This source file includes following definitions.
- keyring_ptr_is_keyring
- keyring_ptr_to_key
- keyring_key_to_ptr
- key_free_user_ns
- keyring_publish_name
- keyring_preparse
- keyring_free_preparse
- keyring_instantiate
- mult_64x32_and_fold
- hash_key_type_and_desc
- key_set_index_key
- key_put_tag
- key_remove_domain
- keyring_get_key_chunk
- keyring_get_object_key_chunk
- keyring_compare_object
- keyring_diff_objects
- keyring_free_object
- keyring_destroy
- keyring_describe
- keyring_read_iterator
- keyring_read
- keyring_alloc
- restrict_link_reject
- key_default_cmp
- keyring_search_iterator
- search_keyring
- search_nested_keyrings
- keyring_search_rcu
- keyring_search
- keyring_restriction_alloc
- keyring_detect_restriction_cycle
- keyring_restrict
- find_key_to_update
- find_keyring_by_name
- keyring_detect_cycle_iterator
- keyring_detect_cycle
- __key_link_lock
- __key_move_lock
- __key_link_begin
- __key_link_check_live_key
- __key_link
- __key_link_end
- __key_link_check_restriction
- key_link
- __key_unlink_lock
- __key_unlink_begin
- __key_unlink
- __key_unlink_end
- key_unlink
- key_move
- keyring_clear
- keyring_revoke
- keyring_gc_select_iterator
- keyring_gc_check_iterator
- keyring_gc
- keyring_restriction_gc
1
2
3
4
5
6
7
8 #include <linux/export.h>
9 #include <linux/init.h>
10 #include <linux/sched.h>
11 #include <linux/slab.h>
12 #include <linux/security.h>
13 #include <linux/seq_file.h>
14 #include <linux/err.h>
15 #include <linux/user_namespace.h>
16 #include <linux/nsproxy.h>
17 #include <keys/keyring-type.h>
18 #include <keys/user-type.h>
19 #include <linux/assoc_array_priv.h>
20 #include <linux/uaccess.h>
21 #include <net/net_namespace.h>
22 #include "internal.h"
23
24
25
26
27
28 #define KEYRING_SEARCH_MAX_DEPTH 6
29
30
31
32
33
34 #define KEYRING_PTR_SUBTYPE 0x2UL
35
36 static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
37 {
38 return (unsigned long)x & KEYRING_PTR_SUBTYPE;
39 }
40 static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
41 {
42 void *object = assoc_array_ptr_to_leaf(x);
43 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
44 }
45 static inline void *keyring_key_to_ptr(struct key *key)
46 {
47 if (key->type == &key_type_keyring)
48 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
49 return key;
50 }
51
52 static DEFINE_RWLOCK(keyring_name_lock);
53
54
55
56
57 void key_free_user_ns(struct user_namespace *ns)
58 {
59 write_lock(&keyring_name_lock);
60 list_del_init(&ns->keyring_name_list);
61 write_unlock(&keyring_name_lock);
62
63 key_put(ns->user_keyring_register);
64 #ifdef CONFIG_PERSISTENT_KEYRINGS
65 key_put(ns->persistent_keyring_register);
66 #endif
67 }
68
69
70
71
72
73
74 static int keyring_preparse(struct key_preparsed_payload *prep);
75 static void keyring_free_preparse(struct key_preparsed_payload *prep);
76 static int keyring_instantiate(struct key *keyring,
77 struct key_preparsed_payload *prep);
78 static void keyring_revoke(struct key *keyring);
79 static void keyring_destroy(struct key *keyring);
80 static void keyring_describe(const struct key *keyring, struct seq_file *m);
81 static long keyring_read(const struct key *keyring,
82 char __user *buffer, size_t buflen);
83
84 struct key_type key_type_keyring = {
85 .name = "keyring",
86 .def_datalen = 0,
87 .preparse = keyring_preparse,
88 .free_preparse = keyring_free_preparse,
89 .instantiate = keyring_instantiate,
90 .revoke = keyring_revoke,
91 .destroy = keyring_destroy,
92 .describe = keyring_describe,
93 .read = keyring_read,
94 };
95 EXPORT_SYMBOL(key_type_keyring);
96
97
98
99
100
101 static DEFINE_MUTEX(keyring_serialise_link_lock);
102
103
104
105
106
107 static void keyring_publish_name(struct key *keyring)
108 {
109 struct user_namespace *ns = current_user_ns();
110
111 if (keyring->description &&
112 keyring->description[0] &&
113 keyring->description[0] != '.') {
114 write_lock(&keyring_name_lock);
115 list_add_tail(&keyring->name_link, &ns->keyring_name_list);
116 write_unlock(&keyring_name_lock);
117 }
118 }
119
120
121
122
123 static int keyring_preparse(struct key_preparsed_payload *prep)
124 {
125 return prep->datalen != 0 ? -EINVAL : 0;
126 }
127
128
129
130
131 static void keyring_free_preparse(struct key_preparsed_payload *prep)
132 {
133 }
134
135
136
137
138
139
140 static int keyring_instantiate(struct key *keyring,
141 struct key_preparsed_payload *prep)
142 {
143 assoc_array_init(&keyring->keys);
144
145 keyring_publish_name(keyring);
146 return 0;
147 }
148
149
150
151
152
153 static u64 mult_64x32_and_fold(u64 x, u32 y)
154 {
155 u64 hi = (u64)(u32)(x >> 32) * y;
156 u64 lo = (u64)(u32)(x) * y;
157 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
158 }
159
160
161
162
