root/security/keys/keyctl.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. key_get_type_from_user
  2. SYSCALL_DEFINE5
  3. SYSCALL_DEFINE4
  4. keyctl_get_keyring_ID
  5. keyctl_join_session_keyring
  6. keyctl_update_key
  7. keyctl_revoke_key
  8. keyctl_invalidate_key
  9. keyctl_keyring_clear
  10. keyctl_keyring_link
  11. keyctl_keyring_unlink
  12. keyctl_keyring_move
  13. keyctl_describe_key
  14. keyctl_keyring_search
  15. __keyctl_read_key
  16. keyctl_read_key
  17. keyctl_chown_key
  18. keyctl_setperm_key
  19. get_instantiation_keyring
  20. keyctl_change_reqkey_auth
  21. keyctl_instantiate_key_common
  22. keyctl_instantiate_key
  23. keyctl_instantiate_key_iov
  24. keyctl_negate_key
  25. keyctl_reject_key
  26. keyctl_set_reqkey_keyring
  27. keyctl_set_timeout
  28. keyctl_assume_authority
  29. keyctl_get_security
  30. keyctl_session_to_parent
  31. keyctl_restrict_keyring
  32. keyctl_capabilities
  33. SYSCALL_DEFINE5
   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /* Userspace key control operations
   3  *
   4  * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  */
   7 
   8 #include <linux/init.h>
   9 #include <linux/sched.h>
  10 #include <linux/sched/task.h>
  11 #include <linux/slab.h>
  12 #include <linux/syscalls.h>
  13 #include <linux/key.h>
  14 #include <linux/keyctl.h>
  15 #include <linux/fs.h>
  16 #include <linux/capability.h>
  17 #include <linux/cred.h>
  18 #include <linux/string.h>
  19 #include <linux/err.h>
  20 #include <linux/vmalloc.h>
  21 #include <linux/security.h>
  22 #include <linux/uio.h>
  23 #include <linux/uaccess.h>
  24 #include <keys/request_key_auth-type.h>
  25 #include "internal.h"
  26 
  27 #define KEY_MAX_DESC_SIZE 4096
  28 
  29 static const unsigned char keyrings_capabilities[2] = {
  30         [0] = (KEYCTL_CAPS0_CAPABILITIES |
  31                (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS)  ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) |
  32                (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS)    ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
  33                (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE)  ? KEYCTL_CAPS0_PUBLIC_KEY : 0) |
  34                (IS_ENABLED(CONFIG_BIG_KEYS)             ? KEYCTL_CAPS0_BIG_KEY : 0) |
  35                KEYCTL_CAPS0_INVALIDATE |
  36                KEYCTL_CAPS0_RESTRICT_KEYRING |
  37                KEYCTL_CAPS0_MOVE
  38                ),
  39         [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
  40                KEYCTL_CAPS1_NS_KEY_TAG),
  41 };
  42 
  43 static int key_get_type_from_user(char *type,
  44                                   const char __user *_type,
  45                                   unsigned len)
  46 {
  47         int ret;
  48 
  49         ret = strncpy_from_user(type, _type, len);
  50         if (ret < 0)
  51                 return ret;
  52         if (ret == 0 || ret >= len)
  53                 return -EINVAL;
  54         if (type[0] == '.')
  55                 return -EPERM;
  56         type[len - 1] = '\0';
  57         return 0;
  58 }
  59 
  60 /*
  61  * Extract the description of a new key from userspace and either add it as a
  62  * new key to the specified keyring or update a matching key in that keyring.
  63  *
  64  * If the description is NULL or an empty string, the key type is asked to
  65  * generate one from the payload.
  66  *
  67  * The keyring must be writable so that we can attach the key to it.
  68  *
  69  * If successful, the new key's serial number is returned, otherwise an error
  70  * code is returned.
  71  */
  72 SYSCALL_DEFINE5(add_key, const char __user *, _type,
  73                 const char __user *, _description,
  74                 const void __user *, _payload,
  75                 size_t, plen,
  76                 key_serial_t, ringid)
  77 {
  78         key_ref_t keyring_ref, key_ref;
  79         char type[32], *description;
  80         void *payload;
  81         long ret;
  82 
  83         ret = -EINVAL;
  84         if (plen > 1024 * 1024 - 1)
  85                 goto error;
  86 
  87         /* draw all the data into kernel space */
  88         ret = key_get_type_from_user(type, _type, sizeof(type));
  89         if (ret < 0)
  90                 goto error;
  91 
  92         description = NULL;
  93         if (_description) {
  94                 description = strndup_user(_description, KEY_MAX_DESC_SIZE);
  95                 if (IS_ERR(description)) {
  96                         ret = PTR_ERR(description);
  97                         goto error;
  98                 }
  99                 if (!*description) {
 100                         kfree(description);
 101                         description = NULL;
 102                 } else if ((description[0] == '.') &&
 103                            (strncmp(type, "keyring", 7) == 0)) {
 104                         ret = -EPERM;
 105                         goto error2;
 106                 }
 107         }
 108 
 109         /* pull the payload in if one was supplied */
 110         payload = NULL;
 111 
 112         if (plen) {
 113                 ret = -ENOMEM;
 114                 payload = kvmalloc(plen, GFP_KERNEL);
 115                 if (!payload)
 116                         goto error2;
 117 
 118                 ret = -EFAULT;
 119                 if (copy_from_user(payload, _payload, plen) != 0)
 120                         goto error3;
 121         }
 122 
 123         /* find the target keyring (which must be writable) */
 124         keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 125         if (IS_ERR(keyring_ref)) {
 126                 ret = PTR_ERR(keyring_ref);
 127                 goto error3;
 128         }
 129 
 130         /* create or update the requested key and add it to the target
 131          * keyring */
 132         key_ref = key_create_or_update(keyring_ref, type, description,
 133                                        payload, plen, KEY_PERM_UNDEF,
 134                                        KEY_ALLOC_IN_QUOTA);
 135         if (!IS_ERR(key_ref)) {
 136                 ret = key_ref_to_ptr(key_ref)->serial;
 137                 key_ref_put(key_ref);
 138         }
 139         else {
 140                 ret = PTR_ERR(key_ref);
 141         }
 142 
 143         key_ref_put(keyring_ref);
 144  error3:
 145         kvfree_sensitive(payload, plen);
 146  error2:
 147         kfree(description);
 148  error:
 149         return ret;
 150 }
 151 
 152 /*
 153  * Search the process keyrings and keyring trees linked from those for a
 154  * matching key.  Keyrings must have appropriate Search permission to be
 155  * searched.
 156  *
 157  * If a key is found, it will be attached to the destination keyring if there's
 158  * one specified and the serial number of the key will be returned.
 159  *
 160  * If no key is found, /sbin/request-key will be invoked if _callout_info is
 161  * non-NULL in an attempt to create a key.  The _callout_info string will be
 162  * passed to /sbin/request-key to aid with completing the request.  If the
 163  * _callout_info string is "" then it will be changed to "-".
