| blob | 1bb4d7e5d61694a6b8c01ba47f8432dcd37c828e |
1 /* Task credentials management - see Documentation/credentials.txt
2 *
3 * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11 #include <linux/module.h>
12 #include <linux/cred.h>
13 #include <linux/sched.h>
14 #include <linux/key.h>
15 #include <linux/keyctl.h>
16 #include <linux/init_task.h>
17 #include <linux/security.h>
18 #include <linux/cn_proc.h>
23 /*
24 * The common credentials for the initial task's thread group
25 */
26 #ifdef CONFIG_KEYS
31 };
32 #endif
34 /*
35 * The initial credentials for the initial task
36 */
46 #ifdef CONFIG_KEYS
48 #endif
49 };
51 /*
52 * Dispose of the shared task group credentials
53 */
54 #ifdef CONFIG_KEYS
56 {
65 }
66 #endif
68 /*
69 * Release a set of thread group credentials.
70 */
72 {
73 #ifdef CONFIG_KEYS
78 #endif
79 }
81 /*
82 * The RCU callback to actually dispose of a set of credentials
83 */
85 {
99 }
101 /**
102 * __put_cred - Destroy a set of credentials
103 * @cred: The record to release
104 *
105 * Destroy a set of credentials on which no references remain.
106 */
108 {
112 }
115 /**
116 * prepare_creds - Prepare a new set of credentials for modification
117 *
118 * Prepare a new set of task credentials for modification. A task's creds
119 * shouldn't generally be modified directly, therefore this function is used to
120 * prepare a new copy, which the caller then modifies and then commits by
121 * calling commit_creds().
122 *
123 * Preparation involves making a copy of the objective creds for modification.
124 *
125 * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
126 *
127 * Call commit_creds() or abort_creds() to clean up.
128 */
130 {
148 #ifdef CONFIG_KEYS
152 #endif
154 #ifdef CONFIG_SECURITY
156 #endif
162 error:
165 }
168 /*
169 * Prepare credentials for current to perform an execve()
170 * - The caller must hold current->cred_guard_mutex
171 */
173 {
177 #ifdef CONFIG_KEYS
181 #endif
187 }
189 #ifdef CONFIG_KEYS
190 /* newly exec'd tasks don't get a thread keyring */
194 /* create a new per-thread-group creds for all this set of threads to
195 * share */
201 /* inherit the session keyring; new process keyring */
207 #endif
210 }
212 /*
213 * prepare new credentials for the usermode helper dispatcher
214 */
216 {
217 #ifdef CONFIG_KEYS
219 #endif
222 #ifdef CONFIG_KEYS
226 #endif
238 #ifdef CONFIG_KEYS
246 #endif
248 #ifdef CONFIG_SECURITY
250 #endif
257 error:
260 }
262 /*
263 * Copy credentials for the new process created by fork()
264 *
265 * We share if we can, but under some circumstances we have to generate a new
266 * set.
267 *
268 * The new process gets the current process's subjective credentials as its
269 * objective and subjective credentials
270 */
272 {
273 #ifdef CONFIG_KEYS
275 #endif
282 #ifdef CONFIG_KEYS
284 #endif
285 clone_flags & CLONE_THREAD
286 ) {
291 }
301 }
303 #ifdef CONFIG_KEYS
304 /* new threads get their own thread keyrings if their parent already
305 * had one */
311 }
313 /* we share the process and session keyrings between all the threads in
314 * a process - this is slightly icky as we violate COW credentials a
315 * bit */
321 }
329 }
330 #endif
336 error_put:
339 }
341 /**
342 * commit_creds - Install new credentials upon the current task
343 * @new: The credentials to be assigned
344 *
345 * Install a new set of credentials to the current task, using RCU to replace
346 * the old set. Both the objective and the subjective credentials pointers are
347 * updated. This function may not be called if the subjective credentials are
348 * in an overridden state.
349 *
350 * This function eats the caller's reference to the new credentials.
351 *
352 * Always returns 0 thus allowing this function to be tail-called at the end
353 * of, say, sys_setgid().
354 */
356 {
369 /* dumpability changes */
379 }
381 /* alter the thread keyring */
387 /* do it
388 * - What if a process setreuid()'s and this brings the
389 * new uid over his NPROC rlimit? We can check this now
390 * cheaply with the new uid cache, so if it matters
391 * we should be checking for it. -DaveM
392 */
402 /* send notifications */
415 /* release the old obj and subj refs both */
419 }
422 /**
423 * abort_creds - Discard a set of credentials and unlock the current task
424 * @new: The credentials that were going to be applied
425 *
426 * Discard a set of credentials that were under construction and unlock the
427 * current task.
428 */
430 {
433 }
436 /**
437 * override_creds - Override the current process's subjective credentials
438 * @new: The credentials to be assigned
439 *
440 * Install a set of temporary override subjective credentials on the current
441 * process, returning the old set for later reversion.
442 */
444 {
449 }
452 /**
453 * revert_creds - Revert a temporary subjective credentials override
454 * @old: The credentials to be restored
455 *
456 * Revert a temporary set of override subjective credentials to an old set,
457 * discarding the override set.
458 */
460 {
465 }
468 /*
469 * initialise the credentials stuff
470 */
472 {
473 /* allocate a slab in which we can store credentials */
476 }
478 /**
479 * prepare_kernel_cred - Prepare a set of credentials for a kernel service
480 * @daemon: A userspace daemon to be used as a reference
481 *
482 * Prepare a set of credentials for a kernel service. This can then be used to
483 * override a task's own credentials so that work can be done on behalf of that
484 * task that requires a different subjective context.
485 *
486 * @daemon is used to provide a base for the security record, but can be NULL.
487 * If @daemon is supplied, then the security data will be derived from that;
488 * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
489 *
490 * The caller may change these controls afterwards if desired.
491 *
492 * Returns the new credentials or NULL if out of memory.
493 *
494 * Does not take, and does not return holding current->cred_replace_mutex.
495 */
497 {
507 else
514 #ifdef CONFIG_KEYS
520 #endif
522 #ifdef CONFIG_SECURITY
524 #endif
532 error:
536 }
539 /**
540 * set_security_override - Set the security ID in a set of credentials
541 * @new: The credentials to alter
542 * @secid: The LSM security ID to set
543 *
544 * Set the LSM security ID in a set of credentials so that the subjective
545 * security is overridden when an alternative set of credentials is used.
546 */
548 {
550 }
553 /**
554 * set_security_override_from_ctx - Set the security ID in a set of credentials
555 * @new: The credentials to alter
556 * @secctx: The LSM security context to generate the security ID from.
557 *
558 * Set the LSM security ID in a set of credentials so that the subjective
559 * security is overridden when an alternative set of credentials is used. The
560 * security ID is specified in string form as a security context to be
561 * interpreted by the LSM.
562 */
564 {
565 u32 secid;
573 }
576 /**
577 * set_create_files_as - Set the LSM file create context in a set of credentials
578 * @new: The credentials to alter
579 * @inode: The inode to take the context from
580 *
581 * Change the LSM file creation context in a set of credentials to be the same
582 * as the object context of the specified inode, so that the new inodes have
583 * the same MAC context as that inode.
584 */
586 {
590 }