keys: don't generate user and user session keyrings unless they're accessed
[linux-2.6.git] / security / keys / process_keys.c
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/keyctl.h>
17 #include <linux/fs.h>
18 #include <linux/err.h>
19 #include <linux/mutex.h>
20 #include <asm/uaccess.h>
21 #include "internal.h"
22
23 /* session keyring create vs join semaphore */
24 static DEFINE_MUTEX(key_session_mutex);
25
26 /* user keyring creation semaphore */
27 static DEFINE_MUTEX(key_user_keyring_mutex);
28
29 /* the root user's tracking struct */
30 struct key_user root_key_user = {
31         .usage          = ATOMIC_INIT(3),
32         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
33         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
34         .nkeys          = ATOMIC_INIT(2),
35         .nikeys         = ATOMIC_INIT(2),
36         .uid            = 0,
37 };
38
39 /*****************************************************************************/
40 /*
41  * install user and user session keyrings for a particular UID
42  */
43 static int install_user_keyrings(struct task_struct *tsk)
44 {
45         struct user_struct *user = tsk->user;
46         struct key *uid_keyring, *session_keyring;
47         char buf[20];
48         int ret;
49
50         kenter("%p{%u}", user, user->uid);
51
52         if (user->uid_keyring) {
53                 kleave(" = 0 [exist]");
54                 return 0;
55         }
56
57         mutex_lock(&key_user_keyring_mutex);
58         ret = 0;
59
60         if (!user->uid_keyring) {
61                 /* get the UID-specific keyring
62                  * - there may be one in existence already as it may have been
63                  *   pinned by a session, but the user_struct pointing to it
64                  *   may have been destroyed by setuid */
65                 sprintf(buf, "_uid.%u", user->uid);
66
67                 uid_keyring = find_keyring_by_name(buf, true);
68                 if (IS_ERR(uid_keyring)) {
69                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
70                                                     tsk, KEY_ALLOC_IN_QUOTA,
71                                                     NULL);
72                         if (IS_ERR(uid_keyring)) {
73                                 ret = PTR_ERR(uid_keyring);
74                                 goto error;
75                         }
76                 }
77
78                 /* get a default session keyring (which might also exist
79                  * already) */
80                 sprintf(buf, "_uid_ses.%u", user->uid);
81
82                 session_keyring = find_keyring_by_name(buf, true);
83                 if (IS_ERR(session_keyring)) {
84                         session_keyring =
85                                 keyring_alloc(buf, user->uid, (gid_t) -1,
86                                               tsk, KEY_ALLOC_IN_QUOTA, NULL);
87                         if (IS_ERR(session_keyring)) {
88                                 ret = PTR_ERR(session_keyring);
89                                 goto error_release;
90                         }
91
92                         /* we install a link from the user session keyring to
93                          * the user keyring */
94                         ret = key_link(session_keyring, uid_keyring);
95                         if (ret < 0)
96                                 goto error_release_both;
97                 }
98
99                 /* install the keyrings */
100                 user->uid_keyring = uid_keyring;
101                 user->session_keyring = session_keyring;
102         }
103
104         mutex_unlock(&key_user_keyring_mutex);
105         kleave(" = 0");
106         return 0;
107
108 error_release_both:
109         key_put(session_keyring);
110 error_release:
111         key_put(uid_keyring);
112 error:
113         mutex_unlock(&key_user_keyring_mutex);
114         kleave(" = %d", ret);
115         return ret;
116 }
117
118 /*****************************************************************************/
119 /*
120  * deal with the UID changing
121  */
122 void switch_uid_keyring(struct user_struct *new_user)
123 {
124 #if 0 /* do nothing for now */
125         struct key *old;
126
127         /* switch to the new user's session keyring if we were running under
128          * root's default session keyring */
129         if (new_user->uid != 0 &&
130             current->session_keyring == &root_session_keyring
131             ) {
132                 atomic_inc(&new_user->session_keyring->usage);
133
134                 task_lock(current);
135                 old = current->session_keyring;
136                 current->session_keyring = new_user->session_keyring;