 164  */
 165 SYSCALL_DEFINE4(request_key, const char __user *, _type,
 166                 const char __user *, _description,
 167                 const char __user *, _callout_info,
 168                 key_serial_t, destringid)
 169 {
 170         struct key_type *ktype;
 171         struct key *key;
 172         key_ref_t dest_ref;
 173         size_t callout_len;
 174         char type[32], *description, *callout_info;
 175         long ret;
 176 
 177         /* pull the type into kernel space */
 178         ret = key_get_type_from_user(type, _type, sizeof(type));
 179         if (ret < 0)
 180                 goto error;
 181 
 182         /* pull the description into kernel space */
 183         description = strndup_user(_description, KEY_MAX_DESC_SIZE);
 184         if (IS_ERR(description)) {
 185                 ret = PTR_ERR(description);
 186                 goto error;
 187         }
 188 
 189         /* pull the callout info into kernel space */
 190         callout_info = NULL;
 191         callout_len = 0;
 192         if (_callout_info) {
 193                 callout_info = strndup_user(_callout_info, PAGE_SIZE);
 194                 if (IS_ERR(callout_info)) {
 195                         ret = PTR_ERR(callout_info);
 196                         goto error2;
 197                 }
 198                 callout_len = strlen(callout_info);
 199         }
 200 
 201         /* get the destination keyring if specified */
 202         dest_ref = NULL;
 203         if (destringid) {
 204                 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
 205                                            KEY_NEED_WRITE);
 206                 if (IS_ERR(dest_ref)) {
 207                         ret = PTR_ERR(dest_ref);
 208                         goto error3;
 209                 }
 210         }
 211 
 212         /* find the key type */
 213         ktype = key_type_lookup(type);
 214         if (IS_ERR(ktype)) {
 215                 ret = PTR_ERR(ktype);
 216                 goto error4;
 217         }
 218 
 219         /* do the search */
 220         key = request_key_and_link(ktype, description, NULL, callout_info,
 221                                    callout_len, NULL, key_ref_to_ptr(dest_ref),
 222                                    KEY_ALLOC_IN_QUOTA);
 223         if (IS_ERR(key)) {
 224                 ret = PTR_ERR(key);
 225                 goto error5;
 226         }
 227 
 228         /* wait for the key to finish being constructed */
 229         ret = wait_for_key_construction(key, 1);
 230         if (ret < 0)
 231                 goto error6;
 232 
 233         ret = key->serial;
 234 
 235 error6:
 236         key_put(key);
 237 error5:
 238         key_type_put(ktype);
 239 error4:
 240         key_ref_put(dest_ref);
 241 error3:
 242         kfree(callout_info);
 243 error2:
 244         kfree(description);
 245 error:
 246         return ret;
 247 }
 248 
 249 /*
 250  * Get the ID of the specified process keyring.
 251  *
 252  * The requested keyring must have search permission to be found.
 253  *
 254  * If successful, the ID of the requested keyring will be returned.
 255  */
 256 long keyctl_get_keyring_ID(key_serial_t id, int create)
 257 {
 258         key_ref_t key_ref;
 259         unsigned long lflags;
 260         long ret;
 261 
 262         lflags = create ? KEY_LOOKUP_CREATE : 0;
 263         key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH);
 264         if (IS_ERR(key_ref)) {
 265                 ret = PTR_ERR(key_ref);
 266                 goto error;
 267         }
 268 
 269         ret = key_ref_to_ptr(key_ref)->serial;
 270         key_ref_put(key_ref);
 271 error:
 272         return ret;
 273 }
 274 
 275 /*
 276  * Join a (named) session keyring.
 277  *
 278  * Create and join an anonymous session keyring or join a named session
 279  * keyring, creating it if necessary.  A named session keyring must have Search
 280  * permission for it to be joined.  Session keyrings without this permit will
 281  * be skipped over.  It is not permitted for userspace to create or join
 282  * keyrings whose name begin with a dot.
 283  *
 284  * If successful, the ID of the joined session keyring will be returned.
 285  */
 286 long keyctl_join_session_keyring(const char __user *_name)
 287 {
 288         char *name;
 289         long ret;
 290 
 291         /* fetch the name from userspace */
 292         name = NULL;
 293         if (_name) {
 294                 name = strndup_user(_name, KEY_MAX_DESC_SIZE);
 295                 if (IS_ERR(name)) {
 296                         ret = PTR_ERR(name);
 297                         goto error;
 298                 }
 299 
 300                 ret = -EPERM;
 301                 if (name[0] == '.')
 302                         goto error_name;
 303         }
 304 
 305         /* join the session */
 306         ret = join_session_keyring(name);
 307 error_name:
 308         kfree(name);
 309 error:
 310         return ret;
 311 }
 312 
 313 /*
 314  * Update a key's data payload from the given data.
 315  *
 316  * The key must grant the caller Write permission and the key type must support
 317  * updating for this to work.  A negative key can be positively instantiated
 318  * with this call.
 319  *
 320  * If successful, 0 will be returned.  If the key type does not support
 321  * updating, then -EOPNOTSUPP will be returned.
 322  */
 323 long keyctl_update_key(key_serial_t id,
 324                        const void __user *_payload,
 325                        size_t plen)
 326 {
 327         key_ref_t key_ref;
 328         void *payload;
 329         long ret;
 330 
 331         ret = -EINVAL;
 332         if (plen > PAGE_SIZE)
 333                 goto error;
 334 
 335         /* pull the payload in if one was supplied */
 336         payload = NULL;
 337         if (plen) {
 338                 ret = -ENOMEM;
 339                 payload = kvmalloc(plen, GFP_KERNEL);
 340                 if (!payload)
 341                         goto error;
 342 
 343                 ret = -EFAULT;
 344                 if (copy_from_user(payload, _payload, plen) != 0)
 345                         goto error2;
 346         }
 347 
 348         /* find the target key (which must be writable) */
 349         key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
 350         if (IS_ERR(key_ref)) {
 351                 ret = PTR_ERR(key_ref);
 352                 goto error2;
 353         }
 354 
 355         /* update the key */
 356         ret = key_update(key_ref, payload, plen);
 357 
 358         key_ref_put(key_ref);
 359 error2:
 360         kvfree_sensitive(payload, plen);
 361 error:
 362         return ret;
 363 }
 364 
 365 /*
 366  * Revoke a key.
 367  *
 368  * The key must be grant the caller Write or Setattr permission for this to
 369  * work.  The key type should give up its quota claim when revoked.  The key
 370  * and any links to the key will be automatically garbage collected after a
 371  * certain amount of time (/proc/sys/kernel/keys/gc_delay).
 372  *
 373  * Keys with KEY_FLAG_KEEP set should not be revoked.
 374  *
 375  * If successful, 0 is returned.
 376  */
 377 long keyctl_revoke_key(key_serial_t id)
 378 {
 379         key_ref_t key_ref;
 380         struct key *key;
 381         long ret;
 382 
 383         key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
 384         if (IS_ERR(key_ref)) {
 385                 ret = PTR_ERR(key_ref);
 386                 if (ret != -EACCES)
 387                         goto error;
 388                 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
 389                 if (IS_ERR(key_ref)) {
 390                         ret = PTR_ERR(key_ref);
 391                         goto error;
 392                 }
 393         }
 394 
 395         key = key_ref_to_ptr(key_ref);
 396         ret = 0;
 397         if (test_bit(KEY_FLAG_KEEP, &key->flags))
 398                 ret = -EPERM;
 399         else
 400                 key_revoke(key);
 401 
 402         key_ref_put(key_ref);
 403 error:
 404         return ret;
 405 }
 406 
 407 /*
 408  * Invalidate a key.
 409  *
 410  * The key must be grant the caller Invalidate permission for this to work.
 411  * The key and any links to the key will be automatically garbage collected
 412  * immediately.
 413  *
 414  * Keys with KEY_FLAG_KEEP set should not be invalidated.
 415  *
 416  * If successful, 0 is returned.
 417  */
 418 long keyctl_invalidate_key(key_serial_t id)
 419 {
 420         key_ref_t key_ref;
 421         struct key *key;
 422         long ret;
 423 
 424         kenter("%d", id);
 425 
 426         key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
 427         if (IS_ERR(key_ref)) {
 428                 ret = PTR_ERR(key_ref);
 429 
 430                 /* Root is permitted to invalidate certain special keys */
 431                 if (capable(CAP_SYS_ADMIN)) {
 432                         key_ref = lookup_user_key(id, 0, 0);
 433                         if (IS_ERR(key_ref))
 434                                 goto error;
 435                         if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
 436                                      &key_ref_to_ptr(key_ref)->flags))
 437                                 goto invalidate;
 438                         goto error_put;
 439                 }
 440 
 441                 goto error;
 442         }
 443 
 444 invalidate:
 445         key = key_ref_to_ptr(key_ref);
 446         ret = 0;
 447         if (test_bit(KEY_FLAG_KEEP, &key->flags))
 448                 ret = -EPERM;
 449         else
 450                 key_invalidate(key);
 451 error_put:
 452         key_ref_put(key_ref);
 453 error:
 454         kleave(" = %ld", ret);
 455         return ret;
 456 }
 457 
 458 /*
 459  * Clear the specified keyring, creating an empty process keyring if one of the
 460  * special keyring IDs is used.
 461  *
 462  * The keyring must grant the caller Write permission and not have
 463  * KEY_FLAG_KEEP set for this to work.  If successful, 0 will be returned.
