root/security/keys/keyring.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. keyring_ptr_is_keyring
  2. keyring_ptr_to_key
  3. keyring_key_to_ptr
  4. key_free_user_ns
  5. keyring_publish_name
  6. keyring_preparse
  7. keyring_free_preparse
  8. keyring_instantiate
  9. mult_64x32_and_fold
  10. hash_key_type_and_desc
  11. key_set_index_key
  12. key_put_tag
  13. key_remove_domain
  14. keyring_get_key_chunk
  15. keyring_get_object_key_chunk
  16. keyring_compare_object
  17. keyring_diff_objects
  18. keyring_free_object
  19. keyring_destroy
  20. keyring_describe
  21. keyring_read_iterator
  22. keyring_read
  23. keyring_alloc
  24. restrict_link_reject
  25. key_default_cmp
  26. keyring_search_iterator
  27. search_keyring
  28. search_nested_keyrings
  29. keyring_search_rcu
  30. keyring_search
  31. keyring_restriction_alloc
  32. keyring_detect_restriction_cycle
  33. keyring_restrict
  34. find_key_to_update
  35. find_keyring_by_name
  36. keyring_detect_cycle_iterator
  37. keyring_detect_cycle
  38. __key_link_lock
  39. __key_move_lock
  40. __key_link_begin
  41. __key_link_check_live_key
  42. __key_link
  43. __key_link_end
  44. __key_link_check_restriction
  45. key_link
  46. __key_unlink_lock
  47. __key_unlink_begin
  48. __key_unlink
  49. __key_unlink_end
  50. key_unlink
  51. key_move
  52. keyring_clear
  53. keyring_revoke
  54. keyring_gc_select_iterator
  55. keyring_gc_check_iterator
  56. keyring_gc
  57. keyring_restriction_gc

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /* Keyring handling
   3  *
   4  * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  */
   7 
   8 #include <linux/export.h>
   9 #include <linux/init.h>
  10 #include <linux/sched.h>
  11 #include <linux/slab.h>
  12 #include <linux/security.h>
  13 #include <linux/seq_file.h>
  14 #include <linux/err.h>
  15 #include <linux/user_namespace.h>
  16 #include <linux/nsproxy.h>
  17 #include <keys/keyring-type.h>
  18 #include <keys/user-type.h>
  19 #include <linux/assoc_array_priv.h>
  20 #include <linux/uaccess.h>
  21 #include <net/net_namespace.h>
  22 #include "internal.h"
  23 
  24 /*
  25  * When plumbing the depths of the key tree, this sets a hard limit
  26  * set on how deep we're willing to go.
  27  */
  28 #define KEYRING_SEARCH_MAX_DEPTH 6
  29 
  30 /*
  31  * We mark pointers we pass to the associative array with bit 1 set if
  32  * they're keyrings and clear otherwise.
  33  */
  34 #define KEYRING_PTR_SUBTYPE     0x2UL
  35 
  36 static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
  37 {
  38         return (unsigned long)x & KEYRING_PTR_SUBTYPE;
  39 }
  40 static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
  41 {
  42         void *object = assoc_array_ptr_to_leaf(x);
  43         return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
  44 }
  45 static inline void *keyring_key_to_ptr(struct key *key)
  46 {
  47         if (key->type == &key_type_keyring)
  48                 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
  49         return key;
  50 }
  51 
  52 static DEFINE_RWLOCK(keyring_name_lock);
  53 
  54 /*
  55  * Clean up the bits of user_namespace that belong to us.
  56  */
  57 void key_free_user_ns(struct user_namespace *ns)
  58 {
  59         write_lock(&keyring_name_lock);
  60         list_del_init(&ns->keyring_name_list);
  61         write_unlock(&keyring_name_lock);
  62 
  63         key_put(ns->user_keyring_register);
  64 #ifdef CONFIG_PERSISTENT_KEYRINGS
  65         key_put(ns->persistent_keyring_register);
  66 #endif
  67 }
  68 
  69 /*
  70  * The keyring key type definition.  Keyrings are simply keys of this type and
  71  * can be treated as ordinary keys in addition to having their own special
  72  * operations.
  73  */
  74 static int keyring_preparse(struct key_preparsed_payload *prep);
  75 static void keyring_free_preparse(struct key_preparsed_payload *prep);
  76 static int keyring_instantiate(struct key *keyring,
  77                                struct key_preparsed_payload *prep);
  78 static void keyring_revoke(struct key *keyring);
  79 static void keyring_destroy(struct key *keyring);
  80 static void keyring_describe(const struct key *keyring, struct seq_file *m);
  81 static long keyring_read(const struct key *keyring,
  82                          char __user *buffer, size_t buflen);
  83 
  84 struct key_type key_type_keyring = {
  85         .name           = "keyring",
  86         .def_datalen    = 0,
  87         .preparse       = keyring_preparse,
  88         .free_preparse  = keyring_free_preparse,
  89         .instantiate    = keyring_instantiate,
  90         .revoke         = keyring_revoke,
  91         .destroy        = keyring_destroy,
  92         .describe       = keyring_describe,
  93         .read           = keyring_read,
  94 };
  95 EXPORT_SYMBOL(key_type_keyring);
  96 
  97 /*
  98  * Semaphore to serialise link/link calls to prevent two link calls in parallel
  99  * introducing a cycle.
 100  */
 101 static DEFINE_MUTEX(keyring_serialise_link_lock);
 102 
 103 /*
 104  * Publish the name of a keyring so that it can be found by name (if it has
 105  * one and it doesn't begin with a dot).
 106  */
 107 static void keyring_publish_name(struct key *keyring)
 108 {
 109         struct user_namespace *ns = current_user_ns();
 110 
 111         if (keyring->description &&
 112             keyring->description[0] &&
 113             keyring->description[0] != '.') {
 114                 write_lock(&keyring_name_lock);
 115                 list_add_tail(&keyring->name_link, &ns->keyring_name_list);
 116                 write_unlock(&keyring_name_lock);
 117         }
 118 }
 119 
 120 /*
 121  * Preparse a keyring payload
 122  */
 123 static int keyring_preparse(struct key_preparsed_payload *prep)
 124 {
 125         return prep->datalen != 0 ? -EINVAL : 0;
 126 }
 127 
 128 /*
 129  * Free a preparse of a user defined key payload
 130  */
 131 static void keyring_free_preparse(struct key_preparsed_payload *prep)
 132 {
 133 }
 134 
 135 /*
 136  * Initialise a keyring.
 137  *
 138  * Returns 0 on success, -EINVAL if given any data.
 139  */
 140 static int keyring_instantiate(struct key *keyring,
 141                                struct key_preparsed_payload *prep)
 142 {
 143         assoc_array_init(&keyring->keys);
 144         /* make the keyring available by name if it has one */
 145         keyring_publish_name(keyring);
 146         return 0;
 147 }
 148 
 149 /*
 150  * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit.  Ideally we'd
 151  * fold the carry back too, but that requires inline asm.
 152  */
 153 static u64 mult_64x32_and_fold(u64 x, u32 y)
 154 {
 155         u64 hi = (u64)(u32)(x >> 32) * y;
 156         u64 lo = (u64)(u32)(x) * y;
 157         return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
 158 }
 159 
 160 /*
 161  * Hash a key type and description.
