1 /* keyctl.c: userspace keyctl operations
3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/syscalls.h>
17 #include <linux/keyctl.h>
19 #include <linux/err.h>
20 #include <asm/uaccess.h>
23 /*****************************************************************************/
25 * extract the description of a new key from userspace and either add it as a
26 * new key to the specified keyring or update a matching key in that keyring
27 * - the keyring must be writable
28 * - returns the new key's serial number
29 * - implements add_key()
31 asmlinkage
long sys_add_key(const char __user
*_type
,
32 const char __user
*_description
,
33 const void __user
*_payload
,
37 struct key
*keyring
, *key
;
38 char type
[32], *description
;
46 /* draw all the data into kernel space */
47 ret
= strncpy_from_user(type
, _type
, sizeof(type
) - 1);
60 dlen
= strnlen_user(_description
, PAGE_SIZE
- 1);
65 if (dlen
> PAGE_SIZE
- 1)
69 description
= kmalloc(dlen
+ 1, GFP_KERNEL
);
74 if (copy_from_user(description
, _description
, dlen
+ 1) != 0)
77 /* pull the payload in if one was supplied */
82 payload
= kmalloc(plen
, GFP_KERNEL
);
87 if (copy_from_user(payload
, _payload
, plen
) != 0)
91 /* find the target keyring (which must be writable) */
92 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
93 if (IS_ERR(keyring
)) {
94 ret
= PTR_ERR(keyring
);
98 /* create or update the requested key and add it to the target
100 key
= key_create_or_update(keyring
, type
, description
,
118 } /* end sys_add_key() */
120 /*****************************************************************************/
122 * search the process keyrings for a matching key
123 * - nested keyrings may also be searched if they have Search permission
124 * - if a key is found, it will be attached to the destination keyring if
125 * there's one specified
126 * - /sbin/request-key will be invoked if _callout_info is non-NULL
127 * - the _callout_info string will be passed to /sbin/request-key
128 * - if the _callout_info string is empty, it will be rendered as "-"
129 * - implements request_key()
131 asmlinkage
long sys_request_key(const char __user
*_type
,
132 const char __user
*_description
,
133 const char __user
*_callout_info
,
134 key_serial_t destringid
)
136 struct key_type
*ktype
;
137 struct key
*key
, *dest
;
138 char type
[32], *description
, *callout_info
;
141 /* pull the type into kernel space */
142 ret
= strncpy_from_user(type
, _type
, sizeof(type
) - 1);
147 /* pull the description into kernel space */
149 dlen
= strnlen_user(_description
, PAGE_SIZE
- 1);
154 if (dlen
> PAGE_SIZE
- 1)
158 description
= kmalloc(dlen
+ 1, GFP_KERNEL
);
163 if (copy_from_user(description
, _description
, dlen
+ 1) != 0)
166 /* pull the callout info into kernel space */
170 dlen
= strnlen_user(_callout_info
, PAGE_SIZE
- 1);
175 if (dlen
> PAGE_SIZE
- 1)
179 callout_info
= kmalloc(dlen
+ 1, GFP_KERNEL
);
184 if (copy_from_user(callout_info
, _callout_info
, dlen
+ 1) != 0)
188 /* get the destination keyring if specified */
191 dest
= lookup_user_key(NULL
, destringid
, 1, 0, KEY_WRITE
);
198 /* find the key type */
199 ktype
= key_type_lookup(type
);
201 ret
= PTR_ERR(ktype
);
206 key
= request_key_and_link(ktype
, description
, callout_info
, dest
);
226 } /* end sys_request_key() */
228 /*****************************************************************************/
230 * get the ID of the specified process keyring
231 * - the keyring must have search permission to be found
232 * - implements keyctl(KEYCTL_GET_KEYRING_ID)