 464  */
 465 long keyctl_keyring_clear(key_serial_t ringid)
 466 {
 467         key_ref_t keyring_ref;
 468         struct key *keyring;
 469         long ret;
 470 
 471         keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 472         if (IS_ERR(keyring_ref)) {
 473                 ret = PTR_ERR(keyring_ref);
 474 
 475                 /* Root is permitted to invalidate certain special keyrings */
 476                 if (capable(CAP_SYS_ADMIN)) {
 477                         keyring_ref = lookup_user_key(ringid, 0, 0);
 478                         if (IS_ERR(keyring_ref))
 479                                 goto error;
 480                         if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
 481                                      &key_ref_to_ptr(keyring_ref)->flags))
 482                                 goto clear;
 483                         goto error_put;
 484                 }
 485 
 486                 goto error;
 487         }
 488 
 489 clear:
 490         keyring = key_ref_to_ptr(keyring_ref);
 491         if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
 492                 ret = -EPERM;
 493         else
 494                 ret = keyring_clear(keyring);
 495 error_put:
 496         key_ref_put(keyring_ref);
 497 error:
 498         return ret;
 499 }
 500 
 501 /*
 502  * Create a link from a keyring to a key if there's no matching key in the
 503  * keyring, otherwise replace the link to the matching key with a link to the
 504  * new key.
 505  *
 506  * The key must grant the caller Link permission and the the keyring must grant
 507  * the caller Write permission.  Furthermore, if an additional link is created,
 508  * the keyring's quota will be extended.
 509  *
 510  * If successful, 0 will be returned.
 511  */
 512 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
 513 {
 514         key_ref_t keyring_ref, key_ref;
 515         long ret;
 516 
 517         keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 518         if (IS_ERR(keyring_ref)) {
 519                 ret = PTR_ERR(keyring_ref);
 520                 goto error;
 521         }
 522 
 523         key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK);
 524         if (IS_ERR(key_ref)) {
 525                 ret = PTR_ERR(key_ref);
 526                 goto error2;
 527         }
 528 
 529         ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
 530 
 531         key_ref_put(key_ref);
 532 error2:
 533         key_ref_put(keyring_ref);
 534 error:
 535         return ret;
 536 }
 537 
 538 /*
 539  * Unlink a key from a keyring.
 540  *
 541  * The keyring must grant the caller Write permission for this to work; the key
 542  * itself need not grant the caller anything.  If the last link to a key is
 543  * removed then that key will be scheduled for destruction.
 544  *
 545  * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked.
 546  *
 547  * If successful, 0 will be returned.
 548  */
 549 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
 550 {
 551         key_ref_t keyring_ref, key_ref;
 552         struct key *keyring, *key;
 553         long ret;
 554 
 555         keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE);
 556         if (IS_ERR(keyring_ref)) {
 557                 ret = PTR_ERR(keyring_ref);
 558                 goto error;
 559         }
 560 
 561         key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0);
 562         if (IS_ERR(key_ref)) {
 563                 ret = PTR_ERR(key_ref);
 564                 goto error2;
 565         }
 566 
 567         keyring = key_ref_to_ptr(keyring_ref);
 568         key = key_ref_to_ptr(key_ref);
 569         if (test_bit(KEY_FLAG_KEEP, &keyring->flags) &&
 570             test_bit(KEY_FLAG_KEEP, &key->flags))
 571                 ret = -EPERM;
 572         else
 573                 ret = key_unlink(keyring, key);
 574 
 575         key_ref_put(key_ref);
 576 error2:
 577         key_ref_put(keyring_ref);
 578 error:
 579         return ret;
 580 }
 581 
 582 /*
 583  * Move a link to a key from one keyring to another, displacing any matching
 584  * key from the destination keyring.
 585  *
 586  * The key must grant the caller Link permission and both keyrings must grant
 587  * the caller Write permission.  There must also be a link in the from keyring
 588  * to the key.  If both keyrings are the same, nothing is done.
 589  *
 590  * If successful, 0 will be returned.
 591  */
 592 long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid,
 593                          key_serial_t to_ringid, unsigned int flags)
 594 {
 595         key_ref_t key_ref, from_ref, to_ref;
 596         long ret;
 597 
 598         if (flags & ~KEYCTL_MOVE_EXCL)
 599                 return -EINVAL;
 600 
 601         key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK);
 602         if (IS_ERR(key_ref))
 603                 return PTR_ERR(key_ref);
 604 
 605         from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE);
 606         if (IS_ERR(from_ref)) {
 607                 ret = PTR_ERR(from_ref);
 608                 goto error2;
 609         }
 610 
 611         to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 612         if (IS_ERR(to_ref)) {
 613                 ret = PTR_ERR(to_ref);
 614                 goto error3;
 615         }
 616 
 617         ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref),
 618                        key_ref_to_ptr(to_ref), flags);
 619 
 620         key_ref_put(to_ref);
 621 error3:
 622         key_ref_put(from_ref);
 623 error2:
 624         key_ref_put(key_ref);
 625         return ret;
 626 }
 627 
 628 /*
 629  * Return a description of a key to userspace.
 630  *
 631  * The key must grant the caller View permission for this to work.
 632  *
 633  * If there's a buffer, we place up to buflen bytes of data into it formatted
 634  * in the following way:
 635  *
 636  *      type;uid;gid;perm;description<NUL>
 637  *
 638  * If successful, we return the amount of description available, irrespective
 639  * of how much we may have copied into the buffer.
 640  */
 641 long keyctl_describe_key(key_serial_t keyid,
 642                          char __user *buffer,
 643                          size_t buflen)
 644 {
 645         struct key *key, *instkey;
 646         key_ref_t key_ref;
 647         char *infobuf;
 648         long ret;
 649         int desclen, infolen;
 650 
 651         key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
 652         if (IS_ERR(key_ref)) {
 653                 /* viewing a key under construction is permitted if we have the
 654                  * authorisation token handy */
 655                 if (PTR_ERR(key_ref) == -EACCES) {
 656                         instkey = key_get_instantiation_authkey(keyid);
 657                         if (!IS_ERR(instkey)) {
 658                                 key_put(instkey);
 659                                 key_ref = lookup_user_key(keyid,
 660                                                           KEY_LOOKUP_PARTIAL,
 661                                                           0);
 662                                 if (!IS_ERR(key_ref))
 663                                         goto okay;
 664                         }
 665                 }
 666 
 667                 ret = PTR_ERR(key_ref);
 668                 goto error;
 669         }
 670 
 671 okay:
 672         key = key_ref_to_ptr(key_ref);
 673         desclen = strlen(key->description);
 674 
 675         /* calculate how much information we're going to return */
 676         ret = -ENOMEM;
 677         infobuf = kasprintf(GFP_KERNEL,
 678                             "%s;%d;%d;%08x;",
 679                             key->type->name,
 680                             from_kuid_munged(current_user_ns(), key->uid),
 681                             from_kgid_munged(current_user_ns(), key->gid),
 682                             key->perm);
 683         if (!infobuf)
 684                 goto error2;
 685         infolen = strlen(infobuf);
 686         ret = infolen + desclen + 1;
 687 
 688         /* consider returning the data */
 689         if (buffer && buflen >= ret) {
 690                 if (copy_to_user(buffer, infobuf, infolen) != 0 ||
 691                     copy_to_user(buffer + infolen, key->description,
 692                                  desclen + 1) != 0)
 693                         ret = -EFAULT;
 694         }
 695 
 696         kfree(infobuf);
 697 error2:
 698         key_ref_put(key_ref);
 699 error:
 700         return ret;
 701 }
 702 
 703 /*
 704  * Search the specified keyring and any keyrings it links to for a matching
 705  * key.  Only keyrings that grant the caller Search permission will be searched
 706  * (this includes the starting keyring).  Only keys with Search permission can
 707  * be found.
 708  *
 709  * If successful, the found key will be linked to the destination keyring if
 710  * supplied and the key has Link permission, and the found key ID will be
 711  * returned.
