfs_create_file("seclvl", S_IRUGO | S_IWUSR,
659 } 560 dir_ino, &seclvl, &seclvl_file_ops);
660 sysfs_create_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr); 561 if (!seclvl_ino)
562 goto out_deldir;
661 if (*passwd || *sha1_passwd) { 563 if (*passwd || *sha1_passwd) {
662 sysfs_create_file(&seclvl_subsys.kset.kobj, 564 passwd_ino = securityfs_create_file("passwd", S_IRUGO | S_IWUSR,
663 &sysfs_attr_passwd.attr); 565 dir_ino, NULL, &passwd_file_ops);
566 if (!passwd_ino)
567 goto out_delf;
664 } 568 }
665 return 0; 569 return 0;
570
571out_deldir:
572 securityfs_remove(dir_ino);
573out_delf:
574 securityfs_remove(seclvl_ino);
575
576 return -EFAULT;
666} 577}
667 578
668/** 579/**
@@ -677,8 +588,6 @@ static int __init seclvl_init(void)
677 rc = -EINVAL; 588 rc = -EINVAL;
678 goto exit; 589 goto exit;
679 } 590 }
680 sysfs_attr_seclvl.attr.owner = THIS_MODULE;
681 sysfs_attr_passwd.attr.owner = THIS_MODULE;
682 if (initlvl < -1 || initlvl > 2) { 591 if (initlvl < -1 || initlvl > 2) {
683 seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel " 592 seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel "
684 "[%d].\n", initlvl); 593 "[%d].\n", initlvl);
@@ -706,7 +615,7 @@ static int __init seclvl_init(void)
706 } /* if primary module registered */ 615 } /* if primary module registered */
707 secondary = 1; 616 secondary = 1;
708 } /* if we registered ourselves with the security framework */ 617 } /* if we registered ourselves with the security framework */
709 if ((rc = doSysfsRegistrations())) { 618 if ((rc = seclvlfs_register())) {
710 seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n"); 619 seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n");
711 goto exit; 620 goto exit;
712 } 621 }
@@ -724,12 +633,10 @@ static int __init seclvl_init(void)
724 */ 633 */
725static void __exit seclvl_exit(void) 634static void __exit seclvl_exit(void)
726{ 635{
727 sysfs_remove_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr); 636 securityfs_remove(seclvl_ino);
728 if (*passwd || *sha1_passwd) { 637 if (*passwd || *sha1_passwd)
729 sysfs_remove_file(&seclvl_subsys.kset.kobj, 638 securityfs_remove(passwd_ino);
730 &sysfs_attr_passwd.attr); 639 securityfs_remove(dir_ino);
731 }
732 subsystem_unregister(&seclvl_subsys);
733 if (secondary == 1) { 640 if (secondary == 1) {
734 mod_unreg_security(MY_NAME, &seclvl_ops); 641 mod_unreg_security(MY_NAME, &seclvl_ops);
735 } else if (unregister_security(&seclvl_ops)) { 642 } else if (unregister_security(&seclvl_ops)) {
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index cf6020f85403..12e4fb72bf0f 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
243 0, SLAB_PANIC, NULL, NULL); 243 0, SLAB_PANIC, NULL, NULL);
244 244
245 audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n"); 245 audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
246} 246}
247 247
248int avc_get_hash_stats(char *page) 248int avc_get_hash_stats(char *page)
@@ -550,7 +550,7 @@ void avc_audit(u32 ssid, u32 tsid,
550 return; 550 return;
551 } 551 }
552 552
553 ab = audit_log_start(current->audit_context, AUDIT_AVC); 553 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
554 if (!ab) 554 if (!ab)
555 return; /* audit_panic has been called */ 555 return; /* audit_panic has been called */
556 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 556 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f40c8221ec1b..b13be15165f5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -630,6 +630,16 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
630 return SECCLASS_FILE; 630 return SECCLASS_FILE;
631} 631}
632 632
633static inline int default_protocol_stream(int protocol)
634{
635 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
636}
637
638static inline int default_protocol_dgram(int protocol)
639{
640 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
641}
642
