1/* Keyring handling 2 * 3 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12#include <linux/module.h> 13#include <linux/init.h> 14#include <linux/sched.h> 15#include <linux/slab.h> 16#include <linux/security.h> 17#include <linux/seq_file.h> 18#include <linux/err.h> 19#include <keys/keyring-type.h> 20#include <keys/user-type.h> 21#include <linux/assoc_array_priv.h> 22#include <linux/uaccess.h> 23#include "internal.h" 24 25/* 26 * When plumbing the depths of the key tree, this sets a hard limit 27 * set on how deep we're willing to go. 28 */ 29#define KEYRING_SEARCH_MAX_DEPTH 6 30 31/* 32 * We keep all named keyrings in a hash to speed looking them up. 33 */ 34#define KEYRING_NAME_HASH_SIZE (1 << 5) 35 36/* 37 * We mark pointers we pass to the associative array with bit 1 set if 38 * they're keyrings and clear otherwise. 39 */ 40#define KEYRING_PTR_SUBTYPE 0x2UL 41 42static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x) 43{ 44 return (unsigned long)x & KEYRING_PTR_SUBTYPE; 45} 46static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x) 47{ 48 void *object = assoc_array_ptr_to_leaf(x); 49 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE); 50} 51static inline void *keyring_key_to_ptr(struct key *key) 52{ 53 if (key->type == &key_type_keyring) 54 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE); 55 return key; 56} 57 58static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE]; 59static DEFINE_RWLOCK(keyring_name_lock); 60 61static inline unsigned keyring_hash(const char *desc) 62{ 63 unsigned bucket = 0; 64 65 for (; *desc; desc++) 66 bucket += (unsigned char)*desc; 67 68 return bucket & (KEYRING_NAME_HASH_SIZE - 1); 69} 70 71/* 72 * The keyring key type definition. Keyrings are simply keys of this type and 73 * can be treated as ordinary keys in addition to having their own special 74 * operations. 75 */ 76static int keyring_preparse(struct key_preparsed_payload *prep); 77static void keyring_free_preparse(struct key_preparsed_payload *prep); 78static int keyring_instantiate(struct key *keyring, 79 struct key_preparsed_payload *prep); 80static void keyring_revoke(struct key *keyring); 81static void keyring_destroy(struct key *keyring); 82static void keyring_describe(const struct key *keyring, struct seq_file *m); 83static long keyring_read(const struct key *keyring, 84 char __user *buffer, size_t buflen); 85 86struct key_type key_type_keyring = { 87 .name = "keyring", 88 .def_datalen = 0, 89 .preparse = keyring_preparse, 90 .free_preparse = keyring_free_preparse, 91 .instantiate = keyring_instantiate, 92 .revoke = keyring_revoke, 93 .destroy = keyring_destroy, 94 .describe = keyring_describe, 95 .read = keyring_read, 96}; 97EXPORT_SYMBOL(key_type_keyring); 98 99/* 100 * Semaphore to serialise link/link calls to prevent two link calls in parallel 101 * introducing a cycle. 102 */ 103static DECLARE_RWSEM(keyring_serialise_link_sem); 104 105/* 106 * Publish the name of a keyring so that it can be found by name (if it has 107 * one). 108 */ 109static void keyring_publish_name(struct key *keyring) 110{ 111 int bucket; 112 113 if (keyring->description) { 114 bucket = keyring_hash(keyring->description); 115 116 write_lock(&keyring_name_lock); 117 118 if (!keyring_name_hash[bucket].next) 119 INIT_LIST_HEAD(&keyring_name_hash[bucket]); 120 121 list_add_tail(&keyring->type_data.link, 122 &keyring_name_hash[bucket]); 123 124 write_unlock(&keyring_name_lock); 125 } 126} 127 128/* 129 * Preparse a keyring payload 130 */ 131static int keyring_preparse(struct key_preparsed_payload *prep) 132{ 133 return prep->datalen != 0 ? -EINVAL : 0; 134} 135 136/* 137 * Free a preparse of a user defined key payload 138 */ 139static void keyring_free_preparse(struct key_preparsed_payload *prep) 140{ 141} 142 143/* 144 * Initialise a keyring. 145 * 146 * Returns 0 on success, -EINVAL if given any data. 147 */ 148static int keyring_instantiate(struct key *keyring, 149 struct key_preparsed_payload *prep) 150{ 151 assoc_array_init(&keyring->keys); 152 /* make the keyring available by name if it has one */ 153 keyring_publish_name(keyring); 154 return 0; 155} 156 157/* 158 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd 159 * fold the carry back too, but that requires inline asm. 160 */ 161static u64 mult_64x32_and_fold(u64 x, u32 y) 162{ 163 u64 hi = (u64)(u32)(x >> 32) * y; 164 u64 lo = (u64)(u32)(x) * y; 165 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32); 166} 167 168/* 169 * Hash a key type and description. 170 */ 171static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key) 172{ 173 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; 174 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; 175 const char *description = index_key->description; 176 unsigned long hash, type; 177 u32 piece; 178 u64 acc; 179 int n, desc_len = index_key->desc_len; 180 181 type = (unsigned long)index_key->type; 182 183 acc = mult_64x32_and_fold(type, desc_len + 13); 184 acc = mult_64x32_and_fold(acc, 9207); 185 for (;;) { 186 n = desc_len; 187 if (n <= 0) 188 break; 189 if (n > 4) 190 n = 4; 191 piece = 0; 192 memcpy(&piece, description, n); 193 description += n; 194 desc_len -= n; 195 acc = mult_64x32_and_fold(acc, piece); 196 acc = mult_64x32_and_fold(acc, 9207); 197 } 198 199 /* Fold the hash down to 32 bits if need be. */ 200 hash = acc; 201 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32) 202 hash ^= acc >> 32; 203 204 /* Squidge all the keyrings into a separate part of the tree to 205 * ordinary keys by making sure the lowest level segment in the hash is 206 * zero for keyrings and non-zero otherwise. 