 162  */
 163 static void hash_key_type_and_desc(struct keyring_index_key *index_key)
 164 {
 165         const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
 166         const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
 167         const char *description = index_key->description;
 168         unsigned long hash, type;
 169         u32 piece;
 170         u64 acc;
 171         int n, desc_len = index_key->desc_len;
 172 
 173         type = (unsigned long)index_key->type;
 174         acc = mult_64x32_and_fold(type, desc_len + 13);
 175         acc = mult_64x32_and_fold(acc, 9207);
 176         piece = (unsigned long)index_key->domain_tag;
 177         acc = mult_64x32_and_fold(acc, piece);
 178         acc = mult_64x32_and_fold(acc, 9207);
 179 
 180         for (;;) {
 181                 n = desc_len;
 182                 if (n <= 0)
 183                         break;
 184                 if (n > 4)
 185                         n = 4;
 186                 piece = 0;
 187                 memcpy(&piece, description, n);
 188                 description += n;
 189                 desc_len -= n;
 190                 acc = mult_64x32_and_fold(acc, piece);
 191                 acc = mult_64x32_and_fold(acc, 9207);
 192         }
 193 
 194         /* Fold the hash down to 32 bits if need be. */
 195         hash = acc;
 196         if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
 197                 hash ^= acc >> 32;
 198 
 199         /* Squidge all the keyrings into a separate part of the tree to
 200          * ordinary keys by making sure the lowest level segment in the hash is
 201          * zero for keyrings and non-zero otherwise.
 202          */
 203         if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
 204                 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
 205         else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
 206                 hash = (hash + (hash << level_shift)) & ~fan_mask;
 207         index_key->hash = hash;
 208 }
 209 
 210 /*
 211  * Finalise an index key to include a part of the description actually in the
 212  * index key, to set the domain tag and to calculate the hash.
 213  */
 214 void key_set_index_key(struct keyring_index_key *index_key)
 215 {
 216         static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), };
 217         size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc));
 218 
 219         memcpy(index_key->desc, index_key->description, n);
 220 
 221         if (!index_key->domain_tag) {
 222                 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN)
 223                         index_key->domain_tag = current->nsproxy->net_ns->key_domain;
 224                 else
 225                         index_key->domain_tag = &default_domain_tag;
 226         }
 227 
 228         hash_key_type_and_desc(index_key);
 229 }
 230 
 231 /**
 232  * key_put_tag - Release a ref on a tag.
 233  * @tag: The tag to release.
 234  *
 235  * This releases a reference the given tag and returns true if that ref was the
 236  * last one.
 237  */
 238 bool key_put_tag(struct key_tag *tag)
 239 {
 240         if (refcount_dec_and_test(&tag->usage)) {
 241                 kfree_rcu(tag, rcu);
 242                 return true;
 243         }
 244 
 245         return false;
 246 }
 247 
 248 /**
 249  * key_remove_domain - Kill off a key domain and gc its keys
 250  * @domain_tag: The domain tag to release.
 251  *
 252  * This marks a domain tag as being dead and releases a ref on it.  If that
 253  * wasn't the last reference, the garbage collector is poked to try and delete
 254  * all keys that were in the domain.
 255  */
 256 void key_remove_domain(struct key_tag *domain_tag)
 257 {
 258         domain_tag->removed = true;
 259         if (!key_put_tag(domain_tag))
 260                 key_schedule_gc_links();
 261 }
 262 
 263 /*
 264  * Build the next index key chunk.
 265  *
 266  * We return it one word-sized chunk at a time.
 267  */
 268 static unsigned long keyring_get_key_chunk(const void *data, int level)
 269 {
 270         const struct keyring_index_key *index_key = data;
 271         unsigned long chunk = 0;
 272         const u8 *d;
 273         int desc_len = index_key->desc_len, n = sizeof(chunk);
 274 
 275         level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
 276         switch (level) {
 277         case 0:
 278                 return index_key->hash;
 279         case 1:
 280                 return index_key->x;
 281         case 2:
 282                 return (unsigned long)index_key->type;
 283         case 3:
 284                 return (unsigned long)index_key->domain_tag;
 285         default:
 286                 level -= 4;
 287                 if (desc_len <= sizeof(index_key->desc))
 288                         return 0;
 289 
 290                 d = index_key->description + sizeof(index_key->desc);
 291                 d += level * sizeof(long);
 292                 desc_len -= sizeof(index_key->desc);
 293                 if (desc_len > n)
 294                         desc_len = n;
 295                 do {
 296                         chunk <<= 8;
 297                         chunk |= *d++;
 298                 } while (--desc_len > 0);
 299                 return chunk;
 300         }
 301 }
 302 
 303 static unsigned long keyring_get_object_key_chunk(const void *object, int level)
 304 {
 305         const struct key *key = keyring_ptr_to_key(object);
 306         return keyring_get_key_chunk(&key->index_key, level);
 307 }
 308 
 309 static bool keyring_compare_object(const void *object, const void *data)
 310 {
 311         const struct keyring_index_key *index_key = data;
 312         const struct key *key = keyring_ptr_to_key(object);
 313 
 314         return key->index_key.type == index_key->type &&
 315                 key->index_key.domain_tag == index_key->domain_tag &&
 316                 key->index_key.desc_len == index_key->desc_len &&
 317                 memcmp(key->index_key.description, index_key->description,
 318                        index_key->desc_len) == 0;
 319 }
 320 
 321 /*
 322  * Compare the index keys of a pair of objects and determine the bit position
 323  * at which they differ - if they differ.
 324  */
 325 static int keyring_diff_objects(const void *object, const void *data)
 326 {
 327         const struct key *key_a = keyring_ptr_to_key(object);
 328         const struct keyring_index_key *a = &key_a->index_key;
 329         const struct keyring_index_key *b = data;
 330         unsigned long seg_a, seg_b;
 331         int level, i;
 332 
 333         level = 0;
 334         seg_a = a->hash;
 335         seg_b = b->hash;
 336         if ((seg_a ^ seg_b) != 0)
 337                 goto differ;
 338         level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
 339 
 340         /* The number of bits contributed by the hash is controlled by a
 341          * constant in the assoc_array headers.  Everything else thereafter we
 342          * can deal with as being machine word-size dependent.
 343          */
 344         seg_a = a->x;
 345         seg_b = b->x;
 346         if ((seg_a ^ seg_b) != 0)
 347                 goto differ;
 348         level += sizeof(unsigned long);
 349 
 350         /* The next bit may not work on big endian */
 351         seg_a = (unsigned long)a->type;
 352         seg_b = (unsigned long)b->type;
 353         if ((seg_a ^ seg_b) != 0)
 354                 goto differ;
 355         level += sizeof(unsigned long);
 356 
 357         seg_a = (unsigned long)a->domain_tag;
 358         seg_b = (unsigned long)b->domain_tag;
 359         if ((seg_a ^ seg_b) != 0)
 360                 goto differ;
 361         level += sizeof(unsigned long);
 362 
 363         i = sizeof(a->desc);
 364         if (a->desc_len <= i)
 365                 goto same;
 366 
 367         for (; i < a->desc_len; i++) {
 368                 seg_a = *(unsigned char *)(a->description + i);
 369                 seg_b = *(unsigned char *)(b->description + i);
 370                 if ((seg_a ^ seg_b) != 0)
 371                         goto differ_plus_i;
 372         }
 373 
 374 same:
 375         return -1;
 376 
 377 differ_plus_i:
 378         level += i;
 379 differ:
 380         i = level * 8 + __ffs(seg_a ^ seg_b);
 381         return i;
 382 }
 383 
 384 /*
 385  * Free an object after stripping the keyring flag off of the pointer.
 386  */
 387 static void keyring_free_object(void *object)
 388 {
 389         key_put(keyring_ptr_to_key(object));
 390 }
 391 
 392 /*
 393  * Operations for keyring management by the index-tree routines.
 394  */
 395 static const struct assoc_array_ops keyring_assoc_array_ops = {
 396         .get_key_chunk          = keyring_get_key_chunk,
 397         .get_object_key_chunk   = keyring_get_object_key_chunk,
 398         .compare_object         = keyring_compare_object,
 399         .diff_objects           = keyring_diff_objects,
 400         .free_object            = keyring_free_object,
 401 };
 402 
 403 /*
 404  * Clean up a keyring when it is destroyed.  Unpublish its name if it had one
 405  * and dispose of its data.