137                 task_unlock(current);
138
139                 key_put(old);
140         }
141 #endif
142
143 } /* end switch_uid_keyring() */
144
145 /*****************************************************************************/
146 /*
147  * install a fresh thread keyring, discarding the old one
148  */
149 int install_thread_keyring(struct task_struct *tsk)
150 {
151         struct key *keyring, *old;
152         char buf[20];
153         int ret;
154
155         sprintf(buf, "_tid.%u", tsk->pid);
156
157         keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
158                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
159         if (IS_ERR(keyring)) {
160                 ret = PTR_ERR(keyring);
161                 goto error;
162         }
163
164         task_lock(tsk);
165         old = tsk->thread_keyring;
166         tsk->thread_keyring = keyring;
167         task_unlock(tsk);
168
169         ret = 0;
170
171         key_put(old);
172 error:
173         return ret;
174
175 } /* end install_thread_keyring() */
176
177 /*****************************************************************************/
178 /*
179  * make sure a process keyring is installed
180  */
181 int install_process_keyring(struct task_struct *tsk)
182 {
183         struct key *keyring;
184         char buf[20];
185         int ret;
186
187         might_sleep();
188
189         if (!tsk->signal->process_keyring) {
190                 sprintf(buf, "_pid.%u", tsk->tgid);
191
192                 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
193                                         KEY_ALLOC_QUOTA_OVERRUN, NULL);
194                 if (IS_ERR(keyring)) {
195                         ret = PTR_ERR(keyring);
196                         goto error;
197                 }
198
199                 /* attach keyring */
200                 spin_lock_irq(&tsk->sighand->siglock);
201                 if (!tsk->signal->process_keyring) {
202                         tsk->signal->process_keyring = keyring;
203                         keyring = NULL;
204                 }
205                 spin_unlock_irq(&tsk->sighand->siglock);
206
207                 key_put(keyring);
208         }
209
210         ret = 0;
211 error:
212         return ret;
213
214 } /* end install_process_keyring() */
215
216 /*****************************************************************************/
217 /*
218  * install a session keyring, discarding the old one
219  * - if a keyring is not supplied, an empty one is invented
220  */
221 static int install_session_keyring(struct task_struct *tsk,
222                                    struct key *keyring)
223 {
224         unsigned long flags;
225         struct key *old;
226         char buf[20];
227
228         might_sleep();
229
230         /* create an empty session keyring */
231         if (!keyring) {
232                 sprintf(buf, "_ses.%u", tsk->tgid);
233
234                 flags = KEY_ALLOC_QUOTA_OVERRUN;
235                 if (tsk->signal->session_keyring)
236                         flags = KEY_ALLOC_IN_QUOTA;
237
238                 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
239                                         flags, NULL);
240                 if (IS_ERR(keyring))
241                         return PTR_ERR(keyring);
242         }
243         else {
244                 atomic_inc(&keyring->usage);
245         }
246
247         /* install the keyring */
248         spin_lock_irq(&tsk->sighand->siglock);
249         old = tsk->signal->session_keyring;
250         rcu_assign_pointer(tsk->signal->session_keyring, keyring);
251         spin_unlock_irq(&tsk->sighand->siglock);
252
253         /* we're using RCU on the pointer, but there's no point synchronising
254          * on it if it didn't previously point to anything */
255         if (old) {
256                 synchronize_rcu();
257                 key_put(old);
258         }
259
260         return 0;
261
262 } /* end install_session_keyring() */
263
264 /*****************************************************************************/
265 /*
266  * copy the keys in a thread group for fork without CLONE_THREAD
267  */
268 int copy_thread_group_keys(struct task_struct *tsk)
269 {
270         key_check(current->thread_group->session_keyring);
271         key_check(current->thread_group->process_keyring);
272
273         /* no process keyring yet */
274         tsk->signal->process_keyring = NULL;
275
276         /* same session keyring */
277         rcu_read_lock();
278         tsk->signal->session_keyring =
279                 key_get(rcu_dereference(current->signal->session_keyring));
280         rcu_read_unlock();