207 */ 208 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) 209 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; 210 if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) 211 return (hash + (hash << level_shift)) & ~fan_mask; 212 return hash; 213} 214 215/* 216 * Build the next index key chunk. 217 * 218 * On 32-bit systems the index key is laid out as: 219 * 220 * 0 4 5 9... 221 * hash desclen typeptr desc[] 222 * 223 * On 64-bit systems: 224 * 225 * 0 8 9 17... 226 * hash desclen typeptr desc[] 227 * 228 * We return it one word-sized chunk at a time. 229 */ 230static unsigned long keyring_get_key_chunk(const void *data, int level) 231{ 232 const struct keyring_index_key *index_key = data; 233 unsigned long chunk = 0; 234 long offset = 0; 235 int desc_len = index_key->desc_len, n = sizeof(chunk); 236 237 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; 238 switch (level) { 239 case 0: 240 return hash_key_type_and_desc(index_key); 241 case 1: 242 return ((unsigned long)index_key->type << 8) | desc_len; 243 case 2: 244 if (desc_len == 0) 245 return (u8)((unsigned long)index_key->type >> 246 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8)); 247 n--; 248 offset = 1; 249 default: 250 offset += sizeof(chunk) - 1; 251 offset += (level - 3) * sizeof(chunk); 252 if (offset >= desc_len) 253 return 0; 254 desc_len -= offset; 255 if (desc_len > n) 256 desc_len = n; 257 offset += desc_len; 258 do { 259 chunk <<= 8; 260 chunk |= ((u8*)index_key->description)[--offset]; 261 } while (--desc_len > 0); 262 263 if (level == 2) { 264 chunk <<= 8; 265 chunk |= (u8)((unsigned long)index_key->type >> 266 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8)); 267 } 268 return chunk; 269 } 270} 271 272static unsigned long keyring_get_object_key_chunk(const void *object, int level) 273{ 274 const struct key *key = keyring_ptr_to_key(object); 275 return keyring_get_key_chunk(&key->index_key, level); 276} 277 278static bool keyring_compare_object(const void *object, const void *data) 279{ 280 const struct keyring_index_key *index_key = data; 281 const struct key *key = keyring_ptr_to_key(object); 282 283 return key->index_key.type == index_key->type && 284 key->index_key.desc_len == index_key->desc_len && 285 memcmp(key->index_key.description, index_key->description, 286 index_key->desc_len) == 0; 287} 288 289/* 290 * Compare the index keys of a pair of objects and determine the bit position 291 * at which they differ - if they differ. 292 */ 293static int keyring_diff_objects(const void *object, const void *data) 294{ 295 const struct key *key_a = keyring_ptr_to_key(object); 296 const struct keyring_index_key *a = &key_a->index_key; 297 const struct keyring_index_key *b = data; 298 unsigned long seg_a, seg_b; 299 int level, i; 300 301 level = 0; 302 seg_a = hash_key_type_and_desc(a); 303 seg_b = hash_key_type_and_desc(b); 304 if ((seg_a ^ seg_b) != 0) 305 goto differ; 306 307 /* The number of bits contributed by the hash is controlled by a 308 * constant in the assoc_array headers. Everything else thereafter we 309 * can deal with as being machine word-size dependent. 310 */ 311 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; 312 seg_a = a->desc_len; 313 seg_b = b->desc_len; 314 if ((seg_a ^ seg_b) != 0) 315 goto differ; 316 317 /* The next bit may not work on big endian */ 318 level++; 319 seg_a = (unsigned long)a->type; 320 seg_b = (unsigned long)b->type; 321 if ((seg_a ^ seg_b) != 0) 322 goto differ; 323 324 level += sizeof(unsigned long); 325 if (a->desc_len == 0) 326 goto same; 327 328 i = 0; 329 if (((unsigned long)a->description | (unsigned long)b->description) & 330 (sizeof(unsigned long) - 1)) { 331 do { 332 seg_a = *(unsigned long *)(a->description + i); 333 seg_b = *(unsigned long *)(b->description + i); 334 if ((seg_a ^ seg_b) != 0) 335 goto differ_plus_i; 336 i += sizeof(unsigned long); 337 } while (i < (a->desc_len & (sizeof(unsigned long) - 1))); 338 } 339 340 for (; i < a->desc_len; i++) { 341 seg_a = *(unsigned char *)(a->description + i); 342 seg_b = *(unsigned char *)(b->description + i); 343 if ((seg_a ^ seg_b) != 0) 344 goto differ_plus_i; 345 } 346 347same: 348 return -1; 349 350differ_plus_i: 351 level += i; 352differ: 353 i = level * 8 + __ffs(seg_a ^ seg_b); 354 return i; 355} 356 357/* 358 * Free an object after stripping the keyring flag off of the pointer. 359 */ 360static void keyring_free_object(void *object) 361{ 362 key_put(keyring_ptr_to_key(object)); 363} 364 365/* 366 * Operations for keyring management by the index-tree routines. 