 406  *
 407  * The garbage collector detects the final key_put(), removes the keyring from
 408  * the serial number tree and then does RCU synchronisation before coming here,
 409  * so we shouldn't need to worry about code poking around here with the RCU
 410  * readlock held by this time.
 411  */
 412 static void keyring_destroy(struct key *keyring)
 413 {
 414         if (keyring->description) {
 415                 write_lock(&keyring_name_lock);
 416 
 417                 if (keyring->name_link.next != NULL &&
 418                     !list_empty(&keyring->name_link))
 419                         list_del(&keyring->name_link);
 420 
 421                 write_unlock(&keyring_name_lock);
 422         }
 423 
 424         if (keyring->restrict_link) {
 425                 struct key_restriction *keyres = keyring->restrict_link;
 426 
 427                 key_put(keyres->key);
 428                 kfree(keyres);
 429         }
 430 
 431         assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
 432 }
 433 
 434 /*
 435  * Describe a keyring for /proc.
 436  */
 437 static void keyring_describe(const struct key *keyring, struct seq_file *m)
 438 {
 439         if (keyring->description)
 440                 seq_puts(m, keyring->description);
 441         else
 442                 seq_puts(m, "[anon]");
 443 
 444         if (key_is_positive(keyring)) {
 445                 if (keyring->keys.nr_leaves_on_tree != 0)
 446                         seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
 447                 else
 448                         seq_puts(m, ": empty");
 449         }
 450 }
 451 
 452 struct keyring_read_iterator_context {
 453         size_t                  buflen;
 454         size_t                  count;
 455         key_serial_t __user     *buffer;
 456 };
 457 
 458 static int keyring_read_iterator(const void *object, void *data)
 459 {
 460         struct keyring_read_iterator_context *ctx = data;
 461         const struct key *key = keyring_ptr_to_key(object);
 462 
 463         kenter("{%s,%d},,{%zu/%zu}",
 464                key->type->name, key->serial, ctx->count, ctx->buflen);
 465 
 466         if (ctx->count >= ctx->buflen)
 467                 return 1;
 468 
 469         *ctx->buffer++ = key->serial;
 470         ctx->count += sizeof(key->serial);
 471         return 0;
 472 }
 473 
 474 /*
 475  * Read a list of key IDs from the keyring's contents in binary form
 476  *
 477  * The keyring's semaphore is read-locked by the caller.  This prevents someone
 478  * from modifying it under us - which could cause us to read key IDs multiple
 479  * times.
 480  */
 481 static long keyring_read(const struct key *keyring,
 482                          char __user *buffer, size_t buflen)
 483 {
 484         struct keyring_read_iterator_context ctx;
 485         long ret;
 486 
 487         kenter("{%d},,%zu", key_serial(keyring), buflen);
 488 
 489         if (buflen & (sizeof(key_serial_t) - 1))
 490                 return -EINVAL;
 491 
 492         /* Copy as many key IDs as fit into the buffer */
 493         if (buffer && buflen) {
 494                 ctx.buffer = (key_serial_t __user *)buffer;
 495                 ctx.buflen = buflen;
 496                 ctx.count = 0;
 497                 ret = assoc_array_iterate(&keyring->keys,
 498                                           keyring_read_iterator, &ctx);
 499                 if (ret < 0) {
 500                         kleave(" = %ld [iterate]", ret);
 501                         return ret;
 502                 }
 503         }
 504 
 505         /* Return the size of the buffer needed */
 506         ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
 507         if (ret <= buflen)
 508                 kleave("= %ld [ok]", ret);
 509         else
 510                 kleave("= %ld [buffer too small]", ret);
 511         return ret;
 512 }
 513 
 514 /*
 515  * Allocate a keyring and link into the destination keyring.
 516  */
 517 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
 518                           const struct cred *cred, key_perm_t perm,
 519                           unsigned long flags,
 520                           struct key_restriction *restrict_link,
 521                           struct key *dest)
 522 {
 523         struct key *keyring;
 524         int ret;
 525 
 526         keyring = key_alloc(&key_type_keyring, description,
 527                             uid, gid, cred, perm, flags, restrict_link);
 528         if (!IS_ERR(keyring)) {
 529                 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
 530                 if (ret < 0) {
 531                         key_put(keyring);
 532                         keyring = ERR_PTR(ret);
 533                 }
 534         }
 535 
 536         return keyring;
 537 }
 538 EXPORT_SYMBOL(keyring_alloc);
 539 
 540 /**
 541  * restrict_link_reject - Give -EPERM to restrict link
 542  * @keyring: The keyring being added to.
 543  * @type: The type of key being added.
 544  * @payload: The payload of the key intended to be added.
 545  * @restriction_key: Keys providing additional data for evaluating restriction.
 546  *
 547  * Reject the addition of any links to a keyring.  It can be overridden by
 548  * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when
 549  * adding a key to a keyring.
 550  *
 551  * This is meant to be stored in a key_restriction structure which is passed
 552  * in the restrict_link parameter to keyring_alloc().
 553  */
 554 int restrict_link_reject(struct key *keyring,
 555                          const struct key_type *type,
 556                          const union key_payload *payload,
 557                          struct key *restriction_key)
 558 {
 559         return -EPERM;
 560 }
 561 
 562 /*
 563  * By default, we keys found by getting an exact match on their descriptions.
 564  */
 565 bool key_default_cmp(const struct key *key,
 566                      const struct key_match_data *match_data)
 567 {
 568         return strcmp(key->description, match_data->raw_data) == 0;
 569 }
 570 
 571 /*
 572  * Iteration function to consider each key found.
 573  */
 574 static int keyring_search_iterator(const void *object, void *iterator_data)
 575 {
 576         struct keyring_search_context *ctx = iterator_data;
 577         const struct key *key = keyring_ptr_to_key(object);
 578         unsigned long kflags = READ_ONCE(key->flags);
 579         short state = READ_ONCE(key->state);
 580 
 581         kenter("{%d}", key->serial);
 582 
 583         /* ignore keys not of this type */
 584         if (key->type != ctx->index_key.type) {
 585                 kleave(" = 0 [!type]");
 586                 return 0;
 587         }
 588 
 589         /* skip invalidated, revoked and expired keys */
 590         if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
 591                 time64_t expiry = READ_ONCE(key->expiry);
 592 
 593                 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
 594                               (1 << KEY_FLAG_REVOKED))) {
 595                         ctx->result = ERR_PTR(-EKEYREVOKED);
 596                         kleave(" = %d [invrev]", ctx->skipped_ret);
 597                         goto skipped;
 598                 }
 599 
 600                 if (expiry && ctx->now >= expiry) {
 601                         if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED))
 602                                 ctx->result = ERR_PTR(-EKEYEXPIRED);
 603                         kleave(" = %d [expire]", ctx->skipped_ret);
 604                         goto skipped;
 605                 }
 606         }
 607 
 608         /* keys that don't match */
 609         if (!ctx->match_data.cmp(key, &ctx->match_data)) {
 610                 kleave(" = 0 [!match]");
 611                 return 0;
 612         }
 613 
 614         /* key must have search permissions */
 615         if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
 616             key_task_permission(make_key_ref(key, ctx->possessed),
 617                                 ctx->cred, KEY_NEED_SEARCH) < 0) {
 618                 ctx->result = ERR_PTR(-EACCES);
 619                 kleave(" = %d [!perm]", ctx->skipped_ret);
 620                 goto skipped;
 621         }
 622 
 623         if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
 624                 /* we set a different error code if we pass a negative key */
 625                 if (state < 0) {
 626                         ctx->result = ERR_PTR(state);
 627                         kleave(" = %d [neg]", ctx->skipped_ret);
 628                         goto skipped;
 629                 }
 630         }
 631 
 632         /* Found */
 633         ctx->result = make_key_ref(key, ctx->possessed);
 634         kleave(" = 1 [found]");
 635         return 1;
 636 
 637 skipped:
 638         return ctx->skipped_ret;
 639 }
 640 
 641 /*
 642  * Search inside a keyring for a key.  We can search by walking to it
 643  * directly based on its index-key or we can iterate over the entire
 644  * tree looking for it, based on the match function.