281
282         return 0;
283
284 } /* end copy_thread_group_keys() */
285
286 /*****************************************************************************/
287 /*
288  * copy the keys for fork
289  */
290 int copy_keys(unsigned long clone_flags, struct task_struct *tsk)
291 {
292         key_check(tsk->thread_keyring);
293         key_check(tsk->request_key_auth);
294
295         /* no thread keyring yet */
296         tsk->thread_keyring = NULL;
297
298         /* copy the request_key() authorisation for this thread */
299         key_get(tsk->request_key_auth);
300
301         return 0;
302
303 } /* end copy_keys() */
304
305 /*****************************************************************************/
306 /*
307  * dispose of thread group keys upon thread group destruction
308  */
309 void exit_thread_group_keys(struct signal_struct *tg)
310 {
311         key_put(tg->session_keyring);
312         key_put(tg->process_keyring);
313
314 } /* end exit_thread_group_keys() */
315
316 /*****************************************************************************/
317 /*
318  * dispose of per-thread keys upon thread exit
319  */
320 void exit_keys(struct task_struct *tsk)
321 {
322         key_put(tsk->thread_keyring);
323         key_put(tsk->request_key_auth);
324
325 } /* end exit_keys() */
326
327 /*****************************************************************************/
328 /*
329  * deal with execve()
330  */
331 int exec_keys(struct task_struct *tsk)
332 {
333         struct key *old;
334
335         /* newly exec'd tasks don't get a thread keyring */
336         task_lock(tsk);
337         old = tsk->thread_keyring;
338         tsk->thread_keyring = NULL;
339         task_unlock(tsk);
340
341         key_put(old);
342
343         /* discard the process keyring from a newly exec'd task */
344         spin_lock_irq(&tsk->sighand->siglock);
345         old = tsk->signal->process_keyring;
346         tsk->signal->process_keyring = NULL;
347         spin_unlock_irq(&tsk->sighand->siglock);
348
349         key_put(old);
350
351         return 0;
352
353 } /* end exec_keys() */
354
355 /*****************************************************************************/
356 /*
357  * deal with SUID programs
358  * - we might want to make this invent a new session keyring
359  */
360 int suid_keys(struct task_struct *tsk)
361 {
362         return 0;
363
364 } /* end suid_keys() */
365
366 /*****************************************************************************/
367 /*
368  * the filesystem user ID changed
369  */
370 void key_fsuid_changed(struct task_struct *tsk)
371 {
372         /* update the ownership of the thread keyring */
373         if (tsk->thread_keyring) {
374                 down_write(&tsk->thread_keyring->sem);
375                 tsk->thread_keyring->uid = tsk->fsuid;
376                 up_write(&tsk->thread_keyring->sem);
377         }
378
379 } /* end key_fsuid_changed() */
380
381 /*****************************************************************************/
382 /*
383  * the filesystem group ID changed
384  */
385 void key_fsgid_changed(struct task_struct *tsk)
386 {
387         /* update the ownership of the thread keyring */
388         if (tsk->thread_keyring) {
389                 down_write(&tsk->thread_keyring->sem);
390                 tsk->thread_keyring->gid = tsk->fsgid;
391                 up_write(&tsk->thread_keyring->sem);
392         }
393
394 } /* end key_fsgid_changed() */
395
396 /*****************************************************************************/
397 /*
398  * search the process keyrings for the first matching key
399  * - we use the supplied match function to see if the description (or other
400  *   feature of interest) matches
401  * - we return -EAGAIN if we didn't find any matching key
402  * - we return -ENOKEY if we found only negative matching keys
403  */
404 key_ref_t search_process_keyrings(struct key_type *type,
405                                   const void *description,
406                                   key_match_func_t match,
407                                   struct task_struct *context)
408 {
409         struct request_key_auth *rka;
410         key_ref_t key_ref, ret, err;
411
412         might_sleep();
413
414         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
415          * searchable, but we failed to find a key or we found a negative key;
416          * otherwise we want to return a sample error (probably -EACCES) if
417          * none of the keyrings were searchable
418          *
419          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
420          */
421         key_ref = NULL;
422         ret = NULL;
423         err = ERR_PTR(-EAGAIN);