367 */ 368static const struct assoc_array_ops keyring_assoc_array_ops = { 369 .get_key_chunk = keyring_get_key_chunk, 370 .get_object_key_chunk = keyring_get_object_key_chunk, 371 .compare_object = keyring_compare_object, 372 .diff_objects = keyring_diff_objects, 373 .free_object = keyring_free_object, 374}; 375 376/* 377 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 378 * and dispose of its data. 379 * 380 * The garbage collector detects the final key_put(), removes the keyring from 381 * the serial number tree and then does RCU synchronisation before coming here, 382 * so we shouldn't need to worry about code poking around here with the RCU 383 * readlock held by this time. 384 */ 385static void keyring_destroy(struct key *keyring) 386{ 387 if (keyring->description) { 388 write_lock(&keyring_name_lock); 389 390 if (keyring->type_data.link.next != NULL && 391 !list_empty(&keyring->type_data.link)) 392 list_del(&keyring->type_data.link); 393 394 write_unlock(&keyring_name_lock); 395 } 396 397 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); 398} 399 400/* 401 * Describe a keyring for /proc. 402 */ 403static void keyring_describe(const struct key *keyring, struct seq_file *m) 404{ 405 if (keyring->description) 406 seq_puts(m, keyring->description); 407 else 408 seq_puts(m, "[anon]"); 409 410 if (key_is_instantiated(keyring)) { 411 if (keyring->keys.nr_leaves_on_tree != 0) 412 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); 413 else 414 seq_puts(m, ": empty"); 415 } 416} 417 418struct keyring_read_iterator_context { 419 size_t qty; 420 size_t count; 421 key_serial_t __user *buffer; 422}; 423 424static int keyring_read_iterator(const void *object, void *data) 425{ 426 struct keyring_read_iterator_context *ctx = data; 427 const struct key *key = keyring_ptr_to_key(object); 428 int ret; 429 430 kenter("{%s,%d},,{%zu/%zu}", 431 key->type->name, key->serial, ctx->count, ctx->qty); 432 433 if (ctx->count >= ctx->qty) 434 return 1; 435 436 ret = put_user(key->serial, ctx->buffer); 437 if (ret < 0) 438 return ret; 439 ctx->buffer++; 440 ctx->count += sizeof(key->serial); 441 return 0; 442} 443 444/* 445 * Read a list of key IDs from the keyring's contents in binary form 446 * 447 * The keyring's semaphore is read-locked by the caller. This prevents someone 448 * from modifying it under us - which could cause us to read key IDs multiple 449 * times. 450 */ 451static long keyring_read(const struct key *keyring, 452 char __user *buffer, size_t buflen) 453{ 454 struct keyring_read_iterator_context ctx; 455 unsigned long nr_keys; 456 int ret; 457 458 kenter("{%d},,%zu", key_serial(keyring), buflen); 459 460 if (buflen & (sizeof(key_serial_t) - 1)) 461 return -EINVAL; 462 463 nr_keys = keyring->keys.nr_leaves_on_tree; 464 if (nr_keys == 0) 465 return 0; 466 467 /* Calculate how much data we could return */ 468 ctx.qty = nr_keys * sizeof(key_serial_t); 469 470 if (!buffer || !buflen) 471 return ctx.qty; 472 473 if (buflen > ctx.qty) 474 ctx.qty = buflen; 475 476 /* Copy the IDs of the subscribed keys into the buffer */ 477 ctx.buffer = (key_serial_t __user *)buffer; 478 ctx.count = 0; 479 ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx); 480 if (ret < 0) { 481 kleave(" = %d [iterate]", ret); 482 return ret; 483 } 484 485 kleave(" = %zu [ok]", ctx.count); 486 return ctx.count; 487} 488 489/* 490 * Allocate a keyring and link into the destination keyring. 491 */ 492struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, 493 const struct cred *cred, key_perm_t perm, 494 unsigned long flags, struct key *dest) 495{ 496 struct key *keyring; 497 int ret; 498 499 keyring = key_alloc(&key_type_keyring, description, 500 uid, gid, cred, perm, flags); 501 if (!IS_ERR(keyring)) { 502 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 503 if (ret < 0) { 504 key_put(keyring); 505 keyring = ERR_PTR(ret); 506 } 507 } 508 509 return keyring; 510} 511EXPORT_SYMBOL(keyring_alloc); 512 513/* 514 * By default, we keys found by getting an exact match on their descriptions. 515 */ 516bool key_default_cmp(const struct key *key, 517 const struct key_match_data *match_data) 518{ 519 return strcmp(key->description, match_data->raw_data) == 0; 520} 521 522/* 523 * Iteration function to consider each key found. 524 */ 525static int keyring_search_iterator(const void *object, void *iterator_data) 526{ 527 struct keyring_search_context *ctx = iterator_data; 528 const struct key *key = keyring_ptr_to_key(object); 529 unsigned long kflags = key->flags; 530 531 kenter("{%d}", key->serial); 532 533 /* ignore keys not of this type */ 534 if (key->type != ctx->index_key.type) { 535 kleave(" = 0 [!type]"); 536 return 0; 537 } 538 539 /* skip invalidated, revoked and expired keys */ 540 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 541 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 542 (1 << KEY_FLAG_REVOKED))) { 543 ctx->result = ERR_PTR(-EKEYREVOKED); 544 kleave(" = %d [invrev]", ctx->skipped_ret); 545 goto skipped; 546 } 547 548 if (key->expiry && ctx->now.tv_sec >= key->expiry) { 549 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED)) 