 645  */
 646 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
 647 {
 648         if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) {
 649                 const void *object;
 650 
 651                 object = assoc_array_find(&keyring->keys,
 652                                           &keyring_assoc_array_ops,
 653                                           &ctx->index_key);
 654                 return object ? ctx->iterator(object, ctx) : 0;
 655         }
 656         return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
 657 }
 658 
 659 /*
 660  * Search a tree of keyrings that point to other keyrings up to the maximum
 661  * depth.
 662  */
 663 static bool search_nested_keyrings(struct key *keyring,
 664                                    struct keyring_search_context *ctx)
 665 {
 666         struct {
 667                 struct key *keyring;
 668                 struct assoc_array_node *node;
 669                 int slot;
 670         } stack[KEYRING_SEARCH_MAX_DEPTH];
 671 
 672         struct assoc_array_shortcut *shortcut;
 673         struct assoc_array_node *node;
 674         struct assoc_array_ptr *ptr;
 675         struct key *key;
 676         int sp = 0, slot;
 677 
 678         kenter("{%d},{%s,%s}",
 679                keyring->serial,
 680                ctx->index_key.type->name,
 681                ctx->index_key.description);
 682 
 683 #define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
 684         BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
 685                (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
 686 
 687         if (ctx->index_key.description)
 688                 key_set_index_key(&ctx->index_key);
 689 
 690         /* Check to see if this top-level keyring is what we are looking for
 691          * and whether it is valid or not.
 692          */
 693         if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
 694             keyring_compare_object(keyring, &ctx->index_key)) {
 695                 ctx->skipped_ret = 2;
 696                 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
 697                 case 1:
 698                         goto found;
 699                 case 2:
 700                         return false;
 701                 default:
 702                         break;
 703                 }
 704         }
 705 
 706         ctx->skipped_ret = 0;
 707 
 708         /* Start processing a new keyring */
 709 descend_to_keyring:
 710         kdebug("descend to %d", keyring->serial);
 711         if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
 712                               (1 << KEY_FLAG_REVOKED)))
 713                 goto not_this_keyring;
 714 
 715         /* Search through the keys in this keyring before its searching its
 716          * subtrees.
 717          */
 718         if (search_keyring(keyring, ctx))
 719                 goto found;
 720 
 721         /* Then manually iterate through the keyrings nested in this one.
 722          *
 723          * Start from the root node of the index tree.  Because of the way the
 724          * hash function has been set up, keyrings cluster on the leftmost
 725          * branch of the root node (root slot 0) or in the root node itself.
 726          * Non-keyrings avoid the leftmost branch of the root entirely (root
 727          * slots 1-15).
 728          */
 729         if (!(ctx->flags & KEYRING_SEARCH_RECURSE))
 730                 goto not_this_keyring;
 731 
 732         ptr = READ_ONCE(keyring->keys.root);
 733         if (!ptr)
 734                 goto not_this_keyring;
 735 
 736         if (assoc_array_ptr_is_shortcut(ptr)) {
 737                 /* If the root is a shortcut, either the keyring only contains
 738                  * keyring pointers (everything clusters behind root slot 0) or
 739                  * doesn't contain any keyring pointers.
 740                  */
 741                 shortcut = assoc_array_ptr_to_shortcut(ptr);
 742                 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
 743                         goto not_this_keyring;
 744 
 745                 ptr = READ_ONCE(shortcut->next_node);
 746                 node = assoc_array_ptr_to_node(ptr);
 747                 goto begin_node;
 748         }
 749 
 750         node = assoc_array_ptr_to_node(ptr);
 751         ptr = node->slots[0];
 752         if (!assoc_array_ptr_is_meta(ptr))
 753                 goto begin_node;
 754 
 755 descend_to_node:
 756         /* Descend to a more distal node in this keyring's content tree and go
 757          * through that.
 758          */
 759         kdebug("descend");
 760         if (assoc_array_ptr_is_shortcut(ptr)) {
 761                 shortcut = assoc_array_ptr_to_shortcut(ptr);
 762                 ptr = READ_ONCE(shortcut->next_node);
 763                 BUG_ON(!assoc_array_ptr_is_node(ptr));
 764         }
 765         node = assoc_array_ptr_to_node(ptr);
 766 
 767 begin_node:
 768         kdebug("begin_node");
 769         slot = 0;
 770 ascend_to_node:
 771         /* Go through the slots in a node */
 772         for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
 773                 ptr = READ_ONCE(node->slots[slot]);
 774 
 775                 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
 776                         goto descend_to_node;
 777 
 778                 if (!keyring_ptr_is_keyring(ptr))
 779                         continue;
 780 
 781                 key = keyring_ptr_to_key(ptr);
 782 
 783                 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
 784                         if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
 785                                 ctx->result = ERR_PTR(-ELOOP);
 786                                 return false;
 787                         }
 788                         goto not_this_keyring;
 789                 }
 790 
 791                 /* Search a nested keyring */
 792                 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
 793                     key_task_permission(make_key_ref(key, ctx->possessed),
 794                                         ctx->cred, KEY_NEED_SEARCH) < 0)
 795                         continue;
 796 
 797                 /* stack the current position */
 798                 stack[sp].keyring = keyring;
 799                 stack[sp].node = node;
 800                 stack[sp].slot = slot;
 801                 sp++;
 802 
 803                 /* begin again with the new keyring */
 804                 keyring = key;
 805                 goto descend_to_keyring;
 806         }
 807 
 808         /* We've dealt with all the slots in the current node, so now we need
 809          * to ascend to the parent and continue processing there.
 810          */
 811         ptr = READ_ONCE(node->back_pointer);
 812         slot = node->parent_slot;
 813 
 814         if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
 815                 shortcut = assoc_array_ptr_to_shortcut(ptr);
 816                 ptr = READ_ONCE(shortcut->back_pointer);
 817                 slot = shortcut->parent_slot;
 818         }
 819         if (!ptr)
 820                 goto not_this_keyring;
 821         node = assoc_array_ptr_to_node(ptr);
 822         slot++;
 823 
 824         /* If we've ascended to the root (zero backpointer), we must have just
 825          * finished processing the leftmost branch rather than the root slots -
 826          * so there can't be any more keyrings for us to find.
 827          */
 828         if (node->back_pointer) {
 829                 kdebug("ascend %d", slot);
 830                 goto ascend_to_node;
 831         }
 832 
 833         /* The keyring we're looking at was disqualified or didn't contain a
 834          * matching key.
 835          */
 836 not_this_keyring:
 837         kdebug("not_this_keyring %d", sp);
 838         if (sp <= 0) {
 839                 kleave(" = false");
 840                 return false;
 841         }
 842 
 843         /* Resume the processing of a keyring higher up in the tree */
 844         sp--;
 845         keyring = stack[sp].keyring;
 846         node = stack[sp].node;
 847         slot = stack[sp].slot + 1;
 848         kdebug("ascend to %d [%d]", keyring->serial, slot);
 849         goto ascend_to_node;
 850 
 851         /* We found a viable match */
 852 found:
 853         key = key_ref_to_ptr(ctx->result);
 854         key_check(key);
 855         if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
 856                 key->last_used_at = ctx->now;
 857                 keyring->last_used_at = ctx->now;
 858                 while (sp > 0)
 859                         stack[--sp].keyring->last_used_at = ctx->now;
 860         }
 861         kleave(" = true");
 862         return true;
 863 }
 864 
 865 /**
 866  * keyring_search_rcu - Search a keyring tree for a matching key under RCU
 867  * @keyring_ref: A pointer to the keyring with possession indicator.
 868  * @ctx: The keyring search context.
 869  *
 870  * Search the supplied keyring tree for a key that matches the criteria given.