163 static void hash_key_type_and_desc(struct keyring_index_key *index_key)
164 {
165 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
166 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
167 const char *description = index_key->description;
168 unsigned long hash, type;
169 u32 piece;
170 u64 acc;
171 int n, desc_len = index_key->desc_len;
172
173 type = (unsigned long)index_key->type;
174 acc = mult_64x32_and_fold(type, desc_len + 13);
175 acc = mult_64x32_and_fold(acc, 9207);
176 piece = (unsigned long)index_key->domain_tag;
177 acc = mult_64x32_and_fold(acc, piece);
178 acc = mult_64x32_and_fold(acc, 9207);
179
180 for (;;) {
181 n = desc_len;
182 if (n <= 0)
183 break;
184 if (n > 4)
185 n = 4;
186 piece = 0;
187 memcpy(&piece, description, n);
188 description += n;
189 desc_len -= n;
190 acc = mult_64x32_and_fold(acc, piece);
191 acc = mult_64x32_and_fold(acc, 9207);
192 }
193
194
195 hash = acc;
196 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
197 hash ^= acc >> 32;
198
199
200
201
202
203 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
204 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
205 else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
206 hash = (hash + (hash << level_shift)) & ~fan_mask;
207 index_key->hash = hash;
208 }
209
210
211
212
213
214 void key_set_index_key(struct keyring_index_key *index_key)
215 {
216 static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), };
217 size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc));
218
219 memcpy(index_key->desc, index_key->description, n);
220
221 if (!index_key->domain_tag) {
222 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN)
223 index_key->domain_tag = current->nsproxy->net_ns->key_domain;
224 else
225 index_key->domain_tag = &default_domain_tag;
226 }
227
228 hash_key_type_and_desc(index_key);
229 }
230
231
232
233
234
235
236
237
238 bool key_put_tag(struct key_tag *tag)
239 {
240 if (refcount_dec_and_test(&tag->usage)) {
241 kfree_rcu(tag, rcu);
242 return true;
243 }
244
245 return false;
246 }
247
248
249
250
251
252
253
254
255
256 void key_remove_domain(struct key_tag *domain_tag)
257 {
258 domain_tag->removed = true;
259 if (!key_put_tag(domain_tag))
260 key_schedule_gc_links();
261 }
262
263
264
265
266
267
268 static unsigned long keyring_get_key_chunk(const void *data, int level)
269 {
270 const struct keyring_index_key *index_key = data;
271 unsigned long chunk = 0;
272 const u8 *d;
273 int desc_len = index_key->desc_len, n = sizeof(chunk);
274
275 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
276 switch (level) {
277 case 0:
278 return index_key->hash;
279 case 1:
280 return index_key->x;
281 case 2:
282 return (unsigned long)index_key->type;
283 case 3:
284 return (unsigned long)index_key->domain_tag;
285 default:
286 level -= 4;
287 if (desc_len <= sizeof(index_key->desc))
288 return 0;
289
290 d = index_key->description + sizeof(index_key->desc);
291 d += level * sizeof(long);
292 desc_len -= sizeof(index_key->desc);
293 if (desc_len > n)
294 desc_len = n;
295 do {
296 chunk <<= 8;
297 chunk |= *d++;
298 } while (--desc_len > 0);
299 return chunk;
300 }
301 }
302
303 static unsigned long keyring_get_object_key_chunk(const void *object, int level)
304 {
305 const struct key *key = keyring_ptr_to_key(object);
306 return keyring_get_key_chunk(&key->index_key, level);
307 }
308
309 static bool keyring_compare_object(const void *object, const void *data)
310 {
311 const struct keyring_index_key *index_key = data;
312 const struct key *key = keyring_ptr_to_key(object);
313
314 return key->index_key.type == index_key->type &&
315 key->index_key.domain_tag == index_key->domain_tag &&
316 key->index_key.desc_len == index_key->desc_len &&
317 memcmp(key->index_key.description, index_key->description,
318 index_key->desc_len) == 0;
319 }
320
321
322
323
324
325 static int keyring_diff_objects(const void *object, const void *data)
326 {
327 const struct key *key_a = keyring_ptr_to_key(object);
328 const struct keyring_index_key *a = &key_a->index_key;
329 const struct keyring_index_key *b = data;
330 unsigned long seg_a, seg_b;
331 int level, i;
332
333 level = 0;
334 seg_a = a->hash;
335 seg_b = b->hash;
336 if ((seg_a ^ seg_b) != 0)
337 goto differ;
338 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
339
340
341
342
343
344 seg_a = a->x;
345 seg_b = b->x;
346 if ((seg_a ^ seg_b) != 0)
347 goto differ;
348 level += sizeof(unsigned long);
349
350
351 seg_a = (unsigned long)a->type;
352 seg_b = (unsigned long)b->type;
353 if ((seg_a ^ seg_b) != 0)
354 goto differ;
355 level += sizeof(unsigned long);
356
357 seg_a = (unsigned long)a->domain_tag;
358 seg_b = (unsigned long)b->domain_tag;
359 if ((seg_a ^ seg_b) != 0)
360 goto differ;
361 level += sizeof(unsigned long);