234 long keyctl_get_keyring_ID(key_serial_t id
, int create
)
239 key
= lookup_user_key(NULL
, id
, create
, 0, KEY_SEARCH
);
250 } /* end keyctl_get_keyring_ID() */
252 /*****************************************************************************/
254 * join the session keyring
255 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)
257 long keyctl_join_session_keyring(const char __user
*_name
)
262 /* fetch the name from userspace */
266 nlen
= strnlen_user(_name
, PAGE_SIZE
- 1);
271 if (nlen
> PAGE_SIZE
- 1)
275 name
= kmalloc(nlen
+ 1, GFP_KERNEL
);
280 if (copy_from_user(name
, _name
, nlen
+ 1) != 0)
284 /* join the session */
285 ret
= join_session_keyring(name
);
292 } /* end keyctl_join_session_keyring() */
294 /*****************************************************************************/
296 * update a key's data payload
297 * - the key must be writable
298 * - implements keyctl(KEYCTL_UPDATE)
300 long keyctl_update_key(key_serial_t id
,
301 const void __user
*_payload
,
309 if (plen
> PAGE_SIZE
)
312 /* pull the payload in if one was supplied */
316 payload
= kmalloc(plen
, GFP_KERNEL
);
321 if (copy_from_user(payload
, _payload
, plen
) != 0)
325 /* find the target key (which must be writable) */
326 key
= lookup_user_key(NULL
, id
, 0, 0, KEY_WRITE
);
333 ret
= key_update(key
, payload
, plen
);
341 } /* end keyctl_update_key() */
343 /*****************************************************************************/
346 * - the key must be writable
347 * - implements keyctl(KEYCTL_REVOKE)
349 long keyctl_revoke_key(key_serial_t id
)
354 key
= lookup_user_key(NULL
, id
, 0, 0, KEY_WRITE
);
367 } /* end keyctl_revoke_key() */
369 /*****************************************************************************/
371 * clear the specified process keyring
372 * - the keyring must be writable
373 * - implements keyctl(KEYCTL_CLEAR)
375 long keyctl_keyring_clear(key_serial_t ringid
)
380 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
381 if (IS_ERR(keyring
)) {
382 ret
= PTR_ERR(keyring
);
386 ret
= keyring_clear(keyring
);
392 } /* end keyctl_keyring_clear() */
394 /*****************************************************************************/
396 * link a key into a keyring
397 * - the keyring must be writable
398 * - the key must be linkable
399 * - implements keyctl(KEYCTL_LINK)
401 long keyctl_keyring_link(key_serial_t id
, key_serial_t ringid
)
403 struct key
*keyring
, *key
;
406 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
407 if (IS_ERR(keyring
)) {
408 ret
= PTR_ERR(keyring
);
412 key
= lookup_user_key(NULL
, id
, 1, 0, KEY_LINK
);
418 ret
= key_link(keyring
, key
);
426 } /* end keyctl_keyring_link() */
428 /*****************************************************************************/
430 * unlink the first attachment of a key from a keyring
431 * - the keyring must be writable
432 * - we don't need any permissions on the key
433 * - implements keyctl(KEYCTL_UNLINK)
435 long keyctl_keyring_unlink(key_serial_t id
, key_serial_t ringid
)
437 struct key
*keyring
, *key
;
440 keyring
= lookup_user_key(NULL
, ringid
, 0, 0, KEY_WRITE
);
441 if (IS_ERR(keyring
)) {
442 ret
= PTR_ERR(keyring
);
446 key
= lookup_user_key(NULL
, id
, 0, 0, 0);
452 ret
= key_unlink(keyring
, key
);
460 } /* end keyctl_keyring_unlink() */
462 /*****************************************************************************/
464 * describe a user key
465 * - the key must have view permission
466 * - if there's a buffer, we place up to buflen bytes of data into it