 871  * The root keyring and any linked keyrings must grant Search permission to the
 872  * caller to be searchable and keys can only be found if they too grant Search
 873  * to the caller. The possession flag on the root keyring pointer controls use
 874  * of the possessor bits in permissions checking of the entire tree.  In
 875  * addition, the LSM gets to forbid keyring searches and key matches.
 876  *
 877  * The search is performed as a breadth-then-depth search up to the prescribed
 878  * limit (KEYRING_SEARCH_MAX_DEPTH).  The caller must hold the RCU read lock to
 879  * prevent keyrings from being destroyed or rearranged whilst they are being
 880  * searched.
 881  *
 882  * Keys are matched to the type provided and are then filtered by the match
 883  * function, which is given the description to use in any way it sees fit.  The
 884  * match function may use any attributes of a key that it wishes to to
 885  * determine the match.  Normally the match function from the key type would be
 886  * used.
 887  *
 888  * RCU can be used to prevent the keyring key lists from disappearing without
 889  * the need to take lots of locks.
 890  *
 891  * Returns a pointer to the found key and increments the key usage count if
 892  * successful; -EAGAIN if no matching keys were found, or if expired or revoked
 893  * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
 894  * specified keyring wasn't a keyring.
 895  *
 896  * In the case of a successful return, the possession attribute from
 897  * @keyring_ref is propagated to the returned key reference.
 898  */
 899 key_ref_t keyring_search_rcu(key_ref_t keyring_ref,
 900                              struct keyring_search_context *ctx)
 901 {
 902         struct key *keyring;
 903         long err;
 904 
 905         ctx->iterator = keyring_search_iterator;
 906         ctx->possessed = is_key_possessed(keyring_ref);
 907         ctx->result = ERR_PTR(-EAGAIN);
 908 
 909         keyring = key_ref_to_ptr(keyring_ref);
 910         key_check(keyring);
 911 
 912         if (keyring->type != &key_type_keyring)
 913                 return ERR_PTR(-ENOTDIR);
 914 
 915         if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
 916                 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
 917                 if (err < 0)
 918                         return ERR_PTR(err);
 919         }
 920 
 921         ctx->now = ktime_get_real_seconds();
 922         if (search_nested_keyrings(keyring, ctx))
 923                 __key_get(key_ref_to_ptr(ctx->result));
 924         return ctx->result;
 925 }
 926 
 927 /**
 928  * keyring_search - Search the supplied keyring tree for a matching key
 929  * @keyring: The root of the keyring tree to be searched.
 930  * @type: The type of keyring we want to find.
 931  * @description: The name of the keyring we want to find.
 932  * @recurse: True to search the children of @keyring also
 933  *
 934  * As keyring_search_rcu() above, but using the current task's credentials and
 935  * type's default matching function and preferred search method.
 936  */
 937 key_ref_t keyring_search(key_ref_t keyring,
 938                          struct key_type *type,
 939                          const char *description,
 940                          bool recurse)
 941 {
 942         struct keyring_search_context ctx = {
 943                 .index_key.type         = type,
 944                 .index_key.description  = description,
 945                 .index_key.desc_len     = strlen(description),
 946                 .cred                   = current_cred(),
 947                 .match_data.cmp         = key_default_cmp,
 948                 .match_data.raw_data    = description,
 949                 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 950                 .flags                  = KEYRING_SEARCH_DO_STATE_CHECK,
 951         };
 952         key_ref_t key;
 953         int ret;
 954 
 955         if (recurse)
 956                 ctx.flags |= KEYRING_SEARCH_RECURSE;
 957         if (type->match_preparse) {
 958                 ret = type->match_preparse(&ctx.match_data);
 959                 if (ret < 0)
 960                         return ERR_PTR(ret);
 961         }
 962 
 963         rcu_read_lock();
 964         key = keyring_search_rcu(keyring, &ctx);
 965         rcu_read_unlock();
 966 
 967         if (type->match_free)
 968                 type->match_free(&ctx.match_data);
 969         return key;
 970 }
 971 EXPORT_SYMBOL(keyring_search);
 972 
 973 static struct key_restriction *keyring_restriction_alloc(
 974         key_restrict_link_func_t check)
 975 {
 976         struct key_restriction *keyres =
 977                 kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
 978 
 979         if (!keyres)
 980                 return ERR_PTR(-ENOMEM);
 981 
 982         keyres->check = check;
 983 
 984         return keyres;
 985 }
 986 
 987 /*
 988  * Semaphore to serialise restriction setup to prevent reference count
 989  * cycles through restriction key pointers.
 990  */
 991 static DECLARE_RWSEM(keyring_serialise_restrict_sem);
 992 
 993 /*
 994  * Check for restriction cycles that would prevent keyring garbage collection.
 995  * keyring_serialise_restrict_sem must be held.
 996  */
 997 static bool keyring_detect_restriction_cycle(const struct key *dest_keyring,
 998                                              struct key_restriction *keyres)
 999 {
1000         while (keyres && keyres->key &&
1001                keyres->key->type == &key_type_keyring) {
1002                 if (keyres->key == dest_keyring)
1003                         return true;
1004 
1005                 keyres = keyres->key->restrict_link;
1006         }
1007 
1008         return false;
1009 }
1010 
1011 /**
1012  * keyring_restrict - Look up and apply a restriction to a keyring
1013  * @keyring_ref: The keyring to be restricted
1014  * @type: The key type that will provide the restriction checker.
1015  * @restriction: The restriction options to apply to the keyring
1016  *
1017  * Look up a keyring and apply a restriction to it.  The restriction is managed
1018  * by the specific key type, but can be configured by the options specified in
1019  * the restriction string.
1020  */
1021 int keyring_restrict(key_ref_t keyring_ref, const char *type,
1022                      const char *restriction)
1023 {
1024         struct key *keyring;
1025         struct key_type *restrict_type = NULL;
1026         struct key_restriction *restrict_link;
1027         int ret = 0;
1028 
1029         keyring = key_ref_to_ptr(keyring_ref);
1030         key_check(keyring);
1031 
1032         if (keyring->type != &key_type_keyring)
1033                 return -ENOTDIR;
1034 
1035         if (!type) {
1036                 restrict_link = keyring_restriction_alloc(restrict_link_reject);
1037         } else {
1038                 restrict_type = key_type_lookup(type);
1039 
1040                 if (IS_ERR(restrict_type))
1041                         return PTR_ERR(restrict_type);
1042 
1043                 if (!restrict_type->lookup_restriction) {
1044                         ret = -ENOENT;
1045                         goto error;
1046                 }
1047 
1048                 restrict_link = restrict_type->lookup_restriction(restriction);
1049         }
1050 
1051         if (IS_ERR(restrict_link)) {
1052                 ret = PTR_ERR(restrict_link);
1053                 goto error;
1054         }
1055 
1056         down_write(&keyring->sem);
1057         down_write(&keyring_serialise_restrict_sem);
1058 
1059         if (keyring->restrict_link)
1060                 ret = -EEXIST;
1061         else if (keyring_detect_restriction_cycle(keyring, restrict_link))
1062                 ret = -EDEADLK;
1063         else
1064                 keyring->restrict_link = restrict_link;
1065 
1066         up_write(&keyring_serialise_restrict_sem);
1067         up_write(&keyring->sem);
1068 
1069         if (ret < 0) {
1070                 key_put(restrict_link->key);
1071                 kfree(restrict_link);
1072         }
1073 
1074 error:
1075         if (restrict_type)
1076                 key_type_put(restrict_type);
1077 
1078         return ret;
1079 }
1080 EXPORT_SYMBOL(keyring_restrict);
1081 
1082 /*
1083  * Search the given keyring for a key that might be updated.
1084  *
1085  * The caller must guarantee that the keyring is a keyring and that the
1086  * permission is granted to modify the keyring as no check is made here.  The
1087  * caller must also hold a lock on the keyring semaphore.