362
363 i = sizeof(a->desc);
364 if (a->desc_len <= i)
365 goto same;
366
367 for (; i < a->desc_len; i++) {
368 seg_a = *(unsigned char *)(a->description + i);
369 seg_b = *(unsigned char *)(b->description + i);
370 if ((seg_a ^ seg_b) != 0)
371 goto differ_plus_i;
372 }
373
374 same:
375 return -1;
376
377 differ_plus_i:
378 level += i;
379 differ:
380 i = level * 8 + __ffs(seg_a ^ seg_b);
381 return i;
382 }
383
384
385
386
387 static void keyring_free_object(void *object)
388 {
389 key_put(keyring_ptr_to_key(object));
390 }
391
392
393
394
395 static const struct assoc_array_ops keyring_assoc_array_ops = {
396 .get_key_chunk = keyring_get_key_chunk,
397 .get_object_key_chunk = keyring_get_object_key_chunk,
398 .compare_object = keyring_compare_object,
399 .diff_objects = keyring_diff_objects,
400 .free_object = keyring_free_object,
401 };
402
403
404
405
406
407
408
409
410
411
412 static void keyring_destroy(struct key *keyring)
413 {
414 if (keyring->description) {
415 write_lock(&keyring_name_lock);
416
417 if (keyring->name_link.next != NULL &&
418 !list_empty(&keyring->name_link))
419 list_del(&keyring->name_link);
420
421 write_unlock(&keyring_name_lock);
422 }
423
424 if (keyring->restrict_link) {
425 struct key_restriction *keyres = keyring->restrict_link;
426
427 key_put(keyres->key);
428 kfree(keyres);
429 }
430
431 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
432 }
433
434
435
436
437 static void keyring_describe(const struct key *keyring, struct seq_file *m)
438 {
439 if (keyring->description)
440 seq_puts(m, keyring->description);
441 else
442 seq_puts(m, "[anon]");
443
444 if (key_is_positive(keyring)) {
445 if (keyring->keys.nr_leaves_on_tree != 0)
446 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
447 else
448 seq_puts(m, ": empty");
449 }
450 }
451
452 struct keyring_read_iterator_context {
453 size_t buflen;
454 size_t count;
455 key_serial_t __user *buffer;
456 };
457
458 static int keyring_read_iterator(const void *object, void *data)
459 {
460 struct keyring_read_iterator_context *ctx = data;
461 const struct key *key = keyring_ptr_to_key(object);
462
463 kenter("{%s,%d},,{%zu/%zu}",
464 key->type->name, key->serial, ctx->count, ctx->buflen);
465
466 if (ctx->count >= ctx->buflen)
467 return 1;
468
469 *ctx->buffer++ = key->serial;
470 ctx->count += sizeof(key->serial);
471 return 0;
472 }
473
474
475
476
477
478
479
480
481 static long keyring_read(const struct key *keyring,
482 char __user *buffer, size_t buflen)
483 {
484 struct keyring_read_iterator_context ctx;
485 long ret;
486
487 kenter("{%d},,%zu", key_serial(keyring), buflen);
488
489 if (buflen & (sizeof(key_serial_t) - 1))
490 return -EINVAL;
491
492
493 if (buffer && buflen) {
494 ctx.buffer = (key_serial_t __user *)buffer;
495 ctx.buflen = buflen;
496 ctx.count = 0;
497 ret = assoc_array_iterate(&keyring->keys,
498 keyring_read_iterator, &ctx);
499 if (ret < 0) {
500 kleave(" = %ld [iterate]", ret);
501 return ret;
502 }
503 }
504
505
506 ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
507 if (ret <= buflen)
508 kleave("= %ld [ok]", ret);
509 else
510 kleave("= %ld [buffer too small]", ret);
511 return ret;
512 }
513
514
515
516
517 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
518 const struct cred *cred, key_perm_t perm,
519 unsigned long flags,
520 struct key_restriction *restrict_link,
521 struct key *dest)
522 {
523 struct key *keyring;
524 int ret;
525
526 keyring = key_alloc(&key_type_keyring, description,
527 uid, gid, cred, perm, flags, restrict_link);
528 if (!IS_ERR(keyring)) {
529 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
530 if (ret < 0) {
531 key_put(keyring);
532 keyring = ERR_PTR(ret);
533 }
534 }
535
536 return keyring;
537 }
538 EXPORT_SYMBOL(keyring_alloc);
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554 int restrict_link_reject(struct key *keyring,
555 const struct key_type *type,
556 const union key_payload *payload,
557 struct key *restriction_key)
558 {
559 return -EPERM;
560 }
561
562
563
564
565 bool key_default_cmp(const struct key *key,
566 const struct key_match_data *match_data)
567 {
568 return strcmp(key->description, match_data->raw_data) == 0;
569 }
570
571
572
573
574 static int keyring_search_iterator(const void *object, void *iterator_data)
575 {
576 struct keyring_search_context *ctx = iterator_data;
577 const struct key *key = keyring_ptr_to_key(object);
578 unsigned long kflags = READ_ONCE(key->flags);
579 short state = READ_ONCE(key->state);
580
581 kenter("{%d}", key->serial);
582
583
584 if (key->type != ctx->index_key.type) {
585 kleave(" = 0 [!type]");
586 return 0;
587 }
588
589
590 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
591 time64_t expiry = READ_ONCE(key->expiry);