550 ctx->result = ERR_PTR(-EKEYEXPIRED); 551 kleave(" = %d [expire]", ctx->skipped_ret); 552 goto skipped; 553 } 554 } 555 556 /* keys that don't match */ 557 if (!ctx->match_data.cmp(key, &ctx->match_data)) { 558 kleave(" = 0 [!match]"); 559 return 0; 560 } 561 562 /* key must have search permissions */ 563 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 564 key_task_permission(make_key_ref(key, ctx->possessed), 565 ctx->cred, KEY_NEED_SEARCH) < 0) { 566 ctx->result = ERR_PTR(-EACCES); 567 kleave(" = %d [!perm]", ctx->skipped_ret); 568 goto skipped; 569 } 570 571 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 572 /* we set a different error code if we pass a negative key */ 573 if (kflags & (1 << KEY_FLAG_NEGATIVE)) { 574 smp_rmb(); 575 ctx->result = ERR_PTR(key->type_data.reject_error); 576 kleave(" = %d [neg]", ctx->skipped_ret); 577 goto skipped; 578 } 579 } 580 581 /* Found */ 582 ctx->result = make_key_ref(key, ctx->possessed); 583 kleave(" = 1 [found]"); 584 return 1; 585 586skipped: 587 return ctx->skipped_ret; 588} 589 590/* 591 * Search inside a keyring for a key. We can search by walking to it 592 * directly based on its index-key or we can iterate over the entire 593 * tree looking for it, based on the match function. 594 */ 595static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) 596{ 597 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) { 598 const void *object; 599 600 object = assoc_array_find(&keyring->keys, 601 &keyring_assoc_array_ops, 602 &ctx->index_key); 603 return object ? ctx->iterator(object, ctx) : 0; 604 } 605 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); 606} 607 608/* 609 * Search a tree of keyrings that point to other keyrings up to the maximum 610 * depth. 611 */ 612static bool search_nested_keyrings(struct key *keyring, 613 struct keyring_search_context *ctx) 614{ 615 struct { 616 struct key *keyring; 617 struct assoc_array_node *node; 618 int slot; 619 } stack[KEYRING_SEARCH_MAX_DEPTH]; 620 621 struct assoc_array_shortcut *shortcut; 622 struct assoc_array_node *node; 623 struct assoc_array_ptr *ptr; 624 struct key *key; 625 int sp = 0, slot; 626 627 kenter("{%d},{%s,%s}", 628 keyring->serial, 629 ctx->index_key.type->name, 630 ctx->index_key.description); 631 632#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK) 633 BUG_ON((ctx->flags & STATE_CHECKS) == 0 || 634 (ctx->flags & STATE_CHECKS) == STATE_CHECKS); 635 636 if (ctx->index_key.description) 637 ctx->index_key.desc_len = strlen(ctx->index_key.description); 638 639 /* Check to see if this top-level keyring is what we are looking for 640 * and whether it is valid or not. 641 */ 642 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || 643 keyring_compare_object(keyring, &ctx->index_key)) { 644 ctx->skipped_ret = 2; 645 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { 646 case 1: 647 goto found; 648 case 2: 649 return false; 650 default: 651 break; 652 } 653 } 654 655 ctx->skipped_ret = 0; 656 657 /* Start processing a new keyring */ 658descend_to_keyring: 659 kdebug("descend to %d", keyring->serial); 660 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 661 (1 << KEY_FLAG_REVOKED))) 662 goto not_this_keyring; 663 664 /* Search through the keys in this keyring before its searching its 665 * subtrees. 666 */ 667 if (search_keyring(keyring, ctx)) 668 goto found; 669 670 /* Then manually iterate through the keyrings nested in this one. 671 * 672 * Start from the root node of the index tree. Because of the way the 673 * hash function has been set up, keyrings cluster on the leftmost 674 * branch of the root node (root slot 0) or in the root node itself. 675 * Non-keyrings avoid the leftmost branch of the root entirely (root 676 * slots 1-15). 677 */ 678 ptr = ACCESS_ONCE(keyring->keys.root); 679 if (!ptr) 680 goto not_this_keyring; 681 682 if (assoc_array_ptr_is_shortcut(ptr)) { 683 /* If the root is a shortcut, either the keyring only contains 684 * keyring pointers (everything clusters behind root slot 0) or 685 * doesn't contain any keyring pointers. 686 */ 687 shortcut = assoc_array_ptr_to_shortcut(ptr); 688 smp_read_barrier_depends(); 689 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) 690 goto not_this_keyring; 691 692 ptr = ACCESS_ONCE(shortcut->next_node); 693 node = assoc_array_ptr_to_node(ptr); 694 goto begin_node; 695 } 696 697 node = assoc_array_ptr_to_node(ptr); 698 smp_read_barrier_depends(); 699 700 ptr = node->slots[0]; 701 if (!assoc_array_ptr_is_meta(ptr)) 702 goto begin_node; 703 704descend_to_node: 705 /* Descend to a more distal node in this keyring's content tree and go 706 * through that. 707 */ 708 kdebug("descend"); 709 if (assoc_array_ptr_is_shortcut(ptr)) { 710 shortcut = assoc_array_ptr_to_shortcut(ptr); 711 smp_read_barrier_depends(); 712 ptr = ACCESS_ONCE(shortcut->next_node); 713 BUG_ON(!assoc_array_ptr_is_node(ptr)); 714 } 715 node = assoc_array_ptr_to_node(ptr); 716 717begin_node: 718 kdebug("begin_node"); 719 smp_read_barrier_depends(); 720 slot = 0; 721ascend_to_node: 722 /* Go through the slots in a node */ 