1088  *
1089  * Returns a pointer to the found key with usage count incremented if
1090  * successful and returns NULL if not found.  Revoked and invalidated keys are
1091  * skipped over.
1092  *
1093  * If successful, the possession indicator is propagated from the keyring ref
1094  * to the returned key reference.
1095  */
1096 key_ref_t find_key_to_update(key_ref_t keyring_ref,
1097                              const struct keyring_index_key *index_key)
1098 {
1099         struct key *keyring, *key;
1100         const void *object;
1101 
1102         keyring = key_ref_to_ptr(keyring_ref);
1103 
1104         kenter("{%d},{%s,%s}",
1105                keyring->serial, index_key->type->name, index_key->description);
1106 
1107         object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
1108                                   index_key);
1109 
1110         if (object)
1111                 goto found;
1112 
1113         kleave(" = NULL");
1114         return NULL;
1115 
1116 found:
1117         key = keyring_ptr_to_key(object);
1118         if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
1119                           (1 << KEY_FLAG_REVOKED))) {
1120                 kleave(" = NULL [x]");
1121                 return NULL;
1122         }
1123         __key_get(key);
1124         kleave(" = {%d}", key->serial);
1125         return make_key_ref(key, is_key_possessed(keyring_ref));
1126 }
1127 
1128 /*
1129  * Find a keyring with the specified name.
1130  *
1131  * Only keyrings that have nonzero refcount, are not revoked, and are owned by a
1132  * user in the current user namespace are considered.  If @uid_keyring is %true,
1133  * the keyring additionally must have been allocated as a user or user session
1134  * keyring; otherwise, it must grant Search permission directly to the caller.
1135  *
1136  * Returns a pointer to the keyring with the keyring's refcount having being
1137  * incremented on success.  -ENOKEY is returned if a key could not be found.
1138  */
1139 struct key *find_keyring_by_name(const char *name, bool uid_keyring)
1140 {
1141         struct user_namespace *ns = current_user_ns();
1142         struct key *keyring;
1143 
1144         if (!name)
1145                 return ERR_PTR(-EINVAL);
1146 
1147         read_lock(&keyring_name_lock);
1148 
1149         /* Search this hash bucket for a keyring with a matching name that
1150          * grants Search permission and that hasn't been revoked
1151          */
1152         list_for_each_entry(keyring, &ns->keyring_name_list, name_link) {
1153                 if (!kuid_has_mapping(ns, keyring->user->uid))
1154                         continue;
1155 
1156                 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1157                         continue;
1158 
1159                 if (strcmp(keyring->description, name) != 0)
1160                         continue;
1161 
1162                 if (uid_keyring) {
1163                         if (!test_bit(KEY_FLAG_UID_KEYRING,
1164                                       &keyring->flags))
1165                                 continue;
1166                 } else {
1167                         if (key_permission(make_key_ref(keyring, 0),
1168                                            KEY_NEED_SEARCH) < 0)
1169                                 continue;
1170                 }
1171 
1172                 /* we've got a match but we might end up racing with
1173                  * key_cleanup() if the keyring is currently 'dead'
1174                  * (ie. it has a zero usage count) */
1175                 if (!refcount_inc_not_zero(&keyring->usage))
1176                         continue;
1177                 keyring->last_used_at = ktime_get_real_seconds();
1178                 goto out;
1179         }
1180 
1181         keyring = ERR_PTR(-ENOKEY);
1182 out:
1183         read_unlock(&keyring_name_lock);
1184         return keyring;
1185 }
1186 
1187 static int keyring_detect_cycle_iterator(const void *object,
1188                                          void *iterator_data)
1189 {
1190         struct keyring_search_context *ctx = iterator_data;
1191         const struct key *key = keyring_ptr_to_key(object);
1192 
1193         kenter("{%d}", key->serial);
1194 
1195         /* We might get a keyring with matching index-key that is nonetheless a
1196          * different keyring. */
1197         if (key != ctx->match_data.raw_data)
1198                 return 0;
1199 
1200         ctx->result = ERR_PTR(-EDEADLK);
1201         return 1;
1202 }
1203 
1204 /*
1205  * See if a cycle will will be created by inserting acyclic tree B in acyclic
1206  * tree A at the topmost level (ie: as a direct child of A).
1207  *
1208  * Since we are adding B to A at the top level, checking for cycles should just
1209  * be a matter of seeing if node A is somewhere in tree B.
1210  */
1211 static int keyring_detect_cycle(struct key *A, struct key *B)
1212 {
1213         struct keyring_search_context ctx = {
1214                 .index_key              = A->index_key,
1215                 .match_data.raw_data    = A,
1216                 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
1217                 .iterator               = keyring_detect_cycle_iterator,
1218                 .flags                  = (KEYRING_SEARCH_NO_STATE_CHECK |
1219                                            KEYRING_SEARCH_NO_UPDATE_TIME |
1220                                            KEYRING_SEARCH_NO_CHECK_PERM |
1221                                            KEYRING_SEARCH_DETECT_TOO_DEEP |
1222                                            KEYRING_SEARCH_RECURSE),
1223         };
1224 
1225         rcu_read_lock();
1226         search_nested_keyrings(B, &ctx);
1227         rcu_read_unlock();
1228         return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
1229 }
1230 
1231 /*
1232  * Lock keyring for link.
1233  */
1234 int __key_link_lock(struct key *keyring,
1235                     const struct keyring_index_key *index_key)
1236         __acquires(&keyring->sem)
1237         __acquires(&keyring_serialise_link_lock)
1238 {
1239         if (keyring->type != &key_type_keyring)
1240                 return -ENOTDIR;
1241 
1242         down_write(&keyring->sem);
1243 
1244         /* Serialise link/link calls to prevent parallel calls causing a cycle
1245          * when linking two keyring in opposite orders.
1246          */
1247         if (index_key->type == &key_type_keyring)
1248                 mutex_lock(&keyring_serialise_link_lock);
1249 
1250         return 0;
1251 }
1252 
1253 /*
1254  * Lock keyrings for move (link/unlink combination).
1255  */
1256 int __key_move_lock(struct key *l_keyring, struct key *u_keyring,
1257                     const struct keyring_index_key *index_key)
1258         __acquires(&l_keyring->sem)
1259         __acquires(&u_keyring->sem)
1260         __acquires(&keyring_serialise_link_lock)
1261 {
1262         if (l_keyring->type != &key_type_keyring ||
1263             u_keyring->type != &key_type_keyring)
1264                 return -ENOTDIR;
1265 
1266         /* We have to be very careful here to take the keyring locks in the
1267          * right order, lest we open ourselves to deadlocking against another
1268          * move operation.
1269          */
1270         if (l_keyring < u_keyring) {
1271                 down_write(&l_keyring->sem);
1272                 down_write_nested(&u_keyring->sem, 1);
1273         } else {
1274                 down_write(&u_keyring->sem);
1275                 down_write_nested(&l_keyring->sem, 1);
1276         }
1277 
1278         /* Serialise link/link calls to prevent parallel calls causing a cycle
1279          * when linking two keyring in opposite orders.
1280          */
1281         if (index_key->type == &key_type_keyring)
1282                 mutex_lock(&keyring_serialise_link_lock);
1283 
1284         return 0;
1285 }
1286 
1287 /*
1288  * Preallocate memory so that a key can be linked into to a keyring.
1289  */
1290 int __key_link_begin(struct key *keyring,
1291                      const struct keyring_index_key *index_key,
1292                      struct assoc_array_edit **_edit)
1293 {
1294         struct assoc_array_edit *edit;
1295         int ret;
1296 
1297         kenter("%d,%s,%s,",
1298                keyring->serial, index_key->type->name, index_key->description);
1299 
1300         BUG_ON(index_key->desc_len == 0);
1301         BUG_ON(*_edit != NULL);
1302 
1303         *_edit = NULL;
1304 
1305         ret = -EKEYREVOKED;
1306         if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1307                 goto error;
1308 
1309         /* Create an edit script that will insert/replace the key in the
1310          * keyring tree.