592
593 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
594 (1 << KEY_FLAG_REVOKED))) {
595 ctx->result = ERR_PTR(-EKEYREVOKED);
596 kleave(" = %d [invrev]", ctx->skipped_ret);
597 goto skipped;
598 }
599
600 if (expiry && ctx->now >= expiry) {
601 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED))
602 ctx->result = ERR_PTR(-EKEYEXPIRED);
603 kleave(" = %d [expire]", ctx->skipped_ret);
604 goto skipped;
605 }
606 }
607
608
609 if (!ctx->match_data.cmp(key, &ctx->match_data)) {
610 kleave(" = 0 [!match]");
611 return 0;
612 }
613
614
615 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
616 key_task_permission(make_key_ref(key, ctx->possessed),
617 ctx->cred, KEY_NEED_SEARCH) < 0) {
618 ctx->result = ERR_PTR(-EACCES);
619 kleave(" = %d [!perm]", ctx->skipped_ret);
620 goto skipped;
621 }
622
623 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
624
625 if (state < 0) {
626 ctx->result = ERR_PTR(state);
627 kleave(" = %d [neg]", ctx->skipped_ret);
628 goto skipped;
629 }
630 }
631
632
633 ctx->result = make_key_ref(key, ctx->possessed);
634 kleave(" = 1 [found]");
635 return 1;
636
637 skipped:
638 return ctx->skipped_ret;
639 }
640
641
642
643
644
645
646 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
647 {
648 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) {
649 const void *object;
650
651 object = assoc_array_find(&keyring->keys,
652 &keyring_assoc_array_ops,
653 &ctx->index_key);
654 return object ? ctx->iterator(object, ctx) : 0;
655 }
656 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
657 }
658
659
660
661
662
663 static bool search_nested_keyrings(struct key *keyring,
664 struct keyring_search_context *ctx)
665 {
666 struct {
667 struct key *keyring;
668 struct assoc_array_node *node;
669 int slot;
670 } stack[KEYRING_SEARCH_MAX_DEPTH];
671
672 struct assoc_array_shortcut *shortcut;
673 struct assoc_array_node *node;
674 struct assoc_array_ptr *ptr;
675 struct key *key;
676 int sp = 0, slot;
677
678 kenter("{%d},{%s,%s}",
679 keyring->serial,
680 ctx->index_key.type->name,
681 ctx->index_key.description);
682
683 #define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
684 BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
685 (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
686
687 if (ctx->index_key.description)
688 key_set_index_key(&ctx->index_key);
689
690
691
692
693 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
694 keyring_compare_object(keyring, &ctx->index_key)) {
695 ctx->skipped_ret = 2;
696 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
697 case 1:
698 goto found;
699 case 2:
700 return false;
701 default:
702 break;
703 }
704 }
705
706 ctx->skipped_ret = 0;
707
708
709 descend_to_keyring:
710 kdebug("descend to %d", keyring->serial);
711 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
712 (1 << KEY_FLAG_REVOKED)))
713 goto not_this_keyring;
714
715
716
717
718 if (search_keyring(keyring, ctx))
719 goto found;
720
721
722
723
724
725
726
727
728
729 if (!(ctx->flags & KEYRING_SEARCH_RECURSE))
730 goto not_this_keyring;
731
732 ptr = READ_ONCE(keyring->keys.root);
733 if (!ptr)
734 goto not_this_keyring;
735
736 if (assoc_array_ptr_is_shortcut(ptr)) {
737
738
739
740
741 shortcut = assoc_array_ptr_to_shortcut(ptr);
742 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
743 goto not_this_keyring;
744
745 ptr = READ_ONCE(shortcut->next_node);
746 node = assoc_array_ptr_to_node(ptr);
747 goto begin_node;
748 }
749
750 node = assoc_array_ptr_to_node(ptr);
751 ptr = node->slots[0];
752 if (!assoc_array_ptr_is_meta(ptr))
753 goto begin_node;
754
755 descend_to_node:
756
757
758
759 kdebug("descend");
760 if (assoc_array_ptr_is_shortcut(ptr)) {
761 shortcut = assoc_array_ptr_to_shortcut(ptr);
762 ptr = READ_ONCE(shortcut->next_node);
763 BUG_ON(!assoc_array_ptr_is_node(ptr));
764 }
765 node = assoc_array_ptr_to_node(ptr);
766
767 begin_node:
768 kdebug("begin_node");
769 slot = 0;
770 ascend_to_node:
771
772 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
773 ptr = READ_ONCE(node->slots[slot]);
774
775 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
776 goto descend_to_node;
777
778 if (!keyring_ptr_is_keyring(ptr))
779 continue;
780
781 key = keyring_ptr_to_key(ptr);
782
783 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
784 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
785 ctx->result = ERR_PTR(-ELOOP);
786 return false;
787 }
788 goto not_this_keyring;
789 }
790
791
792 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
793 key_task_permission(make_key_ref(key, ctx->possessed),
794 ctx->cred, KEY_NEED_SEARCH) < 0)
795 continue;
796
797
798 stack[sp].keyring = keyring;
799 stack[sp].node = node;
800 stack[sp].slot = slot;
801 sp++;
802
803