723 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { 724 ptr = ACCESS_ONCE(node->slots[slot]); 725 726 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) 727 goto descend_to_node; 728 729 if (!keyring_ptr_is_keyring(ptr)) 730 continue; 731 732 key = keyring_ptr_to_key(ptr); 733 734 if (sp >= KEYRING_SEARCH_MAX_DEPTH) { 735 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) { 736 ctx->result = ERR_PTR(-ELOOP); 737 return false; 738 } 739 goto not_this_keyring; 740 } 741 742 /* Search a nested keyring */ 743 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 744 key_task_permission(make_key_ref(key, ctx->possessed), 745 ctx->cred, KEY_NEED_SEARCH) < 0) 746 continue; 747 748 /* stack the current position */ 749 stack[sp].keyring = keyring; 750 stack[sp].node = node; 751 stack[sp].slot = slot; 752 sp++; 753 754 /* begin again with the new keyring */ 755 keyring = key; 756 goto descend_to_keyring; 757 } 758 759 /* We've dealt with all the slots in the current node, so now we need 760 * to ascend to the parent and continue processing there. 761 */ 762 ptr = ACCESS_ONCE(node->back_pointer); 763 slot = node->parent_slot; 764 765 if (ptr && assoc_array_ptr_is_shortcut(ptr)) { 766 shortcut = assoc_array_ptr_to_shortcut(ptr); 767 smp_read_barrier_depends(); 768 ptr = ACCESS_ONCE(shortcut->back_pointer); 769 slot = shortcut->parent_slot; 770 } 771 if (!ptr) 772 goto not_this_keyring; 773 node = assoc_array_ptr_to_node(ptr); 774 smp_read_barrier_depends(); 775 slot++; 776 777 /* If we've ascended to the root (zero backpointer), we must have just 778 * finished processing the leftmost branch rather than the root slots - 779 * so there can't be any more keyrings for us to find. 780 */ 781 if (node->back_pointer) { 782 kdebug("ascend %d", slot); 783 goto ascend_to_node; 784 } 785 786 /* The keyring we're looking at was disqualified or didn't contain a 787 * matching key. 788 */ 789not_this_keyring: 790 kdebug("not_this_keyring %d", sp); 791 if (sp <= 0) { 792 kleave(" = false"); 793 return false; 794 } 795 796 /* Resume the processing of a keyring higher up in the tree */ 797 sp--; 798 keyring = stack[sp].keyring; 799 node = stack[sp].node; 800 slot = stack[sp].slot + 1; 801 kdebug("ascend to %d [%d]", keyring->serial, slot); 802 goto ascend_to_node; 803 804 /* We found a viable match */ 805found: 806 key = key_ref_to_ptr(ctx->result); 807 key_check(key); 808 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) { 809 key->last_used_at = ctx->now.tv_sec; 810 keyring->last_used_at = ctx->now.tv_sec; 811 while (sp > 0) 812 stack[--sp].keyring->last_used_at = ctx->now.tv_sec; 813 } 814 kleave(" = true"); 815 return true; 816} 817 818/** 819 * keyring_search_aux - Search a keyring tree for a key matching some criteria 820 * @keyring_ref: A pointer to the keyring with possession indicator. 821 * @ctx: The keyring search context. 822 * 823 * Search the supplied keyring tree for a key that matches the criteria given. 824 * The root keyring and any linked keyrings must grant Search permission to the 825 * caller to be searchable and keys can only be found if they too grant Search 826 * to the caller. The possession flag on the root keyring pointer controls use 827 * of the possessor bits in permissions checking of the entire tree. In 828 * addition, the LSM gets to forbid keyring searches and key matches. 829 * 830 * The search is performed as a breadth-then-depth search up to the prescribed 831 * limit (KEYRING_SEARCH_MAX_DEPTH). 832 * 833 * Keys are matched to the type provided and are then filtered by the match 834 * function, which is given the description to use in any way it sees fit. The 835 * match function may use any attributes of a key that it wishes to to 836 * determine the match. Normally the match function from the key type would be 837 * used. 838 * 839 * RCU can be used to prevent the keyring key lists from disappearing without 840 * the need to take lots of locks. 841 * 842 * Returns a pointer to the found key and increments the key usage count if 843 * successful; -EAGAIN if no matching keys were found, or if expired or revoked 844 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the 845 * specified keyring wasn't a keyring. 846 * 847 * In the case of a successful return, the possession attribute from 848 * @keyring_ref is propagated to the returned key reference. 849 */ 850key_ref_t keyring_search_aux(key_ref_t keyring_ref, 851 struct keyring_search_context *ctx) 852{ 853 struct key *keyring; 854 long err; 855 856 ctx->iterator = keyring_search_iterator; 857 ctx->possessed = is_key_possessed(keyring_ref); 858 ctx->result = ERR_PTR(-EAGAIN); 859 860 keyring = key_ref_to_ptr(keyring_ref); 861 key_check(keyring); 862 863 if (keyring->type != &key_type_keyring) 864 return ERR_PTR(-ENOTDIR); 865 866 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) { 867 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH); 868 if (err < 0) 869 return ERR_PTR(err); 870 } 871 872 rcu_read_lock(); 873 ctx->now = current_kernel_time(); 874 if (search_nested_keyrings(keyring, ctx)) 875 __key_get(key_ref_to_ptr(ctx->result)); 876 rcu_read_unlock(); 877 return ctx->result; 878} 879 880/** 881 * keyring_search - Search the supplied keyring tree for a matching key 882 * @keyring: The root of the keyring tree to be searched. 