424
425         /* search the thread keyring first */
426         if (context->thread_keyring) {
427                 key_ref = keyring_search_aux(
428                         make_key_ref(context->thread_keyring, 1),
429                         context, type, description, match);
430                 if (!IS_ERR(key_ref))
431                         goto found;
432
433                 switch (PTR_ERR(key_ref)) {
434                 case -EAGAIN: /* no key */
435                         if (ret)
436                                 break;
437                 case -ENOKEY: /* negative key */
438                         ret = key_ref;
439                         break;
440                 default:
441                         err = key_ref;
442                         break;
443                 }
444         }
445
446         /* search the process keyring second */
447         if (context->signal->process_keyring) {
448                 key_ref = keyring_search_aux(
449                         make_key_ref(context->signal->process_keyring, 1),
450                         context, type, description, match);
451                 if (!IS_ERR(key_ref))
452                         goto found;
453
454                 switch (PTR_ERR(key_ref)) {
455                 case -EAGAIN: /* no key */
456                         if (ret)
457                                 break;
458                 case -ENOKEY: /* negative key */
459                         ret = key_ref;
460                         break;
461                 default:
462                         err = key_ref;
463                         break;
464                 }
465         }
466
467         /* search the session keyring */
468         if (context->signal->session_keyring) {
469                 rcu_read_lock();
470                 key_ref = keyring_search_aux(
471                         make_key_ref(rcu_dereference(
472                                              context->signal->session_keyring),
473                                      1),
474                         context, type, description, match);
475                 rcu_read_unlock();
476
477                 if (!IS_ERR(key_ref))
478                         goto found;
479
480                 switch (PTR_ERR(key_ref)) {
481                 case -EAGAIN: /* no key */
482                         if (ret)
483                                 break;
484                 case -ENOKEY: /* negative key */
485                         ret = key_ref;
486                         break;
487                 default:
488                         err = key_ref;
489                         break;
490                 }
491         }
492         /* or search the user-session keyring */
493         else if (context->user->session_keyring) {
494                 key_ref = keyring_search_aux(
495                         make_key_ref(context->user->session_keyring, 1),
496                         context, type, description, match);
497                 if (!IS_ERR(key_ref))
498                         goto found;
499
500                 switch (PTR_ERR(key_ref)) {
501                 case -EAGAIN: /* no key */
502                         if (ret)
503                                 break;
504                 case -ENOKEY: /* negative key */
505                         ret = key_ref;
506                         break;
507                 default:
508                         err = key_ref;
509                         break;
510                 }
511         }
512
513         /* if this process has an instantiation authorisation key, then we also
514          * search the keyrings of the process mentioned there
515          * - we don't permit access to request_key auth keys via this method
516          */
517         if (context->request_key_auth &&
518             context == current &&
519             type != &key_type_request_key_auth
520             ) {
521                 /* defend against the auth key being revoked */
522                 down_read(&context->request_key_auth->sem);
523
524                 if (key_validate(context->request_key_auth) == 0) {
525                         rka = context->request_key_auth->payload.data;
526
527                         key_ref = search_process_keyrings(type, description,
528                                                           match, rka->context);
529
530                         up_read(&context->request_key_auth->sem);
531
532                         if (!IS_ERR(key_ref))
533                                 goto found;
534
535                         switch (PTR_ERR(key_ref)) {
536                         case -EAGAIN: /* no key */
537                                 if (ret)