467 * - unless there's an error, we return the amount of description available,
468 * irrespective of how much we may have copied
469 * - the description is formatted thus:
470 * type;uid;gid;perm;description<NUL>
471 * - implements keyctl(KEYCTL_DESCRIBE)
473 long keyctl_describe_key(key_serial_t keyid
,
477 struct key
*key
, *instkey
;
481 key
= lookup_user_key(NULL
, keyid
, 0, 1, KEY_VIEW
);
483 /* viewing a key under construction is permitted if we have the
484 * authorisation token handy */
485 if (PTR_ERR(key
) == -EACCES
) {
486 instkey
= key_get_instantiation_authkey(keyid
);
487 if (!IS_ERR(instkey
)) {
489 key
= lookup_user_key(NULL
, keyid
, 0, 1, 0);
500 /* calculate how much description we're going to return */
502 tmpbuf
= kmalloc(PAGE_SIZE
, GFP_KERNEL
);
506 ret
= snprintf(tmpbuf
, PAGE_SIZE
- 1,
512 key
->description
? key
->description
:""
515 /* include a NUL char at the end of the data */
516 if (ret
> PAGE_SIZE
- 1)
521 /* consider returning the data */
522 if (buffer
&& buflen
> 0) {
526 if (copy_to_user(buffer
, tmpbuf
, buflen
) != 0)
536 } /* end keyctl_describe_key() */
538 /*****************************************************************************/
540 * search the specified keyring for a matching key
541 * - the start keyring must be searchable
542 * - nested keyrings may also be searched if they are searchable
543 * - only keys with search permission may be found
544 * - if a key is found, it will be attached to the destination keyring if
545 * there's one specified
546 * - implements keyctl(KEYCTL_SEARCH)
548 long keyctl_keyring_search(key_serial_t ringid
,
549 const char __user
*_type
,
550 const char __user
*_description
,
551 key_serial_t destringid
)
553 struct key_type
*ktype
;
554 struct key
*keyring
, *key
, *dest
;
555 char type
[32], *description
;
558 /* pull the type and description into kernel space */
559 ret
= strncpy_from_user(type
, _type
, sizeof(type
) - 1);
565 dlen
= strnlen_user(_description
, PAGE_SIZE
- 1);
570 if (dlen
> PAGE_SIZE
- 1)
574 description
= kmalloc(dlen
+ 1, GFP_KERNEL
);
579 if (copy_from_user(description
, _description
, dlen
+ 1) != 0)
582 /* get the keyring at which to begin the search */
583 keyring
= lookup_user_key(NULL
, ringid
, 0, 0, KEY_SEARCH
);
584 if (IS_ERR(keyring
)) {
585 ret
= PTR_ERR(keyring
);
589 /* get the destination keyring if specified */
592 dest
= lookup_user_key(NULL
, destringid
, 1, 0, KEY_WRITE
);
599 /* find the key type */
600 ktype
= key_type_lookup(type
);
602 ret
= PTR_ERR(ktype
);
607 key
= keyring_search(keyring
, ktype
, description
);
611 /* treat lack or presence of a negative key the same */
617 /* link the resulting key to the destination keyring if we can */
620 if (!key_permission(key
, KEY_LINK
))
623 ret
= key_link(dest
, key
);
643 } /* end keyctl_keyring_search() */
645 /*****************************************************************************/
647 * see if the key we're looking at is the target key
649 static int keyctl_read_key_same(const struct key
*key
, const void *target
)
651 return key
== target
;
653 } /* end keyctl_read_key_same() */
655 /*****************************************************************************/
657 * read a user key's payload
658 * - the keyring must be readable or the key must be searchable from the
660 * - if there's a buffer, we place up to buflen bytes of data into it
661 * - unless there's an error, we return the amount of data in the key,
662 * irrespective of how much we may have copied