883 * @type: The type of keyring we want to find. 884 * @description: The name of the keyring we want to find. 885 * 886 * As keyring_search_aux() above, but using the current task's credentials and 887 * type's default matching function and preferred search method. 888 */ 889key_ref_t keyring_search(key_ref_t keyring, 890 struct key_type *type, 891 const char *description) 892{ 893 struct keyring_search_context ctx = { 894 .index_key.type = type, 895 .index_key.description = description, 896 .cred = current_cred(), 897 .match_data.cmp = key_default_cmp, 898 .match_data.raw_data = description, 899 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 900 .flags = KEYRING_SEARCH_DO_STATE_CHECK, 901 }; 902 key_ref_t key; 903 int ret; 904 905 if (type->match_preparse) { 906 ret = type->match_preparse(&ctx.match_data); 907 if (ret < 0) 908 return ERR_PTR(ret); 909 } 910 911 key = keyring_search_aux(keyring, &ctx); 912 913 if (type->match_free) 914 type->match_free(&ctx.match_data); 915 return key; 916} 917EXPORT_SYMBOL(keyring_search); 918 919/* 920 * Search the given keyring for a key that might be updated. 921 * 922 * The caller must guarantee that the keyring is a keyring and that the 923 * permission is granted to modify the keyring as no check is made here. The 924 * caller must also hold a lock on the keyring semaphore. 925 * 926 * Returns a pointer to the found key with usage count incremented if 927 * successful and returns NULL if not found. Revoked and invalidated keys are 928 * skipped over. 929 * 930 * If successful, the possession indicator is propagated from the keyring ref 931 * to the returned key reference. 932 */ 933key_ref_t find_key_to_update(key_ref_t keyring_ref, 934 const struct keyring_index_key *index_key) 935{ 936 struct key *keyring, *key; 937 const void *object; 938 939 keyring = key_ref_to_ptr(keyring_ref); 940 941 kenter("{%d},{%s,%s}", 942 keyring->serial, index_key->type->name, index_key->description); 943 944 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, 945 index_key); 946 947 if (object) 948 goto found; 949 950 kleave(" = NULL"); 951 return NULL; 952 953found: 954 key = keyring_ptr_to_key(object); 955 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | 956 (1 << KEY_FLAG_REVOKED))) { 957 kleave(" = NULL [x]"); 958 return NULL; 959 } 960 __key_get(key); 961 kleave(" = {%d}", key->serial); 962 return make_key_ref(key, is_key_possessed(keyring_ref)); 963} 964 965/* 966 * Find a keyring with the specified name. 967 * 968 * All named keyrings in the current user namespace are searched, provided they 969 * grant Search permission directly to the caller (unless this check is 970 * skipped). Keyrings whose usage points have reached zero or who have been 971 * revoked are skipped. 972 * 973 * Returns a pointer to the keyring with the keyring's refcount having being 974 * incremented on success. -ENOKEY is returned if a key could not be found. 975 */ 976struct key *find_keyring_by_name(const char *name, bool skip_perm_check) 977{ 978 struct key *keyring; 979 int bucket; 980 981 if (!name) 982 return ERR_PTR(-EINVAL); 983 984 bucket = keyring_hash(name); 985 986 read_lock(&keyring_name_lock); 987 988 if (keyring_name_hash[bucket].next) { 989 /* search this hash bucket for a keyring with a matching name 990 * that's readable and that hasn't been revoked */ 991 list_for_each_entry(keyring, 992 &keyring_name_hash[bucket], 993 type_data.link 994 ) { 995 if (!kuid_has_mapping(current_user_ns(), keyring->user->uid)) 996 continue; 997 998 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 999 continue; 1000 1001 if (strcmp(keyring->description, name) != 0) 1002 continue; 1003 1004 if (!skip_perm_check && 1005 key_permission(make_key_ref(keyring, 0), 1006 KEY_NEED_SEARCH) < 0) 1007 continue; 1008 1009 /* we've got a match but we might end up racing with 1010 * key_cleanup() if the keyring is currently 'dead' 1011 * (ie. it has a zero usage count) */ 1012 if (!atomic_inc_not_zero(&keyring->usage)) 1013 continue; 1014 keyring->last_used_at = current_kernel_time().tv_sec; 1015 goto out; 1016 } 1017 } 1018 1019 keyring = ERR_PTR(-ENOKEY); 1020out: 1021 read_unlock(&keyring_name_lock); 1022 return keyring; 1023} 1024 1025static int keyring_detect_cycle_iterator(const void *object, 1026 void *iterator_data) 1027{ 1028 struct keyring_search_context *ctx = iterator_data; 1029 const struct key *key = keyring_ptr_to_key(object); 1030 1031 kenter("{%d}", key->serial); 1032 1033 /* We might get a keyring with matching index-key that is nonetheless a 1034 * different keyring. */ 1035 if (key != ctx->match_data.raw_data) 1036 return 0; 1037 1038 ctx->result = ERR_PTR(-EDEADLK); 1039 return 1; 1040} 1041 1042/* 1043 * See if a cycle will will be created by inserting acyclic tree B in acyclic 1044 * tree A at the topmost level (ie: as a direct child of A). 