633static inline u16 socket_type_to_security_class(int family, int type, int protocol) 643static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634{ 644{
635 switch (family) { 645 switch (family) {
@@ -646,10 +656,16 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
646 case PF_INET6: 656 case PF_INET6:
647 switch (type) { 657 switch (type) {
648 case SOCK_STREAM: 658 case SOCK_STREAM:
649 return SECCLASS_TCP_SOCKET; 659 if (default_protocol_stream(protocol))
660 return SECCLASS_TCP_SOCKET;
661 else
662 return SECCLASS_RAWIP_SOCKET;
650 case SOCK_DGRAM: 663 case SOCK_DGRAM:
651 return SECCLASS_UDP_SOCKET; 664 if (default_protocol_dgram(protocol))
652 case SOCK_RAW: 665 return SECCLASS_UDP_SOCKET;
666 else
667 return SECCLASS_RAWIP_SOCKET;
668 default:
653 return SECCLASS_RAWIP_SOCKET; 669 return SECCLASS_RAWIP_SOCKET;
654 } 670 }
655 break; 671 break;
@@ -2970,6 +2986,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
2970 2986
2971 /* 2987 /*
2972 * If PF_INET or PF_INET6, check name_bind permission for the port. 2988 * If PF_INET or PF_INET6, check name_bind permission for the port.
2989 * Multiple address binding for SCTP is not supported yet: we just
2990 * check the first address now.
2973 */ 2991 */
2974 family = sock->sk->sk_family; 2992 family = sock->sk->sk_family;
2975 if (family == PF_INET || family == PF_INET6) { 2993 if (family == PF_INET || family == PF_INET6) {
@@ -3014,12 +3032,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3014 goto out; 3032 goto out;
3015 } 3033 }
3016 3034
3017 switch(sk->sk_protocol) { 3035 switch(isec->sclass) {
3018 case IPPROTO_TCP: 3036 case SECCLASS_TCP_SOCKET:
3019 node_perm = TCP_SOCKET__NODE_BIND; 3037 node_perm = TCP_SOCKET__NODE_BIND;
3020 break; 3038 break;
3021 3039
3022 case IPPROTO_UDP: 3040 case SECCLASS_UDP_SOCKET:
3023 node_perm = UDP_SOCKET__NODE_BIND; 3041 node_perm = UDP_SOCKET__NODE_BIND;
3024 break; 3042 break;
3025 3043
@@ -3389,7 +3407,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3389 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3407 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3390 if (err) { 3408 if (err) {
3391 if (err == -EINVAL) { 3409 if (err == -EINVAL) {
3392 audit_log(current->audit_context, AUDIT_SELINUX_ERR, 3410 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3393 "SELinux: unrecognized netlink message" 3411 "SELinux: unrecognized netlink message"
3394 " type=%hu for sclass=%hu\n", 3412 " type=%hu for sclass=%hu\n",
3395 nlh->nlmsg_type, isec->sclass); 3413 nlh->nlmsg_type, isec->sclass);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 92b89dc99bcd..aecdded55e74 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -381,7 +381,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
381 goto out; 381 goto out;
382 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 382 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
383 goto out; 383 goto out;
384 audit_log(current->audit_context, AUDIT_SELINUX_ERR, 384 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
385 "security_validate_transition: denied for" 385 "security_validate_transition: denied for"
386 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 386 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
387 o, n, t, policydb.p_class_val_to_name[tclass-1]); 387 o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -787,7 +787,7 @@ static int compute_sid_handle_invalid_context(
787 goto out; 787 goto out;
788 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 788 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
789 goto out; 789 goto out;
790 audit_log(current->audit_context, AUDIT_SELINUX_ERR, 790 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
791 "security_compute_sid: invalid context %s" 791 "security_compute_sid: invalid context %s"
792 " for scontext=%s" 792 " for scontext=%s"
793 " tcontext=%s" 793 " tcontext=%s"
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-09 23:25:13 -0500