1311          */
1312         edit = assoc_array_insert(&keyring->keys,
1313                                   &keyring_assoc_array_ops,
1314                                   index_key,
1315                                   NULL);
1316         if (IS_ERR(edit)) {
1317                 ret = PTR_ERR(edit);
1318                 goto error;
1319         }
1320 
1321         /* If we're not replacing a link in-place then we're going to need some
1322          * extra quota.
1323          */
1324         if (!edit->dead_leaf) {
1325                 ret = key_payload_reserve(keyring,
1326                                           keyring->datalen + KEYQUOTA_LINK_BYTES);
1327                 if (ret < 0)
1328                         goto error_cancel;
1329         }
1330 
1331         *_edit = edit;
1332         kleave(" = 0");
1333         return 0;
1334 
1335 error_cancel:
1336         assoc_array_cancel_edit(edit);
1337 error:
1338         kleave(" = %d", ret);
1339         return ret;
1340 }
1341 
1342 /*
1343  * Check already instantiated keys aren't going to be a problem.
1344  *
1345  * The caller must have called __key_link_begin(). Don't need to call this for
1346  * keys that were created since __key_link_begin() was called.
1347  */
1348 int __key_link_check_live_key(struct key *keyring, struct key *key)
1349 {
1350         if (key->type == &key_type_keyring)
1351                 /* check that we aren't going to create a cycle by linking one
1352                  * keyring to another */
1353                 return keyring_detect_cycle(keyring, key);
1354         return 0;
1355 }
1356 
1357 /*
1358  * Link a key into to a keyring.
1359  *
1360  * Must be called with __key_link_begin() having being called.  Discards any
1361  * already extant link to matching key if there is one, so that each keyring
1362  * holds at most one link to any given key of a particular type+description
1363  * combination.
1364  */
1365 void __key_link(struct key *key, struct assoc_array_edit **_edit)
1366 {
1367         __key_get(key);
1368         assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
1369         assoc_array_apply_edit(*_edit);
1370         *_edit = NULL;
1371 }
1372 
1373 /*
1374  * Finish linking a key into to a keyring.
1375  *
1376  * Must be called with __key_link_begin() having being called.
1377  */
1378 void __key_link_end(struct key *keyring,
1379                     const struct keyring_index_key *index_key,
1380                     struct assoc_array_edit *edit)
1381         __releases(&keyring->sem)
1382         __releases(&keyring_serialise_link_lock)
1383 {
1384         BUG_ON(index_key->type == NULL);
1385         kenter("%d,%s,", keyring->serial, index_key->type->name);
1386 
1387         if (edit) {
1388                 if (!edit->dead_leaf) {
1389                         key_payload_reserve(keyring,
1390                                 keyring->datalen - KEYQUOTA_LINK_BYTES);
1391                 }
1392                 assoc_array_cancel_edit(edit);
1393         }
1394         up_write(&keyring->sem);
1395 
1396         if (index_key->type == &key_type_keyring)
1397                 mutex_unlock(&keyring_serialise_link_lock);
1398 }
1399 
1400 /*
1401  * Check addition of keys to restricted keyrings.
1402  */
1403 static int __key_link_check_restriction(struct key *keyring, struct key *key)
1404 {
1405         if (!keyring->restrict_link || !keyring->restrict_link->check)
1406                 return 0;
1407         return keyring->restrict_link->check(keyring, key->type, &key->payload,
1408                                              keyring->restrict_link->key);
1409 }
1410 
1411 /**
1412  * key_link - Link a key to a keyring
1413  * @keyring: The keyring to make the link in.
1414  * @key: The key to link to.
1415  *
1416  * Make a link in a keyring to a key, such that the keyring holds a reference
1417  * on that key and the key can potentially be found by searching that keyring.
1418  *
1419  * This function will write-lock the keyring's semaphore and will consume some
1420  * of the user's key data quota to hold the link.
1421  *
1422  * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
1423  * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
1424  * full, -EDQUOT if there is insufficient key data quota remaining to add
1425  * another link or -ENOMEM if there's insufficient memory.
1426  *
1427  * It is assumed that the caller has checked that it is permitted for a link to
1428  * be made (the keyring should have Write permission and the key Link
1429  * permission).
1430  */
1431 int key_link(struct key *keyring, struct key *key)
1432 {
1433         struct assoc_array_edit *edit = NULL;
1434         int ret;
1435 
1436         kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1437 
1438         key_check(keyring);
1439         key_check(key);
1440 
1441         ret = __key_link_lock(keyring, &key->index_key);
1442         if (ret < 0)
1443                 goto error;
1444 
1445         ret = __key_link_begin(keyring, &key->index_key, &edit);
1446         if (ret < 0)
1447                 goto error_end;
1448 
1449         kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1450         ret = __key_link_check_restriction(keyring, key);
1451         if (ret == 0)
1452                 ret = __key_link_check_live_key(keyring, key);
1453         if (ret == 0)
1454                 __key_link(key, &edit);
1455 
1456 error_end:
1457         __key_link_end(keyring, &key->index_key, edit);
1458 error:
1459         kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage));
1460         return ret;
1461 }
1462 EXPORT_SYMBOL(key_link);
1463 
1464 /*
1465  * Lock a keyring for unlink.
1466  */
1467 static int __key_unlink_lock(struct key *keyring)
1468         __acquires(&keyring->sem)
1469 {
1470         if (keyring->type != &key_type_keyring)
1471                 return -ENOTDIR;
1472 
1473         down_write(&keyring->sem);
1474         return 0;
1475 }
1476 
1477 /*
1478  * Begin the process of unlinking a key from a keyring.
1479  */
1480 static int __key_unlink_begin(struct key *keyring, struct key *key,
1481                               struct assoc_array_edit **_edit)
1482 {
1483         struct assoc_array_edit *edit;
1484 
1485         BUG_ON(*_edit != NULL);
1486         
1487         edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1488                                   &key->index_key);
1489         if (IS_ERR(edit))
1490                 return PTR_ERR(edit);
1491 
1492         if (!edit)
1493                 return -ENOENT;
1494 
1495         *_edit = edit;
1496         return 0;
1497 }
1498 
1499 /*
1500  * Apply an unlink change.
1501  */
1502 static void __key_unlink(struct key *keyring, struct key *key,
1503                          struct assoc_array_edit **_edit)
1504 {
1505         assoc_array_apply_edit(*_edit);
1506         *_edit = NULL;
1507         key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1508 }
1509 
1510 /*
1511  * Finish unlinking a key from to a keyring.
1512  */
1513 static void __key_unlink_end(struct key *keyring,
1514                              struct key *key,
1515                              struct assoc_array_edit *edit)
1516         __releases(&keyring->sem)
1517 {
1518         if (edit)
1519                 assoc_array_cancel_edit(edit);
1520         up_write(&keyring->sem);
1521 }
1522 
1523 /**
1524  * key_unlink - Unlink the first link to a key from a keyring.
1525  * @keyring: The keyring to remove the link from.
1526  * @key: The key the link is to.
1527  *
1528  * Remove a link from a keyring to a key.
1529  *
1530  * This function will write-lock the keyring's semaphore.
1531  *
1532  * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
1533  * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
1534  * memory.
1535  *
1536  * It is assumed that the caller has checked that it is permitted for a link to
1537  * be removed (the keyring should have Write permission; no permissions are
1538  * required on the key).
1539  */
1540 int key_unlink(struct key *keyring, struct key *key)
1541 {
1542         struct assoc_array_edit *edit = NULL;
1543         int ret;
1544 
1545         key_check(keyring);
1546         key_check(key);
1547 
1548         ret = __key_unlink_lock(keyring);
1549         if (ret < 0)
1550                 return ret;
1551 
1552         ret = __key_unlink_begin(keyring, key, &edit);
1553         if (ret == 0)
1554                 __key_unlink(keyring, key, &edit);
1555         __key_unlink_end(keyring, key, edit);
1556         return ret;
1557 }
1558 EXPORT_SYMBOL(key_unlink);
1559 
1560 /**
1561  * key_move - Move a key from one keyring to another
1562  * @key: The key to move
1563  * @from_keyring: The keyring to remove the link from.