1045 * 1046 * Since we are adding B to A at the top level, checking for cycles should just 1047 * be a matter of seeing if node A is somewhere in tree B. 1048 */ 1049static int keyring_detect_cycle(struct key *A, struct key *B) 1050{ 1051 struct keyring_search_context ctx = { 1052 .index_key = A->index_key, 1053 .match_data.raw_data = A, 1054 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 1055 .iterator = keyring_detect_cycle_iterator, 1056 .flags = (KEYRING_SEARCH_NO_STATE_CHECK | 1057 KEYRING_SEARCH_NO_UPDATE_TIME | 1058 KEYRING_SEARCH_NO_CHECK_PERM | 1059 KEYRING_SEARCH_DETECT_TOO_DEEP), 1060 }; 1061 1062 rcu_read_lock(); 1063 search_nested_keyrings(B, &ctx); 1064 rcu_read_unlock(); 1065 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result); 1066} 1067 1068/* 1069 * Preallocate memory so that a key can be linked into to a keyring. 1070 */ 1071int __key_link_begin(struct key *keyring, 1072 const struct keyring_index_key *index_key, 1073 struct assoc_array_edit **_edit) 1074 __acquires(&keyring->sem) 1075 __acquires(&keyring_serialise_link_sem) 1076{ 1077 struct assoc_array_edit *edit; 1078 int ret; 1079 1080 kenter("%d,%s,%s,", 1081 keyring->serial, index_key->type->name, index_key->description); 1082 1083 BUG_ON(index_key->desc_len == 0); 1084 1085 if (keyring->type != &key_type_keyring) 1086 return -ENOTDIR; 1087 1088 down_write(&keyring->sem); 1089 1090 ret = -EKEYREVOKED; 1091 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1092 goto error_krsem; 1093 1094 /* serialise link/link calls to prevent parallel calls causing a cycle 1095 * when linking two keyring in opposite orders */ 1096 if (index_key->type == &key_type_keyring) 1097 down_write(&keyring_serialise_link_sem); 1098 1099 /* Create an edit script that will insert/replace the key in the 1100 * keyring tree. 1101 */ 1102 edit = assoc_array_insert(&keyring->keys, 1103 &keyring_assoc_array_ops, 1104 index_key, 1105 NULL); 1106 if (IS_ERR(edit)) { 1107 ret = PTR_ERR(edit); 1108 goto error_sem; 1109 } 1110 1111 /* If we're not replacing a link in-place then we're going to need some 1112 * extra quota. 1113 */ 1114 if (!edit->dead_leaf) { 1115 ret = key_payload_reserve(keyring, 1116 keyring->datalen + KEYQUOTA_LINK_BYTES); 1117 if (ret < 0) 1118 goto error_cancel; 1119 } 1120 1121 *_edit = edit; 1122 kleave(" = 0"); 1123 return 0; 1124 1125error_cancel: 1126 assoc_array_cancel_edit(edit); 1127error_sem: 1128 if (index_key->type == &key_type_keyring) 1129 up_write(&keyring_serialise_link_sem); 1130error_krsem: 1131 up_write(&keyring->sem); 1132 kleave(" = %d", ret); 1133 return ret; 1134} 1135 1136/* 1137 * Check already instantiated keys aren't going to be a problem. 1138 * 1139 * The caller must have called __key_link_begin(). Don't need to call this for 1140 * keys that were created since __key_link_begin() was called. 1141 */ 1142int __key_link_check_live_key(struct key *keyring, struct key *key) 1143{ 1144 if (key->type == &key_type_keyring) 1145 /* check that we aren't going to create a cycle by linking one 1146 * keyring to another */ 1147 return keyring_detect_cycle(keyring, key); 1148 return 0; 1149} 1150 1151/* 1152 * Link a key into to a keyring. 1153 * 1154 * Must be called with __key_link_begin() having being called. Discards any 1155 * already extant link to matching key if there is one, so that each keyring 1156 * holds at most one link to any given key of a particular type+description 1157 * combination. 1158 */ 1159void __key_link(struct key *key, struct assoc_array_edit **_edit) 1160{ 1161 __key_get(key); 1162 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key)); 1163 assoc_array_apply_edit(*_edit); 1164 *_edit = NULL; 1165} 1166 1167/* 1168 * Finish linking a key into to a keyring. 1169 * 1170 * Must be called with __key_link_begin() having being called. 1171 */ 1172void __key_link_end(struct key *keyring, 1173 const struct keyring_index_key *index_key, 1174 struct assoc_array_edit *edit) 1175 __releases(&keyring->sem) 1176 __releases(&keyring_serialise_link_sem) 1177{ 1178 BUG_ON(index_key->type == NULL); 1179 kenter("%d,%s,", keyring->serial, index_key->type->name); 1180 1181 if (index_key->type == &key_type_keyring) 1182 up_write(&keyring_serialise_link_sem); 1183 1184 if (edit) { 1185 if (!edit->dead_leaf) { 1186 key_payload_reserve(keyring, 1187 keyring->datalen - KEYQUOTA_LINK_BYTES); 1188 } 1189 assoc_array_cancel_edit(edit); 1190 } 1191 up_write(&keyring->sem); 1192} 1193 1194/** 1195 * key_link - Link a key to a keyring 1196 * @keyring: The keyring to make the link in. 1197 * @key: The key to link to. 1198 * 1199 * Make a link in a keyring to a key, such that the keyring holds a reference 1200 * on that key and the key can potentially be found by searching that keyring. 1201 * 1202 * This function will write-lock the keyring's semaphore and will consume some 1203 * of the user's key data quota to hold the link. 1204 * 1205 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, 1206 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is 1207 * full, -EDQUOT if there is insufficient key data quota remaining to add 1208 * another link or -ENOMEM if there's insufficient memory. 