804 keyring = key;
805 goto descend_to_keyring;
806 }
807
808
809
810
811 ptr = READ_ONCE(node->back_pointer);
812 slot = node->parent_slot;
813
814 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
815 shortcut = assoc_array_ptr_to_shortcut(ptr);
816 ptr = READ_ONCE(shortcut->back_pointer);
817 slot = shortcut->parent_slot;
818 }
819 if (!ptr)
820 goto not_this_keyring;
821 node = assoc_array_ptr_to_node(ptr);
822 slot++;
823
824
825
826
827
828 if (node->back_pointer) {
829 kdebug("ascend %d", slot);
830 goto ascend_to_node;
831 }
832
833
834
835
836 not_this_keyring:
837 kdebug("not_this_keyring %d", sp);
838 if (sp <= 0) {
839 kleave(" = false");
840 return false;
841 }
842
843
844 sp--;
845 keyring = stack[sp].keyring;
846 node = stack[sp].node;
847 slot = stack[sp].slot + 1;
848 kdebug("ascend to %d [%d]", keyring->serial, slot);
849 goto ascend_to_node;
850
851
852 found:
853 key = key_ref_to_ptr(ctx->result);
854 key_check(key);
855 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
856 key->last_used_at = ctx->now;
857 keyring->last_used_at = ctx->now;
858 while (sp > 0)
859 stack[--sp].keyring->last_used_at = ctx->now;
860 }
861 kleave(" = true");
862 return true;
863 }
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899 key_ref_t keyring_search_rcu(key_ref_t keyring_ref,
900 struct keyring_search_context *ctx)
901 {
902 struct key *keyring;
903 long err;
904
905 ctx->iterator = keyring_search_iterator;
906 ctx->possessed = is_key_possessed(keyring_ref);
907 ctx->result = ERR_PTR(-EAGAIN);
908
909 keyring = key_ref_to_ptr(keyring_ref);
910 key_check(keyring);
911
912 if (keyring->type != &key_type_keyring)
913 return ERR_PTR(-ENOTDIR);
914
915 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
916 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
917 if (err < 0)
918 return ERR_PTR(err);
919 }
920
921 ctx->now = ktime_get_real_seconds();
922 if (search_nested_keyrings(keyring, ctx))
923 __key_get(key_ref_to_ptr(ctx->result));
924 return ctx->result;
925 }
926
927
928
929
930
931
932
933
934
935
936
937 key_ref_t keyring_search(key_ref_t keyring,
938 struct key_type *type,
939 const char *description,
940 bool recurse)
941 {
942 struct keyring_search_context ctx = {
943 .index_key.type = type,
944 .index_key.description = description,
945 .index_key.desc_len = strlen(description),
946 .cred = current_cred(),
947 .match_data.cmp = key_default_cmp,
948 .match_data.raw_data = description,
949 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
950 .flags = KEYRING_SEARCH_DO_STATE_CHECK,
951 };
952 key_ref_t key;
953 int ret;
954
955 if (recurse)
956 ctx.flags |= KEYRING_SEARCH_RECURSE;
957 if (type->match_preparse) {
958 ret = type->match_preparse(&ctx.match_data);
959 if (ret < 0)
960 return ERR_PTR(ret);
961 }
962
963 rcu_read_lock();
964 key = keyring_search_rcu(keyring, &ctx);
965 rcu_read_unlock();
966
967 if (type->match_free)
968 type->match_free(&ctx.match_data);
969 return key;
970 }
971 EXPORT_SYMBOL(keyring_search);
972
973 static struct key_restriction *keyring_restriction_alloc(
974 key_restrict_link_func_t check)
975 {
976 struct key_restriction *keyres =
977 kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
978
979 if (!keyres)
980 return ERR_PTR(-ENOMEM);
981
982 keyres->check = check;
983
984 return keyres;
985 }
986
987
988
989
990
991 static DECLARE_RWSEM(keyring_serialise_restrict_sem);
992
993
994
995
996
997 static bool keyring_detect_restriction_cycle(const struct key *dest_keyring,
998 struct key_restriction *keyres)
999 {
1000 while (keyres && keyres->key &&
1001 keyres->key->type == &key_type_keyring) {
1002 if (keyres->key == dest_keyring)
1003 return true;
1004
1005 keyres = keyres->key->restrict_link;
1006 }
1007
1008 return false;
1009 }
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021 int keyring_restrict(key_ref_t keyring_ref, const char *type,
1022 const char *restriction)
1023 {
1024 struct key *keyring;
1025 struct key_type *restrict_type = NULL;
1026 struct key_restriction *restrict_link;
1027 int ret = 0;
1028
1029 keyring = key_ref_to_ptr(keyring_ref);
1030 key_check(keyring);
1031
1032 if (keyring->type != &key_type_keyring)
1033 return -ENOTDIR;
1034
1035 if (!type) {
1036 restrict_link = keyring_restriction_alloc(restrict_link_reject);
1037 } else {
1038 restrict_type = key_type_lookup(type);
1039
1040 if (IS_ERR(restrict_type))
1041 return PTR_ERR(restrict_type);
1042
1043 if (!restrict_type->lookup_restriction) {
1044 ret = -ENOENT;
1045 goto error;
1046 }
1047
1048 restrict_link = restrict_type->lookup_restriction(restriction);
1049 }
1050
1051 if (IS_ERR(restrict_link)) {
1052 ret = PTR_ERR(restrict_link);
1053 goto error;
1054 }
1055
1056 down_write(&keyring->sem);