538                                         break;
539                         case -ENOKEY: /* negative key */
540                                 ret = key_ref;
541                                 break;
542                         default:
543                                 err = key_ref;
544                                 break;
545                         }
546                 } else {
547                         up_read(&context->request_key_auth->sem);
548                 }
549         }
550
551         /* no key - decide on the error we're going to go for */
552         key_ref = ret ? ret : err;
553
554 found:
555         return key_ref;
556
557 } /* end search_process_keyrings() */
558
559 /*****************************************************************************/
560 /*
561  * see if the key we're looking at is the target key
562  */
563 static int lookup_user_key_possessed(const struct key *key, const void *target)
564 {
565         return key == target;
566
567 } /* end lookup_user_key_possessed() */
568
569 /*****************************************************************************/
570 /*
571  * lookup a key given a key ID from userspace with a given permissions mask
572  * - don't create special keyrings unless so requested
573  * - partially constructed keys aren't found unless requested
574  */
575 key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
576                           int create, int partial, key_perm_t perm)
577 {
578         key_ref_t key_ref, skey_ref;
579         struct key *key;
580         int ret;
581
582         if (!context)
583                 context = current;
584
585         key_ref = ERR_PTR(-ENOKEY);
586
587         switch (id) {
588         case KEY_SPEC_THREAD_KEYRING:
589                 if (!context->thread_keyring) {
590                         if (!create)
591                                 goto error;
592
593                         ret = install_thread_keyring(context);
594                         if (ret < 0) {
595                                 key = ERR_PTR(ret);
596                                 goto error;
597                         }
598                 }
599
600                 key = context->thread_keyring;
601                 atomic_inc(&key->usage);
602                 key_ref = make_key_ref(key, 1);
603                 break;
604
605         case KEY_SPEC_PROCESS_KEYRING:
606                 if (!context->signal->process_keyring) {
607                         if (!create)
608                                 goto error;
609
610                         ret = install_process_keyring(context);
611                         if (ret < 0) {
612                                 key = ERR_PTR(ret);
613                                 goto error;
614                         }
615                 }
616
617                 key = context->signal->process_keyring;
618                 atomic_inc(&key->usage);
619                 key_ref = make_key_ref(key, 1);
620                 break;
621
622         case KEY_SPEC_SESSION_KEYRING:
623                 if (!context->signal->session_keyring) {
624                         /* always install a session keyring upon access if one
625                          * doesn't exist yet */
626                         ret = install_user_keyrings(context);
627                         if (ret < 0)
628                                 goto error;
629                         ret = install_session_keyring(
630                                 context, context->user->session_keyring);
631                         if (ret < 0)
632                                 goto error;
633                 }
634
635                 rcu_read_lock();
636                 key = rcu_dereference(context->signal->session_keyring);
637                 atomic_inc(&key->usage);
638                 rcu_read_unlock();
639                 key_ref = make_key_ref(key, 1);
640                 break;
641
642         case KEY_SPEC_USER_KEYRING:
643                 if (!context->user->uid_keyring) {
644                         ret = install_user_keyrings(context);
645                         if (ret < 0)
646                                 goto error;
647                 }
648
649                 key = context->user->uid_keyring;
650                 atomic_inc(&key->usage);
651                 key_ref = make_key_ref(key, 1);
652                 break;
653
654         case KEY_SPEC_USER_SESSION_KEYRING:
655                 if (!context->user->session_keyring) {
656                         ret = install_user_keyrings(context);
657                         if (ret < 0)
658                                 goto error;
659                 }
660
661                 key = context->user->session_keyring;