 712  */
 713 long keyctl_keyring_search(key_serial_t ringid,
 714                            const char __user *_type,
 715                            const char __user *_description,
 716                            key_serial_t destringid)
 717 {
 718         struct key_type *ktype;
 719         key_ref_t keyring_ref, key_ref, dest_ref;
 720         char type[32], *description;
 721         long ret;
 722 
 723         /* pull the type and description into kernel space */
 724         ret = key_get_type_from_user(type, _type, sizeof(type));
 725         if (ret < 0)
 726                 goto error;
 727 
 728         description = strndup_user(_description, KEY_MAX_DESC_SIZE);
 729         if (IS_ERR(description)) {
 730                 ret = PTR_ERR(description);
 731                 goto error;
 732         }
 733 
 734         /* get the keyring at which to begin the search */
 735         keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH);
 736         if (IS_ERR(keyring_ref)) {
 737                 ret = PTR_ERR(keyring_ref);
 738                 goto error2;
 739         }
 740 
 741         /* get the destination keyring if specified */
 742         dest_ref = NULL;
 743         if (destringid) {
 744                 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
 745                                            KEY_NEED_WRITE);
 746                 if (IS_ERR(dest_ref)) {
 747                         ret = PTR_ERR(dest_ref);
 748                         goto error3;
 749                 }
 750         }
 751 
 752         /* find the key type */
 753         ktype = key_type_lookup(type);
 754         if (IS_ERR(ktype)) {
 755                 ret = PTR_ERR(ktype);
 756                 goto error4;
 757         }
 758 
 759         /* do the search */
 760         key_ref = keyring_search(keyring_ref, ktype, description, true);
 761         if (IS_ERR(key_ref)) {
 762                 ret = PTR_ERR(key_ref);
 763 
 764                 /* treat lack or presence of a negative key the same */
 765                 if (ret == -EAGAIN)
 766                         ret = -ENOKEY;
 767                 goto error5;
 768         }
 769 
 770         /* link the resulting key to the destination keyring if we can */
 771         if (dest_ref) {
 772                 ret = key_permission(key_ref, KEY_NEED_LINK);
 773                 if (ret < 0)
 774                         goto error6;
 775 
 776                 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
 777                 if (ret < 0)
 778                         goto error6;
 779         }
 780 
 781         ret = key_ref_to_ptr(key_ref)->serial;
 782 
 783 error6:
 784         key_ref_put(key_ref);
 785 error5:
 786         key_type_put(ktype);
 787 error4:
 788         key_ref_put(dest_ref);
 789 error3:
 790         key_ref_put(keyring_ref);
 791 error2:
 792         kfree(description);
 793 error:
 794         return ret;
 795 }
 796 
 797 /*
 798  * Call the read method
 799  */
 800 static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen)
 801 {
 802         long ret;
 803 
 804         down_read(&key->sem);
 805         ret = key_validate(key);
 806         if (ret == 0)
 807                 ret = key->type->read(key, buffer, buflen);
 808         up_read(&key->sem);
 809         return ret;
 810 }
 811 
 812 /*
 813  * Read a key's payload.
 814  *
 815  * The key must either grant the caller Read permission, or it must grant the
 816  * caller Search permission when searched for from the process keyrings.
 817  *
 818  * If successful, we place up to buflen bytes of data into the buffer, if one
 819  * is provided, and return the amount of data that is available in the key,
 820  * irrespective of how much we copied into the buffer.
 821  */
 822 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 823 {
 824         struct key *key;
 825         key_ref_t key_ref;
 826         long ret;
 827         char *key_data = NULL;
 828         size_t key_data_len;
 829 
 830         /* find the key first */
 831         key_ref = lookup_user_key(keyid, 0, 0);
 832         if (IS_ERR(key_ref)) {
 833                 ret = -ENOKEY;
 834                 goto out;
 835         }
 836 
 837         key = key_ref_to_ptr(key_ref);
 838 
 839         ret = key_read_state(key);
 840         if (ret < 0)
 841                 goto key_put_out; /* Negatively instantiated */
 842 
 843         /* see if we can read it directly */
 844         ret = key_permission(key_ref, KEY_NEED_READ);
 845         if (ret == 0)
 846                 goto can_read_key;
 847         if (ret != -EACCES)
 848                 goto key_put_out;
 849 
 850         /* we can't; see if it's searchable from this process's keyrings
 851          * - we automatically take account of the fact that it may be
 852          *   dangling off an instantiation key
 853          */
 854         if (!is_key_possessed(key_ref)) {
 855                 ret = -EACCES;
 856                 goto key_put_out;
 857         }
 858 
 859         /* the key is probably readable - now try to read it */
 860 can_read_key:
 861         if (!key->type->read) {
 862                 ret = -EOPNOTSUPP;
 863                 goto key_put_out;
 864         }
 865 
 866         if (!buffer || !buflen) {
 867                 /* Get the key length from the read method */
 868                 ret = __keyctl_read_key(key, NULL, 0);
 869                 goto key_put_out;
 870         }
 871 
 872         /*
 873          * Read the data with the semaphore held (since we might sleep)
 874          * to protect against the key being updated or revoked.
 875          *
 876          * Allocating a temporary buffer to hold the keys before
 877          * transferring them to user buffer to avoid potential
 878          * deadlock involving page fault and mmap_sem.
 879          *
 880          * key_data_len = (buflen <= PAGE_SIZE)
 881          *              ? buflen : actual length of key data
 882          *
 883          * This prevents allocating arbitrary large buffer which can
 884          * be much larger than the actual key length. In the latter case,
 885          * at least 2 passes of this loop is required.
 886          */
 887         key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0;
 888         for (;;) {
 889                 if (key_data_len) {
 890                         key_data = kvmalloc(key_data_len, GFP_KERNEL);
 891                         if (!key_data) {
 892                                 ret = -ENOMEM;
 893                                 goto key_put_out;
 894                         }
 895                 }
 896 
 897                 ret = __keyctl_read_key(key, key_data, key_data_len);
 898 
 899                 /*
 900                  * Read methods will just return the required length without
 901                  * any copying if the provided length isn't large enough.
 902                  */
 903                 if (ret <= 0 || ret > buflen)
 904                         break;
 905 
 906                 /*
 907                  * The key may change (unlikely) in between 2 consecutive
 908                  * __keyctl_read_key() calls. In this case, we reallocate
 909                  * a larger buffer and redo the key read when
 910                  * key_data_len < ret <= buflen.
 911                  */
 912                 if (ret > key_data_len) {
 913                         if (unlikely(key_data))
 914                                 kvfree_sensitive(key_data, key_data_len);
 915                         key_data_len = ret;
 916                         continue;       /* Allocate buffer */
 917                 }
 918 
 919                 if (copy_to_user(buffer, key_data, ret))
 920                         ret = -EFAULT;
 921                 break;
 922         }
 923         kvfree_sensitive(key_data, key_data_len);
 924 
 925 key_put_out:
 926         key_put(key);
 927 out:
 928         return ret;
 929 }
 930 
 931 /*
 932  * Change the ownership of a key
 933  *
 934  * The key must grant the caller Setattr permission for this to work, though
 935  * the key need not be fully instantiated yet.  For the UID to be changed, or
 936  * for the GID to be changed to a group the caller is not a member of, the
 937  * caller must have sysadmin capability.  If either uid or gid is -1 then that
 938  * attribute is not changed.
 939  *
 940  * If the UID is to be changed, the new user must have sufficient quota to
 941  * accept the key.  The quota deduction will be removed from the old user to
 942  * the new user should the attribute be changed.
 943  *
 944  * If successful, 0 will be returned.