663 * - implements keyctl(KEYCTL_READ)
665 long keyctl_read_key(key_serial_t keyid
, char __user
*buffer
, size_t buflen
)
667 struct key
*key
, *skey
;
670 /* find the key first */
671 key
= lookup_user_key(NULL
, keyid
, 0, 0, 0);
673 /* see if we can read it directly */
674 if (key_permission(key
, KEY_READ
))
677 /* we can't; see if it's searchable from this process's
679 * - we automatically take account of the fact that it may be
680 * dangling off an instantiation key
682 skey
= search_process_keyrings(key
->type
, key
,
683 keyctl_read_key_same
, current
);
694 /* the key is probably readable - now try to read it */
698 ret
= key_validate(key
);
701 if (key
->type
->read
) {
702 /* read the data with the semaphore held (since we
704 down_read(&key
->sem
);
705 ret
= key
->type
->read(key
, buffer
, buflen
);
715 } /* end keyctl_read_key() */
717 /*****************************************************************************/
719 * change the ownership of a key
720 * - the keyring owned by the changer
721 * - if the uid or gid is -1, then that parameter is not changed
722 * - implements keyctl(KEYCTL_CHOWN)
724 long keyctl_chown_key(key_serial_t id
, uid_t uid
, gid_t gid
)
730 if (uid
== (uid_t
) -1 && gid
== (gid_t
) -1)
733 key
= lookup_user_key(NULL
, id
, 1, 1, 0);
739 /* make the changes with the locks held to prevent chown/chown races */
741 down_write(&key
->sem
);
743 if (!capable(CAP_SYS_ADMIN
)) {
744 /* only the sysadmin can chown a key to some other UID */
745 if (uid
!= (uid_t
) -1 && key
->uid
!= uid
)
748 /* only the sysadmin can set the key's GID to a group other
749 * than one of those that the current process subscribes to */
750 if (gid
!= (gid_t
) -1 && gid
!= key
->gid
&& !in_group_p(gid
))
754 /* change the UID (have to update the quotas) */
755 if (uid
!= (uid_t
) -1 && uid
!= key
->uid
) {
756 /* don't support UID changing yet */
762 if (gid
!= (gid_t
) -1)
773 } /* end keyctl_chown_key() */
775 /*****************************************************************************/
777 * change the permission mask on a key
778 * - the keyring owned by the changer
779 * - implements keyctl(KEYCTL_SETPERM)
781 long keyctl_setperm_key(key_serial_t id
, key_perm_t perm
)
787 if (perm
& ~(KEY_USR_ALL
| KEY_GRP_ALL
| KEY_OTH_ALL
))
790 key
= lookup_user_key(NULL
, id
, 1, 1, 0);
796 /* make the changes with the locks held to prevent chown/chmod races */
798 down_write(&key
->sem
);
800 /* if we're not the sysadmin, we can only change a key that we own */
801 if (capable(CAP_SYS_ADMIN
) || key
->uid
== current
->fsuid
) {
811 } /* end keyctl_setperm_key() */
813 /*****************************************************************************/
815 * instantiate the key with the specified payload, and, if one is given, link
816 * the key into the keyring
818 long keyctl_instantiate_key(key_serial_t id
,
819 const void __user
*_payload
,
823 struct request_key_auth
*rka
;
824 struct key
*instkey
, *keyring
;
832 /* pull the payload in if one was supplied */
837 payload
= kmalloc(plen
, GFP_KERNEL
);
842 if (copy_from_user(payload
, _payload
, plen
) != 0)
846 /* find the instantiation authorisation key */
847 instkey
= key_get_instantiation_authkey(id
);
848 if (IS_ERR(instkey
)) {
849 ret
= PTR_ERR(instkey
);
853 rka
= instkey
->payload
.data
;
855 /* find the destination keyring amongst those belonging to the
859 keyring
= lookup_user_key(rka
->context
, ringid
, 1, 0,
861 if (IS_ERR(keyring
)) {
862 ret
= PTR_ERR(keyring
);