1564  * @to_keyring: The keyring to make the link in.
1565  * @flags: Qualifying flags, such as KEYCTL_MOVE_EXCL.
1566  *
1567  * Make a link in @to_keyring to a key, such that the keyring holds a reference
1568  * on that key and the key can potentially be found by searching that keyring
1569  * whilst simultaneously removing a link to the key from @from_keyring.
1570  *
1571  * This function will write-lock both keyring's semaphores and will consume
1572  * some of the user's key data quota to hold the link on @to_keyring.
1573  *
1574  * Returns 0 if successful, -ENOTDIR if either keyring isn't a keyring,
1575  * -EKEYREVOKED if either keyring has been revoked, -ENFILE if the second
1576  * keyring is full, -EDQUOT if there is insufficient key data quota remaining
1577  * to add another link or -ENOMEM if there's insufficient memory.  If
1578  * KEYCTL_MOVE_EXCL is set, then -EEXIST will be returned if there's already a
1579  * matching key in @to_keyring.
1580  *
1581  * It is assumed that the caller has checked that it is permitted for a link to
1582  * be made (the keyring should have Write permission and the key Link
1583  * permission).
1584  */
1585 int key_move(struct key *key,
1586              struct key *from_keyring,
1587              struct key *to_keyring,
1588              unsigned int flags)
1589 {
1590         struct assoc_array_edit *from_edit = NULL, *to_edit = NULL;
1591         int ret;
1592 
1593         kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial);
1594 
1595         if (from_keyring == to_keyring)
1596                 return 0;
1597 
1598         key_check(key);
1599         key_check(from_keyring);
1600         key_check(to_keyring);
1601 
1602         ret = __key_move_lock(from_keyring, to_keyring, &key->index_key);
1603         if (ret < 0)
1604                 goto out;
1605         ret = __key_unlink_begin(from_keyring, key, &from_edit);
1606         if (ret < 0)
1607                 goto error;
1608         ret = __key_link_begin(to_keyring, &key->index_key, &to_edit);
1609         if (ret < 0)
1610                 goto error;
1611 
1612         ret = -EEXIST;
1613         if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL))
1614                 goto error;
1615 
1616         ret = __key_link_check_restriction(to_keyring, key);
1617         if (ret < 0)
1618                 goto error;
1619         ret = __key_link_check_live_key(to_keyring, key);
1620         if (ret < 0)
1621                 goto error;
1622 
1623         __key_unlink(from_keyring, key, &from_edit);
1624         __key_link(key, &to_edit);
1625 error:
1626         __key_link_end(to_keyring, &key->index_key, to_edit);
1627         __key_unlink_end(from_keyring, key, from_edit);
1628 out:
1629         kleave(" = %d", ret);
1630         return ret;
1631 }
1632 EXPORT_SYMBOL(key_move);
1633 
1634 /**
1635  * keyring_clear - Clear a keyring
1636  * @keyring: The keyring to clear.
1637  *
1638  * Clear the contents of the specified keyring.
1639  *
1640  * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
1641  */
1642 int keyring_clear(struct key *keyring)
1643 {
1644         struct assoc_array_edit *edit;
1645         int ret;
1646 
1647         if (keyring->type != &key_type_keyring)
1648                 return -ENOTDIR;
1649 
1650         down_write(&keyring->sem);
1651 
1652         edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1653         if (IS_ERR(edit)) {
1654                 ret = PTR_ERR(edit);
1655         } else {
1656                 if (edit)
1657                         assoc_array_apply_edit(edit);
1658                 key_payload_reserve(keyring, 0);
1659                 ret = 0;
1660         }
1661 
1662         up_write(&keyring->sem);
1663         return ret;
1664 }
1665 EXPORT_SYMBOL(keyring_clear);
1666 
1667 /*
1668  * Dispose of the links from a revoked keyring.
1669  *
1670  * This is called with the key sem write-locked.
1671  */
1672 static void keyring_revoke(struct key *keyring)
1673 {
1674         struct assoc_array_edit *edit;
1675 
1676         edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1677         if (!IS_ERR(edit)) {
1678                 if (edit)
1679                         assoc_array_apply_edit(edit);
1680                 key_payload_reserve(keyring, 0);
1681         }
1682 }
1683 
1684 static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1685 {
1686         struct key *key = keyring_ptr_to_key(object);
1687         time64_t *limit = iterator_data;
1688 
1689         if (key_is_dead(key, *limit))
1690                 return false;
1691         key_get(key);
1692         return true;
1693 }
1694 
1695 static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1696 {
1697         const struct key *key = keyring_ptr_to_key(object);
1698         time64_t *limit = iterator_data;
1699 
1700         key_check(key);
1701         return key_is_dead(key, *limit);
1702 }
1703 
1704 /*
1705  * Garbage collect pointers from a keyring.
1706  *
1707  * Not called with any locks held.  The keyring's key struct will not be
1708  * deallocated under us as only our caller may deallocate it.
1709  */
1710 void keyring_gc(struct key *keyring, time64_t limit)
1711 {
1712         int result;
1713 
1714         kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1715 
1716         if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1717                               (1 << KEY_FLAG_REVOKED)))
1718                 goto dont_gc;
1719 
1720         /* scan the keyring looking for dead keys */
1721         rcu_read_lock();
1722         result = assoc_array_iterate(&keyring->keys,
1723                                      keyring_gc_check_iterator, &limit);
1724         rcu_read_unlock();
1725         if (result == true)
1726                 goto do_gc;
1727 
1728 dont_gc:
1729         kleave(" [no gc]");
1730         return;
1731 
1732 do_gc:
1733         down_write(&keyring->sem);
1734         assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1735                        keyring_gc_select_iterator, &limit);
1736         up_write(&keyring->sem);
1737         kleave(" [gc]");
1738 }
1739 
1740 /*
1741  * Garbage collect restriction pointers from a keyring.
1742  *
1743  * Keyring restrictions are associated with a key type, and must be cleaned
1744  * up if the key type is unregistered. The restriction is altered to always
1745  * reject additional keys so a keyring cannot be opened up by unregistering
1746  * a key type.
1747  *
1748  * Not called with any keyring locks held. The keyring's key struct will not
1749  * be deallocated under us as only our caller may deallocate it.
1750  *
1751  * The caller is required to hold key_types_sem and dead_type->sem. This is
1752  * fulfilled by key_gc_keytype() holding the locks on behalf of
1753  * key_garbage_collector(), which it invokes on a workqueue.
1754  */
1755 void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type)
1756 {
1757         struct key_restriction *keyres;
1758 
1759         kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1760 
1761         /*
1762          * keyring->restrict_link is only assigned at key allocation time
1763          * or with the key type locked, so the only values that could be
1764          * concurrently assigned to keyring->restrict_link are for key
1765          * types other than dead_type. Given this, it's ok to check
1766          * the key type before acquiring keyring->sem.
1767          */
1768         if (!dead_type || !keyring->restrict_link ||
1769             keyring->restrict_link->keytype != dead_type) {
1770                 kleave(" [no restriction gc]");
1771                 return;
1772         }
1773 
1774         /* Lock the keyring to ensure that a link is not in progress */
1775         down_write(&keyring->sem);
1776 
1777         keyres = keyring->restrict_link;
1778 
1779         keyres->check = restrict_link_reject;
1780 
1781         key_put(keyres->key);
1782         keyres->key = NULL;
1783         keyres->keytype = NULL;
1784 
1785         up_write(&keyring->sem);
1786 
1787         kleave(" [restriction gc]");
1788 }

/* [<][>][^][v][top][bottom][index][help] */