 945  */
 946 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
 947 {
 948         struct key_user *newowner, *zapowner = NULL;
 949         struct key *key;
 950         key_ref_t key_ref;
 951         long ret;
 952         kuid_t uid;
 953         kgid_t gid;
 954 
 955         uid = make_kuid(current_user_ns(), user);
 956         gid = make_kgid(current_user_ns(), group);
 957         ret = -EINVAL;
 958         if ((user != (uid_t) -1) && !uid_valid(uid))
 959                 goto error;
 960         if ((group != (gid_t) -1) && !gid_valid(gid))
 961                 goto error;
 962 
 963         ret = 0;
 964         if (user == (uid_t) -1 && group == (gid_t) -1)
 965                 goto error;
 966 
 967         key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
 968                                   KEY_NEED_SETATTR);
 969         if (IS_ERR(key_ref)) {
 970                 ret = PTR_ERR(key_ref);
 971                 goto error;
 972         }
 973 
 974         key = key_ref_to_ptr(key_ref);
 975 
 976         /* make the changes with the locks held to prevent chown/chown races */
 977         ret = -EACCES;
 978         down_write(&key->sem);
 979 
 980         if (!capable(CAP_SYS_ADMIN)) {
 981                 /* only the sysadmin can chown a key to some other UID */
 982                 if (user != (uid_t) -1 && !uid_eq(key->uid, uid))
 983                         goto error_put;
 984 
 985                 /* only the sysadmin can set the key's GID to a group other
 986                  * than one of those that the current process subscribes to */
 987                 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid))
 988                         goto error_put;
 989         }
 990 
 991         /* change the UID */
 992         if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) {
 993                 ret = -ENOMEM;
 994                 newowner = key_user_lookup(uid);
 995                 if (!newowner)
 996                         goto error_put;
 997 
 998                 /* transfer the quota burden to the new user */
 999                 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
1000                         unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ?
1001                                 key_quota_root_maxkeys : key_quota_maxkeys;
1002                         unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ?
1003                                 key_quota_root_maxbytes : key_quota_maxbytes;
1004 
1005                         spin_lock(&newowner->lock);
1006                         if (newowner->qnkeys + 1 > maxkeys ||
1007                             newowner->qnbytes + key->quotalen > maxbytes ||
1008                             newowner->qnbytes + key->quotalen <
1009                             newowner->qnbytes)
1010                                 goto quota_overrun;
1011 
1012                         newowner->qnkeys++;
1013                         newowner->qnbytes += key->quotalen;
1014                         spin_unlock(&newowner->lock);
1015 
1016                         spin_lock(&key->user->lock);
1017                         key->user->qnkeys--;
1018                         key->user->qnbytes -= key->quotalen;
1019                         spin_unlock(&key->user->lock);
1020                 }
1021 
1022                 atomic_dec(&key->user->nkeys);
1023                 atomic_inc(&newowner->nkeys);
1024 
1025                 if (key->state != KEY_IS_UNINSTANTIATED) {
1026                         atomic_dec(&key->user->nikeys);
1027                         atomic_inc(&newowner->nikeys);
1028                 }
1029 
1030                 zapowner = key->user;
1031                 key->user = newowner;
1032                 key->uid = uid;
1033         }
1034 
1035         /* change the GID */
1036         if (group != (gid_t) -1)
1037                 key->gid = gid;
1038 
1039         ret = 0;
1040 
1041 error_put:
1042         up_write(&key->sem);
1043         key_put(key);
1044         if (zapowner)
1045                 key_user_put(zapowner);
1046 error:
1047         return ret;
1048 
1049 quota_overrun:
1050         spin_unlock(&newowner->lock);
1051         zapowner = newowner;
1052         ret = -EDQUOT;
1053         goto error_put;
1054 }
1055 
1056 /*
1057  * Change the permission mask on a key.
1058  *
1059  * The key must grant the caller Setattr permission for this to work, though
1060  * the key need not be fully instantiated yet.  If the caller does not have
1061  * sysadmin capability, it may only change the permission on keys that it owns.
1062  */
1063 long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
1064 {
1065         struct key *key;
1066         key_ref_t key_ref;
1067         long ret;
1068 
1069         ret = -EINVAL;
1070         if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
1071                 goto error;
1072 
1073         key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1074                                   KEY_NEED_SETATTR);
1075         if (IS_ERR(key_ref)) {
1076                 ret = PTR_ERR(key_ref);
1077                 goto error;
1078         }
1079 
1080         key = key_ref_to_ptr(key_ref);
1081 
1082         /* make the changes with the locks held to prevent chown/chmod races */
1083         ret = -EACCES;
1084         down_write(&key->sem);
1085 
1086         /* if we're not the sysadmin, we can only change a key that we own */
1087         if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) {
1088                 key->perm = perm;
1089                 ret = 0;
1090         }
1091 
1092         up_write(&key->sem);
1093         key_put(key);
1094 error:
1095         return ret;
1096 }
1097 
1098 /*
1099  * Get the destination keyring for instantiation and check that the caller has
1100  * Write permission on it.
1101  */
1102 static long get_instantiation_keyring(key_serial_t ringid,
1103                                       struct request_key_auth *rka,
1104                                       struct key **_dest_keyring)
1105 {
1106         key_ref_t dkref;
1107 
1108         *_dest_keyring = NULL;
1109 
1110         /* just return a NULL pointer if we weren't asked to make a link */
1111         if (ringid == 0)
1112                 return 0;
1113 
1114         /* if a specific keyring is nominated by ID, then use that */
1115         if (ringid > 0) {
1116                 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
1117                 if (IS_ERR(dkref))
1118                         return PTR_ERR(dkref);
1119                 *_dest_keyring = key_ref_to_ptr(dkref);
1120                 return 0;
1121         }
1122 
1123         if (ringid == KEY_SPEC_REQKEY_AUTH_KEY)
1124                 return -EINVAL;
1125 
1126         /* otherwise specify the destination keyring recorded in the
1127          * authorisation key (any KEY_SPEC_*_KEYRING) */
1128         if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
1129                 *_dest_keyring = key_get(rka->dest_keyring);
1130                 return 0;
1131         }
1132 
1133         return -ENOKEY;
1134 }
1135 
1136 /*
1137  * Change the request_key authorisation key on the current process.
1138  */
1139 static int keyctl_change_reqkey_auth(struct key *key)
1140 {
1141         struct cred *new;
1142 
1143         new = prepare_creds();
1144         if (!new)
1145                 return -ENOMEM;
1146 
1147         key_put(new->request_key_auth);
1148         new->request_key_auth = key_get(key);
1149 
1150         return commit_creds(new);
1151 }
1152 
1153 /*
1154  * Instantiate a key with the specified payload and link the key into the
1155  * destination keyring if one is given.
1156  *
1157  * The caller must have the appropriate instantiation permit set for this to
1158  * work (see keyctl_assume_authority).  No other permissions are required.
1159  *
1160  * If successful, 0 will be returned.
1161  */
1162 long keyctl_instantiate_key_common(key_serial_t id,
1163                                    struct iov_iter *from,
1164                                    key_serial_t ringid)
1165 {
1166         const struct cred *cred = current_cred();
1167         struct request_key_auth *rka;
1168         struct key *instkey, *dest_keyring;
1169         size_t plen = from ? iov_iter_count(from) : 0;
1170         void *payload;
1171         long ret;
1172 
1173         kenter("%d,,%zu,%d", id, plen, ringid);
1174 
1175         if (!plen)
1176                 from = NULL;
1177 
1178         ret = -EINVAL;
1179         if (plen > 1024 * 1024 - 1)
1180                 goto error;
1181 
1182         /* the appropriate instantiation authorisation key must have been
1183          * assumed before calling this */
1184         ret = -EPERM;
1185         instkey = cred->request_key_auth;
1186         if (!instkey)
1187                 goto error;
1188 
1189         rka = instkey->payload.data[0];
1190         if (rka->target_key->serial != id)
1191                 goto error;
1192 
1193         /* pull the payload in if one was supplied */
1194         payload = NULL;
1195 
1196         if (from) {
1197                 ret = -ENOMEM;
1198                 payload = kvmalloc(plen, GFP_KERNEL);
1199                 if (!payload)
1200                         goto error;
1201 
1202                 ret = -EFAULT;
1203                 if (!copy_from_iter_full(payload, plen, from))
1204                         goto error2;
1205         }
1206 
1207         /* find the destination keyring amongst those belonging to the
1208          * requesting task */
1209         ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
1210         if (ret < 0)
1211                 goto error2;
1212 
1213         /* instantiate the key and link it into a keyring */
1214         ret = key_instantiate_and_link(rka->target_key, payload, plen,
1215                                        dest_keyring, instkey);
1216 
1217         key_put(dest_keyring);
1218 
1219         /* discard the assumed authority if it's just been disabled by
1220          * instantiation of the key */
1221         if (ret == 0)
1222                 keyctl_change_reqkey_auth(NULL);
1223 
1224 error2:
1225         kvfree_sensitive(payload, plen);
1226 error:
1227         return ret;
1228 }
1229 
1230 /*
1231  * Instantiate a key with the specified payload and link the key into the
1232  * destination keyring if one is given.