1209 * 1210 * It is assumed that the caller has checked that it is permitted for a link to 1211 * be made (the keyring should have Write permission and the key Link 1212 * permission). 1213 */ 1214int key_link(struct key *keyring, struct key *key) 1215{ 1216 struct assoc_array_edit *edit; 1217 int ret; 1218 1219 kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage)); 1220 1221 key_check(keyring); 1222 key_check(key); 1223 1224 if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) && 1225 !test_bit(KEY_FLAG_TRUSTED, &key->flags)) 1226 return -EPERM; 1227 1228 ret = __key_link_begin(keyring, &key->index_key, &edit); 1229 if (ret == 0) { 1230 kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage)); 1231 ret = __key_link_check_live_key(keyring, key); 1232 if (ret == 0) 1233 __key_link(key, &edit); 1234 __key_link_end(keyring, &key->index_key, edit); 1235 } 1236 1237 kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage)); 1238 return ret; 1239} 1240EXPORT_SYMBOL(key_link); 1241 1242/** 1243 * key_unlink - Unlink the first link to a key from a keyring. 1244 * @keyring: The keyring to remove the link from. 1245 * @key: The key the link is to. 1246 * 1247 * Remove a link from a keyring to a key. 1248 * 1249 * This function will write-lock the keyring's semaphore. 1250 * 1251 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if 1252 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient 1253 * memory. 1254 * 1255 * It is assumed that the caller has checked that it is permitted for a link to 1256 * be removed (the keyring should have Write permission; no permissions are 1257 * required on the key). 1258 */ 1259int key_unlink(struct key *keyring, struct key *key) 1260{ 1261 struct assoc_array_edit *edit; 1262 int ret; 1263 1264 key_check(keyring); 1265 key_check(key); 1266 1267 if (keyring->type != &key_type_keyring) 1268 return -ENOTDIR; 1269 1270 down_write(&keyring->sem); 1271 1272 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, 1273 &key->index_key); 1274 if (IS_ERR(edit)) { 1275 ret = PTR_ERR(edit); 1276 goto error; 1277 } 1278 ret = -ENOENT; 1279 if (edit == NULL) 1280 goto error; 1281 1282 assoc_array_apply_edit(edit); 1283 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); 1284 ret = 0; 1285 1286error: 1287 up_write(&keyring->sem); 1288 return ret; 1289} 1290EXPORT_SYMBOL(key_unlink); 1291 1292/** 1293 * keyring_clear - Clear a keyring 1294 * @keyring: The keyring to clear. 1295 * 1296 * Clear the contents of the specified keyring. 1297 * 1298 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. 1299 */ 1300int keyring_clear(struct key *keyring) 1301{ 1302 struct assoc_array_edit *edit; 1303 int ret; 1304 1305 if (keyring->type != &key_type_keyring) 1306 return -ENOTDIR; 1307 1308 down_write(&keyring->sem); 1309 1310 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1311 if (IS_ERR(edit)) { 1312 ret = PTR_ERR(edit); 1313 } else { 1314 if (edit) 1315 assoc_array_apply_edit(edit); 1316 key_payload_reserve(keyring, 0); 1317 ret = 0; 1318 } 1319 1320 up_write(&keyring->sem); 1321 return ret; 1322} 1323EXPORT_SYMBOL(keyring_clear); 1324 1325/* 1326 * Dispose of the links from a revoked keyring. 1327 * 1328 * This is called with the key sem write-locked. 1329 */ 1330static void keyring_revoke(struct key *keyring) 1331{ 1332 struct assoc_array_edit *edit; 1333 1334 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1335 if (!IS_ERR(edit)) { 1336 if (edit) 1337 assoc_array_apply_edit(edit); 1338 key_payload_reserve(keyring, 0); 1339 } 1340} 1341 1342static bool keyring_gc_select_iterator(void *object, void *iterator_data) 1343{ 1344 struct key *key = keyring_ptr_to_key(object); 1345 time_t *limit = iterator_data; 1346 1347 if (key_is_dead(key, *limit)) 1348 return false; 1349 key_get(key); 1350 return true; 1351} 1352 1353static int keyring_gc_check_iterator(const void *object, void *iterator_data) 1354{ 1355 const struct key *key = keyring_ptr_to_key(object); 1356 time_t *limit = iterator_data; 1357 1358 key_check(key); 1359 return key_is_dead(key, *limit); 1360} 1361 1362/* 1363 * Garbage collect pointers from a keyring. 1364 * 1365 * Not called with any locks held. The keyring's key struct will not be 1366 * deallocated under us as only our caller may deallocate it. 1367 */ 1368void keyring_gc(struct key *keyring, time_t limit) 1369{ 1370 int result; 1371 1372 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1373 1374 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 1375 (1 << KEY_FLAG_REVOKED))) 1376 goto dont_gc; 1377 1378 /* scan the keyring looking for dead keys */ 1379 rcu_read_lock(); 1380 result = assoc_array_iterate(&keyring->keys, 1381 keyring_gc_check_iterator, &limit); 1382 rcu_read_unlock(); 1383 if (result == true) 1384 goto do_gc; 1385 1386dont_gc: 1387 kleave(" [no gc]"); 1388 return; 1389 1390do_gc: 1391 down_write(&keyring->sem); 1392 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, 1393 keyring_gc_select_iterator, &limit); 1394 up_write(&keyring->sem); 1395 kleave(" [gc]"); 1396} 1397