662                 atomic_inc(&key->usage);
663                 key_ref = make_key_ref(key, 1);
664                 break;
665
666         case KEY_SPEC_GROUP_KEYRING:
667                 /* group keyrings are not yet supported */
668                 key = ERR_PTR(-EINVAL);
669                 goto error;
670
671         case KEY_SPEC_REQKEY_AUTH_KEY:
672                 key = context->request_key_auth;
673                 if (!key)
674                         goto error;
675
676                 atomic_inc(&key->usage);
677                 key_ref = make_key_ref(key, 1);
678                 break;
679
680         default:
681                 key_ref = ERR_PTR(-EINVAL);
682                 if (id < 1)
683                         goto error;
684
685                 key = key_lookup(id);
686                 if (IS_ERR(key)) {
687                         key_ref = ERR_CAST(key);
688                         goto error;
689                 }
690
691                 key_ref = make_key_ref(key, 0);
692
693                 /* check to see if we possess the key */
694                 skey_ref = search_process_keyrings(key->type, key,
695                                                    lookup_user_key_possessed,
696                                                    current);
697
698                 if (!IS_ERR(skey_ref)) {
699                         key_put(key);
700                         key_ref = skey_ref;
701                 }
702
703                 break;
704         }
705
706         if (!partial) {
707                 ret = wait_for_key_construction(key, true);
708                 switch (ret) {
709                 case -ERESTARTSYS:
710                         goto invalid_key;
711                 default:
712                         if (perm)
713                                 goto invalid_key;
714                 case 0:
715                         break;
716                 }
717         } else if (perm) {
718                 ret = key_validate(key);
719                 if (ret < 0)
720                         goto invalid_key;
721         }
722
723         ret = -EIO;
724         if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
725                 goto invalid_key;
726
727         /* check the permissions */
728         ret = key_task_permission(key_ref, context, perm);
729         if (ret < 0)
730                 goto invalid_key;
731
732 error:
733         return key_ref;
734
735 invalid_key:
736         key_ref_put(key_ref);
737         key_ref = ERR_PTR(ret);
738         goto error;
739
740 } /* end lookup_user_key() */
741
742 /*****************************************************************************/
743 /*
744  * join the named keyring as the session keyring if possible, or attempt to
745  * create a new one of that name if not
746  * - if the name is NULL, an empty anonymous keyring is installed instead
747  * - named session keyring joining is done with a semaphore held
748  */
749 long join_session_keyring(const char *name)
750 {
751         struct task_struct *tsk = current;
752         struct key *keyring;
753         long ret;
754
755         /* if no name is provided, install an anonymous keyring */
756         if (!name) {
757                 ret = install_session_keyring(tsk, NULL);
758                 if (ret < 0)
759                         goto error;
760
761                 rcu_read_lock();
762                 ret = rcu_dereference(tsk->signal->session_keyring)->serial;
763                 rcu_read_unlock();
764                 goto error;
765         }
766
767         /* allow the user to join or create a named keyring */
768         mutex_lock(&key_session_mutex);
769
770         /* look for an existing keyring of this name */
771         keyring = find_keyring_by_name(name, false);
772         if (PTR_ERR(keyring) == -ENOKEY) {
773                 /* not found - try and create a new one */
774                 keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk,
775                                         KEY_ALLOC_IN_QUOTA, NULL);
776                 if (IS_ERR(keyring)) {
777                         ret = PTR_ERR(keyring);
778                         goto error2;
779                 }
780         }
781         else if (IS_ERR(keyring)) {
782                 ret = PTR_ERR(keyring);
783                 goto error2;
784         }
785
786         /* we've got a keyring - now to install it */
787         ret = install_session_keyring(tsk, keyring);
788         if (ret < 0)
789                 goto error2;
790
791         ret = keyring->serial;
792         key_put(keyring);
793
794 error2:
795         mutex_unlock(&key_session_mutex);
796 error:
797         return ret;
798
799 } /* end join_session_keyring() */