1233  *
1234  * The caller must have the appropriate instantiation permit set for this to
1235  * work (see keyctl_assume_authority).  No other permissions are required.
1236  *
1237  * If successful, 0 will be returned.
1238  */
1239 long keyctl_instantiate_key(key_serial_t id,
1240                             const void __user *_payload,
1241                             size_t plen,
1242                             key_serial_t ringid)
1243 {
1244         if (_payload && plen) {
1245                 struct iovec iov;
1246                 struct iov_iter from;
1247                 int ret;
1248 
1249                 ret = import_single_range(WRITE, (void __user *)_payload, plen,
1250                                           &iov, &from);
1251                 if (unlikely(ret))
1252                         return ret;
1253 
1254                 return keyctl_instantiate_key_common(id, &from, ringid);
1255         }
1256 
1257         return keyctl_instantiate_key_common(id, NULL, ringid);
1258 }
1259 
1260 /*
1261  * Instantiate a key with the specified multipart payload and link the key into
1262  * the destination keyring if one is given.
1263  *
1264  * The caller must have the appropriate instantiation permit set for this to
1265  * work (see keyctl_assume_authority).  No other permissions are required.
1266  *
1267  * If successful, 0 will be returned.
1268  */
1269 long keyctl_instantiate_key_iov(key_serial_t id,
1270                                 const struct iovec __user *_payload_iov,
1271                                 unsigned ioc,
1272                                 key_serial_t ringid)
1273 {
1274         struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
1275         struct iov_iter from;
1276         long ret;
1277 
1278         if (!_payload_iov)
1279                 ioc = 0;
1280 
1281         ret = import_iovec(WRITE, _payload_iov, ioc,
1282                                     ARRAY_SIZE(iovstack), &iov, &from);
1283         if (ret < 0)
1284                 return ret;
1285         ret = keyctl_instantiate_key_common(id, &from, ringid);
1286         kfree(iov);
1287         return ret;
1288 }
1289 
1290 /*
1291  * Negatively instantiate the key with the given timeout (in seconds) and link
1292  * the key into the destination keyring if one is given.
1293  *
1294  * The caller must have the appropriate instantiation permit set for this to
1295  * work (see keyctl_assume_authority).  No other permissions are required.
1296  *
1297  * The key and any links to the key will be automatically garbage collected
1298  * after the timeout expires.
1299  *
1300  * Negative keys are used to rate limit repeated request_key() calls by causing
1301  * them to return -ENOKEY until the negative key expires.
1302  *
1303  * If successful, 0 will be returned.
1304  */
1305 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
1306 {
1307         return keyctl_reject_key(id, timeout, ENOKEY, ringid);
1308 }
1309 
1310 /*
1311  * Negatively instantiate the key with the given timeout (in seconds) and error
1312  * code and link the key into the destination keyring if one is given.
1313  *
1314  * The caller must have the appropriate instantiation permit set for this to
1315  * work (see keyctl_assume_authority).  No other permissions are required.
1316  *
1317  * The key and any links to the key will be automatically garbage collected
1318  * after the timeout expires.
1319  *
1320  * Negative keys are used to rate limit repeated request_key() calls by causing
1321  * them to return the specified error code until the negative key expires.
1322  *
1323  * If successful, 0 will be returned.
1324  */
1325 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
1326                        key_serial_t ringid)
1327 {
1328         const struct cred *cred = current_cred();
1329         struct request_key_auth *rka;
1330         struct key *instkey, *dest_keyring;
1331         long ret;
1332 
1333         kenter("%d,%u,%u,%d", id, timeout, error, ringid);
1334 
1335         /* must be a valid error code and mustn't be a kernel special */
1336         if (error <= 0 ||
1337             error >= MAX_ERRNO ||
1338             error == ERESTARTSYS ||
1339             error == ERESTARTNOINTR ||
1340             error == ERESTARTNOHAND ||
1341             error == ERESTART_RESTARTBLOCK)
1342                 return -EINVAL;
1343 
1344         /* the appropriate instantiation authorisation key must have been
1345          * assumed before calling this */
1346         ret = -EPERM;
1347         instkey = cred->request_key_auth;
1348         if (!instkey)
1349                 goto error;
1350 
1351         rka = instkey->payload.data[0];
1352         if (rka->target_key->serial != id)
1353                 goto error;
1354 
1355         /* find the destination keyring if present (which must also be
1356          * writable) */
1357         ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
1358         if (ret < 0)
1359                 goto error;
1360 
1361         /* instantiate the key and link it into a keyring */
1362         ret = key_reject_and_link(rka->target_key, timeout, error,
1363                                   dest_keyring, instkey);
1364 
1365         key_put(dest_keyring);
1366 
1367         /* discard the assumed authority if it's just been disabled by
1368          * instantiation of the key */
1369         if (ret == 0)
1370                 keyctl_change_reqkey_auth(NULL);
1371 
1372 error:
1373         return ret;
1374 }
1375 
1376 /*
1377  * Read or set the default keyring in which request_key() will cache keys and
1378  * return the old setting.
1379  *
1380  * If a thread or process keyring is specified then it will be created if it
1381  * doesn't yet exist.  The old setting will be returned if successful.
1382  */
1383 long keyctl_set_reqkey_keyring(int reqkey_defl)
1384 {
1385         struct cred *new;
1386         int ret, old_setting;
1387 
1388         old_setting = current_cred_xxx(jit_keyring);
1389 
1390         if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE)
1391                 return old_setting;
1392 
1393         new = prepare_creds();
1394         if (!new)
1395                 return -ENOMEM;
1396 
1397         switch (reqkey_defl) {
1398         case KEY_REQKEY_DEFL_THREAD_KEYRING:
1399                 ret = install_thread_keyring_to_cred(new);
1400                 if (ret < 0)
1401                         goto error;
1402                 goto set;
1403 
1404         case KEY_REQKEY_DEFL_PROCESS_KEYRING:
1405                 ret = install_process_keyring_to_cred(new);
1406                 if (ret < 0)
1407                         goto error;
1408                 goto set;
1409 
1410         case KEY_REQKEY_DEFL_DEFAULT:
1411         case KEY_REQKEY_DEFL_SESSION_KEYRING:
1412         case KEY_REQKEY_DEFL_USER_KEYRING:
1413         case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
1414         case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
1415                 goto set;
1416 
1417         case KEY_REQKEY_DEFL_NO_CHANGE:
1418         case KEY_REQKEY_DEFL_GROUP_KEYRING:
1419         default:
1420                 ret = -EINVAL;
1421                 goto error;
1422         }
1423 
1424 set:
1425         new->jit_keyring = reqkey_defl;
1426         commit_creds(new);
1427         return old_setting;
1428 error:
1429         abort_creds(new);
1430         return ret;
1431 }
1432 
1433 /*
1434  * Set or clear the timeout on a key.
1435  *
1436  * Either the key must grant the caller Setattr permission or else the caller
1437  * must hold an instantiation authorisation token for the key.
1438  *
1439  * The timeout is either 0 to clear the timeout, or a number of seconds from
1440  * the current time.  The key and any links to the key will be automatically
1441  * garbage collected after the timeout expires.
1442  *
1443  * Keys with KEY_FLAG_KEEP set should not be timed out.
1444  *
1445  * If successful, 0 is returned.
1446  */
1447 long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1448 {
1449         struct key *key, *instkey;
1450         key_ref_t key_ref;
1451         long ret;
1452 
1453         key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1454                                   KEY_NEED_SETATTR);
1455         if (IS_ERR(key_ref)) {
1456                 /* setting the timeout on a key under construction is permitted
1457                  * if we have the authorisation token handy */
1458                 if (PTR_ERR(key_ref) == -EACCES) {
1459                         instkey = key_get_instantiation_authkey(id);
1460                         if (!IS_ERR(instkey)) {
1461                                 key_put(instkey);
1462                                 key_ref = lookup_user_key(id,
1463                                                           KEY_LOOKUP_PARTIAL,
1464                                                           0);
1465                                 if (!IS_ERR(key_ref))
1466                                         goto okay;
1467                         }
1468                 }
1469 
1470                 ret = PTR_ERR(key_ref);
1471                 goto error;
1472         }
1473 
1474 okay:
1475         key = key_ref_to_ptr(key_ref);
1476         ret = 0;
1477         if (test_bit(KEY_FLAG_KEEP, &key->flags))
1478                 ret = -EPERM;
1479         else
1480                 key_set_timeout(key, timeout);
1481         key_put(key);
1482 
1483 error:
1484         return ret;
1485 }
1486 
1487 /*
1488  * Assume (or clear) the authority to instantiate the specified key.