1057 down_write(&keyring_serialise_restrict_sem);
1058
1059 if (keyring->restrict_link)
1060 ret = -EEXIST;
1061 else if (keyring_detect_restriction_cycle(keyring, restrict_link))
1062 ret = -EDEADLK;
1063 else
1064 keyring->restrict_link = restrict_link;
1065
1066 up_write(&keyring_serialise_restrict_sem);
1067 up_write(&keyring->sem);
1068
1069 if (ret < 0) {
1070 key_put(restrict_link->key);
1071 kfree(restrict_link);
1072 }
1073
1074 error:
1075 if (restrict_type)
1076 key_type_put(restrict_type);
1077
1078 return ret;
1079 }
1080 EXPORT_SYMBOL(keyring_restrict);
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096 key_ref_t find_key_to_update(key_ref_t keyring_ref,
1097 const struct keyring_index_key *index_key)
1098 {
1099 struct key *keyring, *key;
1100 const void *object;
1101
1102 keyring = key_ref_to_ptr(keyring_ref);
1103
1104 kenter("{%d},{%s,%s}",
1105 keyring->serial, index_key->type->name, index_key->description);
1106
1107 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
1108 index_key);
1109
1110 if (object)
1111 goto found;
1112
1113 kleave(" = NULL");
1114 return NULL;
1115
1116 found:
1117 key = keyring_ptr_to_key(object);
1118 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
1119 (1 << KEY_FLAG_REVOKED))) {
1120 kleave(" = NULL [x]");
1121 return NULL;
1122 }
1123 __key_get(key);
1124 kleave(" = {%d}", key->serial);
1125 return make_key_ref(key, is_key_possessed(keyring_ref));
1126 }
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139 struct key *find_keyring_by_name(const char *name, bool uid_keyring)
1140 {
1141 struct user_namespace *ns = current_user_ns();
1142 struct key *keyring;
1143
1144 if (!name)
1145 return ERR_PTR(-EINVAL);
1146
1147 read_lock(&keyring_name_lock);
1148
1149
1150
1151
1152 list_for_each_entry(keyring, &ns->keyring_name_list, name_link) {
1153 if (!kuid_has_mapping(ns, keyring->user->uid))
1154 continue;
1155
1156 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1157 continue;
1158
1159 if (strcmp(keyring->description, name) != 0)
1160 continue;
1161
1162 if (uid_keyring) {
1163 if (!test_bit(KEY_FLAG_UID_KEYRING,
1164 &keyring->flags))
1165 continue;
1166 } else {
1167 if (key_permission(make_key_ref(keyring, 0),
1168 KEY_NEED_SEARCH) < 0)
1169 continue;
1170 }
1171
1172
1173
1174
1175 if (!refcount_inc_not_zero(&keyring->usage))
1176 continue;
1177 keyring->last_used_at = ktime_get_real_seconds();
1178 goto out;
1179 }
1180
1181 keyring = ERR_PTR(-ENOKEY);
1182 out:
1183 read_unlock(&keyring_name_lock);
1184 return keyring;
1185 }
1186
1187 static int keyring_detect_cycle_iterator(const void *object,
1188 void *iterator_data)
1189 {
1190 struct keyring_search_context *ctx = iterator_data;
1191 const struct key *key = keyring_ptr_to_key(object);
1192
1193 kenter("{%d}", key->serial);
1194
1195
1196
1197 if (key != ctx->match_data.raw_data)
1198 return 0;
1199
1200 ctx->result = ERR_PTR(-EDEADLK);
1201 return 1;
1202 }
1203
1204
1205
1206
1207
1208
1209
1210
1211 static int keyring_detect_cycle(struct key *A, struct key *B)
1212 {
1213 struct keyring_search_context ctx = {
1214 .index_key = A->index_key,
1215 .match_data.raw_data = A,
1216 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
1217 .iterator = keyring_detect_cycle_iterator,
1218 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
1219 KEYRING_SEARCH_NO_UPDATE_TIME |
1220 KEYRING_SEARCH_NO_CHECK_PERM |
1221 KEYRING_SEARCH_DETECT_TOO_DEEP |
1222 KEYRING_SEARCH_RECURSE),
1223 };
1224
1225 rcu_read_lock();
1226 search_nested_keyrings(B, &ctx);
1227 rcu_read_unlock();
1228 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
1229 }
1230
1231
1232
1233
1234 int __key_link_lock(struct key *keyring,
1235 const struct keyring_index_key *index_key)
1236 __acquires(&keyring->sem)
1237 __acquires(&keyring_serialise_link_lock)
1238 {
1239 if (keyring->type != &key_type_keyring)
1240 return -ENOTDIR;
1241
1242 down_write(&keyring->sem);
1243
1244
1245
1246
1247 if (index_key->type == &key_type_keyring)
1248 mutex_lock(&keyring_serialise_link_lock);
1249
1250 return 0;
1251 }
1252
1253
1254
1255
1256 int __key_move_lock(struct key *l_keyring, struct key *u_keyring,
1257 const struct keyring_index_key *index_key)
1258 __acquires(&l_keyring->sem)
1259 __acquires(&u_keyring->sem)
1260 __acquires(&keyring_serialise_link_lock)
1261 {
1262 if (l_keyring->type != &key_type_keyring ||
1263 u_keyring->type != &key_type_keyring)
1264 return -ENOTDIR;
1265
1266
1267
1268
1269
1270 if (l_keyring < u_keyring) {
1271 down_write(&l_keyring->sem);
1272 down_write_nested(&u_keyring->sem, 1);
1273 } else {
1274 down_write(&u_keyring->sem);
1275 down_write_nested(&l_keyring->sem, 1);
1276 }
1277
1278
1279
1280
1281 if (index_key->type == &key_type_keyring)
1282 mutex_lock(&keyring_serialise_link_lock);
