| blob | 42defae1e161632e93b13b8194af1a30a09f2492 |
1 /* Manage a process's keyrings
2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <asm/uaccess.h>
24 /* Session keyring create vs join semaphore */
27 /* User keyring creation semaphore */
30 /* The root user's tracking struct */
38 };
40 /*
41 * Install the user and user session keyrings for the current process's UID.
42 */
44 {
48 key_perm_t user_keyring_perm;
51 uid_t uid;
63 }
69 /* get the UID-specific keyring
70 * - there may be one in existence already as it may have been
71 * pinned by a session, but the user_struct pointing to it
72 * may have been destroyed by setuid */
83 }
84 }
86 /* get a default session keyring (which might also exist
87 * already) */
92 session_keyring =
99 }
101 /* we install a link from the user session keyring to
102 * the user keyring */
106 }
108 /* install the keyrings */
111 }
117 error_release_both:
119 error_release:
121 error:
125 }
127 /*
128 * Install a fresh thread keyring directly to new credentials. This keyring is
129 * allowed to overrun the quota.
130 */
132 {
143 }
145 /*
146 * Install a fresh thread keyring, discarding the old one.
147 */
149 {
163 }
166 }
168 /*
169 * Install a process keyring directly to a credentials struct.
170 *
171 * Returns -EEXIST if there was already a process keyring, 0 if one installed,
172 * and other value on any other error
173 */
175 {
189 }
191 /*
192 * Make sure a process keyring is installed for the current process. The
193 * existing process keyring is not replaced.
194 *
195 * Returns 0 if there is a process keyring by the end of this function, some
196 * error otherwise.
197 */
199 {
211 }
214 }
216 /*
217 * Install a session keyring directly to a credentials struct.
218 */
220 {
226 /* create an empty session keyring */
239 }
241 /* install the keyring */
249 }
251 /*
252 * Install a session keyring, discarding the old one. If a keyring is not
253 * supplied, an empty one is invented.
254 */
256 {
268 }
271 }
273 /*
274 * Handle the fsuid changing.
275 */
277 {
278 /* update the ownership of the thread keyring */
284 }
285 }
287 /*
288 * Handle the fsgid changing.
289 */
291 {
292 /* update the ownership of the thread keyring */
298 }
299 }
301 /*
302 * Search the process keyrings attached to the supplied cred for the first
303 * matching key.
304 *
305 * The search criteria are the type and the match function. The description is
306 * given to the match function as a parameter, but doesn't otherwise influence
307 * the search. Typically the match function will compare the description
308 * parameter to the key's description.
309 *
310 * This can only search keyrings that grant Search permission to the supplied
311 * credentials. Keyrings linked to searched keyrings will also be searched if
312 * they grant Search permission too. Keys can only be found if they grant
313 * Search permission to the credentials.
314 *
315 * Returns a pointer to the key with the key usage count incremented if
316 * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
317 * matched negative keys.
318 *
319 * In the case of a successful return, the possession attribute is set on the
320 * returned key reference.
321 */
324 key_match_func_t match,
327 {
330 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
331 * searchable, but we failed to find a key or we found a negative key;
332 * otherwise we want to return a sample error (probably -EACCES) if
333 * none of the keyrings were searchable
334 *
335 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
336 */
341 /* search the thread keyring first */
357 }
358 }
360 /* search the process keyring second */
378 }
379 }
381 /* search the session keyring */
402 }
403 }
404 /* or search the user-session keyring */
422 }
423 }
425 /* no key - decide on the error we're going to go for */
428 found:
430 }
432 /*
433 * Search the process keyrings attached to the supplied cred for the first
434 * matching key in the manner of search_my_process_keyrings(), but also search
435 * the keys attached to the assumed authorisation key using its credentials if
436 * one is available.
437 *
438 * Return same as search_my_process_keyrings().
439 */
442 key_match_func_t match,
444 {
456 /* if this process has an instantiation authorisation key, then we also
457 * search the keyrings of the process mentioned there
458 * - we don't permit access to request_key auth keys via this method
459 */
462 type != &key_type_request_key_auth
463 ) {
464 /* defend against the auth key being revoked */
481 }
482 }
484 /* no key - decide on the error we're going to go for */
489 else
492 found:
494 }
496 /*
497 * See if the key we're looking at is the target key.
498 */
500 {
502 }
504 /*
505 * Look up a key ID given us by userspace with a given permissions mask to get
506 * the key it refers to.
507 *
508 * Flags can be passed to request that special keyrings be created if referred
509 * to directly, to permit partially constructed keys to be found and to skip
510 * validity and permission checks on the found key.
511 *
512 * Returns a pointer to the key with an incremented usage count if successful;
513 * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
514 * to a key or the best found key was a negative key; -EKEYREVOKED or
515 * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
516 * found key doesn't grant the requested permit or the LSM denied access to it;
517 * or -ENOMEM if a special keyring couldn't be created.
518 *
519 * In the case of a successful return, the possession attribute is set on the
520 * returned key reference.
521 */
523 key_perm_t perm)
524 {
531 try_again:
545 }
547 }
563 }
565 }
574 /* always install a session keyring upon access if one
575 * doesn't exist yet */
581 else
595 }
609 }
621 }
629 /* group keyrings are not yet supported */
655 }
671 }
675 /* check to see if we possess the key */
677 lookup_user_key_possessed,
678 cred);
683 }
686 }
688 /* unlink does not use the nominated key in any way, so can skip all
689 * the permission checks as it is only concerned with the keyring */
693 }
705 }
710 }
717 /* check the permissions */
724 error:
728 invalid_key:
733 /* if we attempted to install a keyring, then it may have caused new
734 * creds to be installed */
735 reget_creds:
738 }
740 /*
741 * Join the named keyring as the session keyring if possible else attempt to
742 * create a new one of that name and join that.
743 *
744 * If the name is NULL, an empty anonymous keyring will be installed as the
745 * session keyring.
746 *
747 * Named session keyrings are joined with a semaphore held to prevent the
748 * keyrings from going away whilst the attempt is made to going them and also
749 * to prevent a race in creating compatible session keyrings.
750 */
752 {
763 /* if no name is provided, install an anonymous keyring */
774 }
776 /* allow the user to join or create a named keyring */
779 /* look for an existing keyring of this name */
782 /* not found - try and create a new one */
790 }
797 }
799 /* we've got a keyring - now to install it */
809 okay:
812 error2:
814 error:
817 }
819 /*
820 * Replace a process's session keyring on behalf of one of its children when
821 * the target process is about to resume userspace execution.
822 */
824 {
831 }
858 }