1489  *
1490  * This sets the authoritative token currently in force for key instantiation.
1491  * This must be done for a key to be instantiated.  It has the effect of making
1492  * available all the keys from the caller of the request_key() that created a
1493  * key to request_key() calls made by the caller of this function.
1494  *
1495  * The caller must have the instantiation key in their process keyrings with a
1496  * Search permission grant available to the caller.
1497  *
1498  * If the ID given is 0, then the setting will be cleared and 0 returned.
1499  *
1500  * If the ID given has a matching an authorisation key, then that key will be
1501  * set and its ID will be returned.  The authorisation key can be read to get
1502  * the callout information passed to request_key().
1503  */
1504 long keyctl_assume_authority(key_serial_t id)
1505 {
1506         struct key *authkey;
1507         long ret;
1508 
1509         /* special key IDs aren't permitted */
1510         ret = -EINVAL;
1511         if (id < 0)
1512                 goto error;
1513 
1514         /* we divest ourselves of authority if given an ID of 0 */
1515         if (id == 0) {
1516                 ret = keyctl_change_reqkey_auth(NULL);
1517                 goto error;
1518         }
1519 
1520         /* attempt to assume the authority temporarily granted to us whilst we
1521          * instantiate the specified key
1522          * - the authorisation key must be in the current task's keyrings
1523          *   somewhere
1524          */
1525         authkey = key_get_instantiation_authkey(id);
1526         if (IS_ERR(authkey)) {
1527                 ret = PTR_ERR(authkey);
1528                 goto error;
1529         }
1530 
1531         ret = keyctl_change_reqkey_auth(authkey);
1532         if (ret == 0)
1533                 ret = authkey->serial;
1534         key_put(authkey);
1535 error:
1536         return ret;
1537 }
1538 
1539 /*
1540  * Get a key's the LSM security label.
1541  *
1542  * The key must grant the caller View permission for this to work.
1543  *
1544  * If there's a buffer, then up to buflen bytes of data will be placed into it.
1545  *
1546  * If successful, the amount of information available will be returned,
1547  * irrespective of how much was copied (including the terminal NUL).
1548  */
1549 long keyctl_get_security(key_serial_t keyid,
1550                          char __user *buffer,
1551                          size_t buflen)
1552 {
1553         struct key *key, *instkey;
1554         key_ref_t key_ref;
1555         char *context;
1556         long ret;
1557 
1558         key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
1559         if (IS_ERR(key_ref)) {
1560                 if (PTR_ERR(key_ref) != -EACCES)
1561                         return PTR_ERR(key_ref);
1562 
1563                 /* viewing a key under construction is also permitted if we
1564                  * have the authorisation token handy */
1565                 instkey = key_get_instantiation_authkey(keyid);
1566                 if (IS_ERR(instkey))
1567                         return PTR_ERR(instkey);
1568                 key_put(instkey);
1569 
1570                 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0);
1571                 if (IS_ERR(key_ref))
1572                         return PTR_ERR(key_ref);
1573         }
1574 
1575         key = key_ref_to_ptr(key_ref);
1576         ret = security_key_getsecurity(key, &context);
1577         if (ret == 0) {
1578                 /* if no information was returned, give userspace an empty
1579                  * string */
1580                 ret = 1;
1581                 if (buffer && buflen > 0 &&
1582                     copy_to_user(buffer, "", 1) != 0)
1583                         ret = -EFAULT;
1584         } else if (ret > 0) {
1585                 /* return as much data as there's room for */
1586                 if (buffer && buflen > 0) {
1587                         if (buflen > ret)
1588                                 buflen = ret;
1589 
1590                         if (copy_to_user(buffer, context, buflen) != 0)
1591                                 ret = -EFAULT;
1592                 }
1593 
1594                 kfree(context);
1595         }
1596 
1597         key_ref_put(key_ref);
1598         return ret;
1599 }
1600 
1601 /*
1602  * Attempt to install the calling process's session keyring on the process's
1603  * parent process.
1604  *
1605  * The keyring must exist and must grant the caller LINK permission, and the
1606  * parent process must be single-threaded and must have the same effective
1607  * ownership as this process and mustn't be SUID/SGID.
1608  *
1609  * The keyring will be emplaced on the parent when it next resumes userspace.
1610  *
1611  * If successful, 0 will be returned.
1612  */
1613 long keyctl_session_to_parent(void)
1614 {
1615         struct task_struct *me, *parent;
1616         const struct cred *mycred, *pcred;
1617         struct callback_head *newwork, *oldwork;
1618         key_ref_t keyring_r;
1619         struct cred *cred;
1620         int ret;
1621 
1622         keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK);
1623         if (IS_ERR(keyring_r))
1624                 return PTR_ERR(keyring_r);
1625 
1626         ret = -ENOMEM;
1627 
1628         /* our parent is going to need a new cred struct, a new tgcred struct
1629          * and new security data, so we allocate them here to prevent ENOMEM in
1630          * our parent */
1631         cred = cred_alloc_blank();
1632         if (!cred)
1633                 goto error_keyring;
1634         newwork = &cred->rcu;
1635 
1636         cred->session_keyring = key_ref_to_ptr(keyring_r);
1637         keyring_r = NULL;
1638         init_task_work(newwork, key_change_session_keyring);
1639 
1640         me = current;
1641         rcu_read_lock();
1642         write_lock_irq(&tasklist_lock);
1643 
1644         ret = -EPERM;
1645         oldwork = NULL;
1646         parent = rcu_dereference_protected(me->real_parent,
1647                                            lockdep_is_held(&tasklist_lock));
1648 
1649         /* the parent mustn't be init and mustn't be a kernel thread */
1650         if (parent->pid <= 1 || !parent->mm)
1651                 goto unlock;
1652 
1653         /* the parent must be single threaded */
1654         if (!thread_group_empty(parent))
1655                 goto unlock;
1656 
1657         /* the parent and the child must have different session keyrings or
1658          * there's no point */
1659         mycred = current_cred();
1660         pcred = __task_cred(parent);
1661         if (mycred == pcred ||
1662             mycred->session_keyring == pcred->session_keyring) {
1663                 ret = 0;
1664                 goto unlock;
1665         }
1666 
1667         /* the parent must have the same effective ownership and mustn't be
1668          * SUID/SGID */
1669         if (!uid_eq(pcred->uid,  mycred->euid) ||
1670             !uid_eq(pcred->euid, mycred->euid) ||
1671             !uid_eq(pcred->suid, mycred->euid) ||
1672             !gid_eq(pcred->gid,  mycred->egid) ||
1673             !gid_eq(pcred->egid, mycred->egid) ||
1674             !gid_eq(pcred->sgid, mycred->egid))
1675                 goto unlock;
1676 
1677         /* the keyrings must have the same UID */
1678         if ((pcred->session_keyring &&
1679              !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
1680             !uid_eq(mycred->session_keyring->uid, mycred->euid))
1681                 goto unlock;
1682 
1683         /* cancel an already pending keyring replacement */
1684         oldwork = task_work_cancel(parent, key_change_session_keyring);
1685 
1686         /* the replacement session keyring is applied just prior to userspace
1687          * restarting */
1688         ret = task_work_add(parent, newwork, true);
1689         if (!ret)
1690                 newwork = NULL;
1691 unlock:
1692         write_unlock_irq(&tasklist_lock);
1693         rcu_read_unlock();
1694         if (oldwork)
1695                 put_cred(container_of(oldwork, struct cred, rcu));
1696         if (newwork)
1697                 put_cred(cred);
1698         return ret;
1699 
1700 error_keyring:
1701         key_ref_put(keyring_r);
1702         return ret;
1703 }
1704 
1705 /*
1706  * Apply a restriction to a given keyring.
1707  *
1708  * The caller must have Setattr permission to change keyring restrictions.