1283
1284 return 0;
1285 }
1286
1287
1288
1289
1290 int __key_link_begin(struct key *keyring,
1291 const struct keyring_index_key *index_key,
1292 struct assoc_array_edit **_edit)
1293 {
1294 struct assoc_array_edit *edit;
1295 int ret;
1296
1297 kenter("%d,%s,%s,",
1298 keyring->serial, index_key->type->name, index_key->description);
1299
1300 BUG_ON(index_key->desc_len == 0);
1301 BUG_ON(*_edit != NULL);
1302
1303 *_edit = NULL;
1304
1305 ret = -EKEYREVOKED;
1306 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1307 goto error;
1308
1309
1310
1311
1312 edit = assoc_array_insert(&keyring->keys,
1313 &keyring_assoc_array_ops,
1314 index_key,
1315 NULL);
1316 if (IS_ERR(edit)) {
1317 ret = PTR_ERR(edit);
1318 goto error;
1319 }
1320
1321
1322
1323
1324 if (!edit->dead_leaf) {
1325 ret = key_payload_reserve(keyring,
1326 keyring->datalen + KEYQUOTA_LINK_BYTES);
1327 if (ret < 0)
1328 goto error_cancel;
1329 }
1330
1331 *_edit = edit;
1332 kleave(" = 0");
1333 return 0;
1334
1335 error_cancel:
1336 assoc_array_cancel_edit(edit);
1337 error:
1338 kleave(" = %d", ret);
1339 return ret;
1340 }
1341
1342
1343
1344
1345
1346
1347
1348 int __key_link_check_live_key(struct key *keyring, struct key *key)
1349 {
1350 if (key->type == &key_type_keyring)
1351
1352
1353 return keyring_detect_cycle(keyring, key);
1354 return 0;
1355 }
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365 void __key_link(struct key *key, struct assoc_array_edit **_edit)
1366 {
1367 __key_get(key);
1368 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
1369 assoc_array_apply_edit(*_edit);
1370 *_edit = NULL;
1371 }
1372
1373
1374
1375
1376
1377
1378 void __key_link_end(struct key *keyring,
1379 const struct keyring_index_key *index_key,
1380 struct assoc_array_edit *edit)
1381 __releases(&keyring->sem)
1382 __releases(&keyring_serialise_link_lock)
1383 {
1384 BUG_ON(index_key->type == NULL);
1385 kenter("%d,%s,", keyring->serial, index_key->type->name);
1386
1387 if (edit) {
1388 if (!edit->dead_leaf) {
1389 key_payload_reserve(keyring,
1390 keyring->datalen - KEYQUOTA_LINK_BYTES);
1391 }
1392 assoc_array_cancel_edit(edit);
1393 }
1394 up_write(&keyring->sem);
1395
1396 if (index_key->type == &key_type_keyring)
1397 mutex_unlock(&keyring_serialise_link_lock);
1398 }
1399
1400
1401
1402
1403 static int __key_link_check_restriction(struct key *keyring, struct key *key)
1404 {
1405 if (!keyring->restrict_link || !keyring->restrict_link->check)
1406 return 0;
1407 return keyring->restrict_link->check(keyring, key->type, &key->payload,
1408 keyring->restrict_link->key);
1409 }
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431 int key_link(struct key *keyring, struct key *key)
1432 {
1433 struct assoc_array_edit *edit = NULL;
1434 int ret;
1435
1436 kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1437
1438 key_check(keyring);
1439 key_check(key);
1440
1441 ret = __key_link_lock(keyring, &key->index_key);
1442 if (ret < 0)
1443 goto error;
1444
1445 ret = __key_link_begin(keyring, &key->index_key, &edit);
1446 if (ret < 0)
1447 goto error_end;
1448
1449 kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1450 ret = __key_link_check_restriction(keyring, key);
1451 if (ret == 0)
1452 ret = __key_link_check_live_key(keyring, key);
1453 if (ret == 0)
1454 __key_link(key, &edit);
1455
1456 error_end:
1457 __key_link_end(keyring, &key->index_key, edit);
1458 error:
1459 kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage));
1460 return ret;
1461 }
1462 EXPORT_SYMBOL(key_link);
1463
1464
1465
1466
1467 static int __key_unlink_lock(struct key *keyring)
1468 __acquires(&keyring->sem)
1469 {
1470 if (keyring->type != &key_type_keyring)
1471 return -ENOTDIR;
1472
1473 down_write(&keyring->sem);
1474 return 0;
1475 }
1476
1477
1478
1479
1480 static int __key_unlink_begin(struct key *keyring, struct key *key,
1481 struct assoc_array_edit **_edit)
1482 {
1483 struct assoc_array_edit *edit;
1484
1485 BUG_ON(*_edit != NULL);
1486
1487 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1488 &key->index_key);
1489 if (IS_ERR(edit))
1490 return PTR_ERR(edit);
1491
1492 if (!edit)
1493 return -ENOENT;
1494
1495 *_edit = edit;
1496 return 0;
1497 }
1498
1499
1500
1501
1502 static void __key_unlink(struct key *keyring, struct key *key,
1503 struct assoc_array_edit **_edit)
1504 {
1505 assoc_array_apply_edit(*_edit);
1506 *_edit = NULL;
1507 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1508 }
1509
1510
1511
1512
1513 static void __key_unlink_end(struct key *keyring,
1514 struct key *key,
1515 struct assoc_array_edit *edit)
1516 __releases(&keyring->sem)
1517 {
1518 if (edit)
1519 assoc_array_cancel_edit(edit);
1520 up_write(&keyring->sem);
1521 }