867 /* instantiate the key and link it into a keyring */
868 ret
= key_instantiate_and_link(rka
->target_key
, payload
, plen
,
879 } /* end keyctl_instantiate_key() */
881 /*****************************************************************************/
883 * negatively instantiate the key with the given timeout (in seconds), and, if
884 * one is given, link the key into the keyring
886 long keyctl_negate_key(key_serial_t id
, unsigned timeout
, key_serial_t ringid
)
888 struct request_key_auth
*rka
;
889 struct key
*instkey
, *keyring
;
892 /* find the instantiation authorisation key */
893 instkey
= key_get_instantiation_authkey(id
);
894 if (IS_ERR(instkey
)) {
895 ret
= PTR_ERR(instkey
);
899 rka
= instkey
->payload
.data
;
901 /* find the destination keyring if present (which must also be
905 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
906 if (IS_ERR(keyring
)) {
907 ret
= PTR_ERR(keyring
);
912 /* instantiate the key and link it into a keyring */
913 ret
= key_negate_and_link(rka
->target_key
, timeout
, keyring
, instkey
);
921 } /* end keyctl_negate_key() */
923 /*****************************************************************************/
925 * set the default keyring in which request_key() will cache keys
926 * - return the old setting
928 long keyctl_set_reqkey_keyring(int reqkey_defl
)
932 switch (reqkey_defl
) {
933 case KEY_REQKEY_DEFL_THREAD_KEYRING
:
934 ret
= install_thread_keyring(current
);
939 case KEY_REQKEY_DEFL_PROCESS_KEYRING
:
940 ret
= install_process_keyring(current
);
944 case KEY_REQKEY_DEFL_DEFAULT
:
945 case KEY_REQKEY_DEFL_SESSION_KEYRING
:
946 case KEY_REQKEY_DEFL_USER_KEYRING
:
947 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING
:
949 current
->jit_keyring
= reqkey_defl
;
951 case KEY_REQKEY_DEFL_NO_CHANGE
:
952 return current
->jit_keyring
;
954 case KEY_REQKEY_DEFL_GROUP_KEYRING
:
959 } /* end keyctl_set_reqkey_keyring() */
961 /*****************************************************************************/
963 * the key control system call
965 asmlinkage
long sys_keyctl(int option
, unsigned long arg2
, unsigned long arg3
,
966 unsigned long arg4
, unsigned long arg5
)
969 case KEYCTL_GET_KEYRING_ID
:
970 return keyctl_get_keyring_ID((key_serial_t
) arg2
,
973 case KEYCTL_JOIN_SESSION_KEYRING
:
974 return keyctl_join_session_keyring((const char __user
*) arg2
);
977 return keyctl_update_key((key_serial_t
) arg2
,
978 (const void __user
*) arg3
,
982 return keyctl_revoke_key((key_serial_t
) arg2
);
984 case KEYCTL_DESCRIBE
:
985 return keyctl_describe_key((key_serial_t
) arg2
,
986 (char __user
*) arg3
,
990 return keyctl_keyring_clear((key_serial_t
) arg2
);
993 return keyctl_keyring_link((key_serial_t
) arg2
,
994 (key_serial_t
) arg3
);
997 return keyctl_keyring_unlink((key_serial_t
) arg2
,
998 (key_serial_t
) arg3
);
1001 return keyctl_keyring_search((key_serial_t
) arg2
,
1002 (const char __user
*) arg3
,
1003 (const char __user
*) arg4
,
1004 (key_serial_t
) arg5
);
1007 return keyctl_read_key((key_serial_t
) arg2
,
1008 (char __user
*) arg3
,
1012 return keyctl_chown_key((key_serial_t
) arg2
,
1016 case KEYCTL_SETPERM
:
1017 return keyctl_setperm_key((key_serial_t
) arg2
,
1020 case KEYCTL_INSTANTIATE
:
1021 return keyctl_instantiate_key((key_serial_t
) arg2
,
1022 (const void __user
*) arg3
,
1024 (key_serial_t
) arg5
);
1027 return keyctl_negate_key((key_serial_t
) arg2
,
1029 (key_serial_t
) arg4
);
1031 case KEYCTL_SET_REQKEY_KEYRING
:
1032 return keyctl_set_reqkey_keyring(arg2
);
1038 } /* end sys_keyctl() */