1709  *
1710  * The requested type name may be a NULL pointer to reject all attempts
1711  * to link to the keyring.  In this case, _restriction must also be NULL.
1712  * Otherwise, both _type and _restriction must be non-NULL.
1713  *
1714  * Returns 0 if successful.
1715  */
1716 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
1717                              const char __user *_restriction)
1718 {
1719         key_ref_t key_ref;
1720         char type[32];
1721         char *restriction = NULL;
1722         long ret;
1723 
1724         key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
1725         if (IS_ERR(key_ref))
1726                 return PTR_ERR(key_ref);
1727 
1728         ret = -EINVAL;
1729         if (_type) {
1730                 if (!_restriction)
1731                         goto error;
1732 
1733                 ret = key_get_type_from_user(type, _type, sizeof(type));
1734                 if (ret < 0)
1735                         goto error;
1736 
1737                 restriction = strndup_user(_restriction, PAGE_SIZE);
1738                 if (IS_ERR(restriction)) {
1739                         ret = PTR_ERR(restriction);
1740                         goto error;
1741                 }
1742         } else {
1743                 if (_restriction)
1744                         goto error;
1745         }
1746 
1747         ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
1748         kfree(restriction);
1749 error:
1750         key_ref_put(key_ref);
1751         return ret;
1752 }
1753 
1754 /*
1755  * Get keyrings subsystem capabilities.
1756  */
1757 long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen)
1758 {
1759         size_t size = buflen;
1760 
1761         if (size > 0) {
1762                 if (size > sizeof(keyrings_capabilities))
1763                         size = sizeof(keyrings_capabilities);
1764                 if (copy_to_user(_buffer, keyrings_capabilities, size) != 0)
1765                         return -EFAULT;
1766                 if (size < buflen &&
1767                     clear_user(_buffer + size, buflen - size) != 0)
1768                         return -EFAULT;
1769         }
1770 
1771         return sizeof(keyrings_capabilities);
1772 }
1773 
1774 /*
1775  * The key control system call
1776  */
1777 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1778                 unsigned long, arg4, unsigned long, arg5)
1779 {
1780         switch (option) {
1781         case KEYCTL_GET_KEYRING_ID:
1782                 return keyctl_get_keyring_ID((key_serial_t) arg2,
1783                                              (int) arg3);
1784 
1785         case KEYCTL_JOIN_SESSION_KEYRING:
1786                 return keyctl_join_session_keyring((const char __user *) arg2);
1787 
1788         case KEYCTL_UPDATE:
1789                 return keyctl_update_key((key_serial_t) arg2,
1790                                          (const void __user *) arg3,
1791                                          (size_t) arg4);
1792 
1793         case KEYCTL_REVOKE:
1794                 return keyctl_revoke_key((key_serial_t) arg2);
1795 
1796         case KEYCTL_DESCRIBE:
1797                 return keyctl_describe_key((key_serial_t) arg2,
1798                                            (char __user *) arg3,
1799                                            (unsigned) arg4);
1800 
1801         case KEYCTL_CLEAR:
1802                 return keyctl_keyring_clear((key_serial_t) arg2);
1803 
1804         case KEYCTL_LINK:
1805                 return keyctl_keyring_link((key_serial_t) arg2,
1806                                            (key_serial_t) arg3);
1807 
1808         case KEYCTL_UNLINK:
1809                 return keyctl_keyring_unlink((key_serial_t) arg2,
1810                                              (key_serial_t) arg3);
1811 
1812         case KEYCTL_SEARCH:
1813                 return keyctl_keyring_search((key_serial_t) arg2,
1814                                              (const char __user *) arg3,
1815                                              (const char __user *) arg4,
1816                                              (key_serial_t) arg5);
1817 
1818         case KEYCTL_READ:
1819                 return keyctl_read_key((key_serial_t) arg2,
1820                                        (char __user *) arg3,
1821                                        (size_t) arg4);
1822 
1823         case KEYCTL_CHOWN:
1824                 return keyctl_chown_key((key_serial_t) arg2,
1825                                         (uid_t) arg3,
1826                                         (gid_t) arg4);
1827 
1828         case KEYCTL_SETPERM:
1829                 return keyctl_setperm_key((key_serial_t) arg2,
1830                                           (key_perm_t) arg3);
1831 
1832         case KEYCTL_INSTANTIATE:
1833                 return keyctl_instantiate_key((key_serial_t) arg2,
1834                                               (const void __user *) arg3,
1835                                               (size_t) arg4,
1836                                               (key_serial_t) arg5);
1837 
1838         case KEYCTL_NEGATE:
1839                 return keyctl_negate_key((key_serial_t) arg2,
1840                                          (unsigned) arg3,
1841                                          (key_serial_t) arg4);
1842 
1843         case KEYCTL_SET_REQKEY_KEYRING:
1844                 return keyctl_set_reqkey_keyring(arg2);
1845 
1846         case KEYCTL_SET_TIMEOUT:
1847                 return keyctl_set_timeout((key_serial_t) arg2,
1848                                           (unsigned) arg3);
1849 
1850         case KEYCTL_ASSUME_AUTHORITY:
1851                 return keyctl_assume_authority((key_serial_t) arg2);
1852 
1853         case KEYCTL_GET_SECURITY:
1854                 return keyctl_get_security((key_serial_t) arg2,
1855                                            (char __user *) arg3,
1856                                            (size_t) arg4);
1857 
1858         case KEYCTL_SESSION_TO_PARENT:
1859                 return keyctl_session_to_parent();
1860 
1861         case KEYCTL_REJECT:
1862                 return keyctl_reject_key((key_serial_t) arg2,
1863                                          (unsigned) arg3,
1864                                          (unsigned) arg4,
1865                                          (key_serial_t) arg5);
1866 
1867         case KEYCTL_INSTANTIATE_IOV:
1868                 return keyctl_instantiate_key_iov(
1869                         (key_serial_t) arg2,
1870                         (const struct iovec __user *) arg3,
1871                         (unsigned) arg4,
1872                         (key_serial_t) arg5);
1873 
1874         case KEYCTL_INVALIDATE:
1875                 return keyctl_invalidate_key((key_serial_t) arg2);
1876 
1877         case KEYCTL_GET_PERSISTENT:
1878                 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3);
1879 
1880         case KEYCTL_DH_COMPUTE:
1881                 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2,
1882                                          (char __user *) arg3, (size_t) arg4,
1883                                          (struct keyctl_kdf_params __user *) arg5);
1884 
1885         case KEYCTL_RESTRICT_KEYRING:
1886                 return keyctl_restrict_keyring((key_serial_t) arg2,
1887                                                (const char __user *) arg3,
1888                                                (const char __user *) arg4);
1889 
1890         case KEYCTL_PKEY_QUERY:
1891                 if (arg3 != 0)
1892                         return -EINVAL;
1893                 return keyctl_pkey_query((key_serial_t)arg2,
1894                                          (const char __user *)arg4,
1895                                          (struct keyctl_pkey_query __user *)arg5);
1896 
1897         case KEYCTL_PKEY_ENCRYPT:
1898         case KEYCTL_PKEY_DECRYPT:
1899         case KEYCTL_PKEY_SIGN:
1900                 return keyctl_pkey_e_d_s(
1901                         option,
1902                         (const struct keyctl_pkey_params __user *)arg2,
1903                         (const char __user *)arg3,
1904                         (const void __user *)arg4,
1905                         (void __user *)arg5);
1906 
1907         case KEYCTL_PKEY_VERIFY:
1908                 return keyctl_pkey_verify(
1909                         (const struct keyctl_pkey_params __user *)arg2,
1910                         (const char __user *)arg3,
1911                         (const void __user *)arg4,
1912                         (const void __user *)arg5);
1913 
1914         case KEYCTL_MOVE:
1915                 return keyctl_keyring_move((key_serial_t)arg2,
1916                                            (key_serial_t)arg3,
1917                                            (key_serial_t)arg4,
1918                                            (unsigned int)arg5);
1919 
1920         case KEYCTL_CAPABILITIES:
1921                 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3);
1922 
1923         default:
1924                 return -EOPNOTSUPP;
1925         }
1926 }
/* [<][>][^][v][top][bottom][index][help] */