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540 int key_unlink(struct key *keyring, struct key *key)
1541 {
1542 struct assoc_array_edit *edit = NULL;
1543 int ret;
1544
1545 key_check(keyring);
1546 key_check(key);
1547
1548 ret = __key_unlink_lock(keyring);
1549 if (ret < 0)
1550 return ret;
1551
1552 ret = __key_unlink_begin(keyring, key, &edit);
1553 if (ret == 0)
1554 __key_unlink(keyring, key, &edit);
1555 __key_unlink_end(keyring, key, edit);
1556 return ret;
1557 }
1558 EXPORT_SYMBOL(key_unlink);
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585 int key_move(struct key *key,
1586 struct key *from_keyring,
1587 struct key *to_keyring,
1588 unsigned int flags)
1589 {
1590 struct assoc_array_edit *from_edit = NULL, *to_edit = NULL;
1591 int ret;
1592
1593 kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial);
1594
1595 if (from_keyring == to_keyring)
1596 return 0;
1597
1598 key_check(key);
1599 key_check(from_keyring);
1600 key_check(to_keyring);
1601
1602 ret = __key_move_lock(from_keyring, to_keyring, &key->index_key);
1603 if (ret < 0)
1604 goto out;
1605 ret = __key_unlink_begin(from_keyring, key, &from_edit);
1606 if (ret < 0)
1607 goto error;
1608 ret = __key_link_begin(to_keyring, &key->index_key, &to_edit);
1609 if (ret < 0)
1610 goto error;
1611
1612 ret = -EEXIST;
1613 if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL))
1614 goto error;
1615
1616 ret = __key_link_check_restriction(to_keyring, key);
1617 if (ret < 0)
1618 goto error;
1619 ret = __key_link_check_live_key(to_keyring, key);
1620 if (ret < 0)
1621 goto error;
1622
1623 __key_unlink(from_keyring, key, &from_edit);
1624 __key_link(key, &to_edit);
1625 error:
1626 __key_link_end(to_keyring, &key->index_key, to_edit);
1627 __key_unlink_end(from_keyring, key, from_edit);
1628 out:
1629 kleave(" = %d", ret);
1630 return ret;
1631 }
1632 EXPORT_SYMBOL(key_move);
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642 int keyring_clear(struct key *keyring)
1643 {
1644 struct assoc_array_edit *edit;
1645 int ret;
1646
1647 if (keyring->type != &key_type_keyring)
1648 return -ENOTDIR;
1649
1650 down_write(&keyring->sem);
1651
1652 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1653 if (IS_ERR(edit)) {
1654 ret = PTR_ERR(edit);
1655 } else {
1656 if (edit)
1657 assoc_array_apply_edit(edit);
1658 key_payload_reserve(keyring, 0);
1659 ret = 0;
1660 }
1661
1662 up_write(&keyring->sem);
1663 return ret;
1664 }
1665 EXPORT_SYMBOL(keyring_clear);
1666
1667
1668
1669
1670
1671
1672 static void keyring_revoke(struct key *keyring)
1673 {
1674 struct assoc_array_edit *edit;
1675
1676 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1677 if (!IS_ERR(edit)) {
1678 if (edit)
1679 assoc_array_apply_edit(edit);
1680 key_payload_reserve(keyring, 0);
1681 }
1682 }
1683
1684 static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1685 {
1686 struct key *key = keyring_ptr_to_key(object);
1687 time64_t *limit = iterator_data;
1688
1689 if (key_is_dead(key, *limit))
1690 return false;
1691 key_get(key);
1692 return true;
1693 }
1694
1695 static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1696 {
1697 const struct key *key = keyring_ptr_to_key(object);
1698 time64_t *limit = iterator_data;
1699
1700 key_check(key);
1701 return key_is_dead(key, *limit);
1702 }
1703
1704
1705
1706
1707
1708
1709
1710 void keyring_gc(struct key *keyring, time64_t limit)
1711 {
1712 int result;
1713
1714 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1715
1716 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1717 (1 << KEY_FLAG_REVOKED)))
1718 goto dont_gc;
1719
1720
1721 rcu_read_lock();
1722 result = assoc_array_iterate(&keyring->keys,
1723 keyring_gc_check_iterator, &limit);
1724 rcu_read_unlock();
1725 if (result == true)
1726 goto do_gc;
1727
1728 dont_gc:
1729 kleave(" [no gc]");
1730 return;
1731
1732 do_gc:
1733 down_write(&keyring->sem);
1734 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1735 keyring_gc_select_iterator, &limit);
1736 up_write(&keyring->sem);
1737 kleave(" [gc]");
1738 }
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755 void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type)
1756 {
1757 struct key_restriction *keyres;
1758
1759 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1760
1761
1762
1763
1764
1765
1766
1767
1768 if (!dead_type || !keyring->restrict_link ||
1769 keyring->restrict_link->keytype != dead_type) {
1770 kleave(" [no restriction gc]");
1771 return;
1772 }
1773
1774
1775 down_write(&keyring->sem);
1776
1777 keyres = keyring->restrict_link;
1778
1779 keyres->check = restrict_link_reject;
1780
1781 key_put(keyres->key);
1782 keyres->key = NULL;
1783 keyres->keytype = NULL;
1784
1785 up_write(&keyring->sem);
1786
1787 kleave(" [restriction gc]");
1788 }