42defae1e161632e93b13b8194af1a30a09f2492
[linux-3.10.git] / security / keys / process_keys.c
1 /* Manage a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <asm/uaccess.h>
22 #include "internal.h"
23
24 /* Session keyring create vs join semaphore */
25 static DEFINE_MUTEX(key_session_mutex);
26
27 /* User keyring creation semaphore */
28 static DEFINE_MUTEX(key_user_keyring_mutex);
29
30 /* The root user's tracking struct */
31 struct key_user root_key_user = {
32         .usage          = ATOMIC_INIT(3),
33         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
34         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
35         .nkeys          = ATOMIC_INIT(2),
36         .nikeys         = ATOMIC_INIT(2),
37         .uid            = GLOBAL_ROOT_UID,
38 };
39
40 /*
41  * Install the user and user session keyrings for the current process's UID.
42  */
43 int install_user_keyrings(void)
44 {
45         struct user_struct *user;
46         const struct cred *cred;
47         struct key *uid_keyring, *session_keyring;
48         key_perm_t user_keyring_perm;
49         char buf[20];
50         int ret;
51         uid_t uid;
52
53         user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
54         cred = current_cred();
55         user = cred->user;
56         uid = from_kuid(cred->user_ns, user->uid);
57
58         kenter("%p{%u}", user, uid);
59
60         if (user->uid_keyring && user->session_keyring) {
61                 kleave(" = 0 [exist]");
62                 return 0;
63         }
64
65         mutex_lock(&key_user_keyring_mutex);
66         ret = 0;
67
68         if (!user->uid_keyring) {
69                 /* get the UID-specific keyring
70                  * - there may be one in existence already as it may have been
71                  *   pinned by a session, but the user_struct pointing to it
72                  *   may have been destroyed by setuid */
73                 sprintf(buf, "_uid.%u", uid);
74
75                 uid_keyring = find_keyring_by_name(buf, true);
76                 if (IS_ERR(uid_keyring)) {
77                         uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
78                                                     cred, user_keyring_perm,
79                                                     KEY_ALLOC_IN_QUOTA, NULL);
80                         if (IS_ERR(uid_keyring)) {
81                                 ret = PTR_ERR(uid_keyring);
82                                 goto error;
83                         }
84                 }
85
86                 /* get a default session keyring (which might also exist
87                  * already) */
88                 sprintf(buf, "_uid_ses.%u", uid);
89
90                 session_keyring = find_keyring_by_name(buf, true);
91                 if (IS_ERR(session_keyring)) {
92                         session_keyring =
93                                 keyring_alloc(buf, user->uid, INVALID_GID,
94                                               cred, user_keyring_perm,
95                                               KEY_ALLOC_IN_QUOTA, NULL);
96                         if (IS_ERR(session_keyring)) {
97                                 ret = PTR_ERR(session_keyring);
98                                 goto error_release;
99                         }
100
101                         /* we install a link from the user session keyring to
102                          * the user keyring */
103                         ret = key_link(session_keyring, uid_keyring);
104                         if (ret < 0)
105                                 goto error_release_both;
106                 }
107
108                 /* install the keyrings */
109                 user->uid_keyring = uid_keyring;
110                 user->session_keyring = session_keyring;
111         }
112
113         mutex_unlock(&key_user_keyring_mutex);
114         kleave(" = 0");
115         return 0;
116
117 error_release_both:
118         key_put(session_keyring);
119 error_release:
120         key_put(uid_keyring);
121 error:
122         mutex_unlock(&key_user_keyring_mutex);
123         kleave(" = %d", ret);
124         return ret;
125 }
126
127 /*
128  * Install a fresh thread keyring directly to new credentials.  This keyring is
129  * allowed to overrun the quota.
130  */
131 int install_thread_keyring_to_cred(struct cred *new)
132 {
133         struct key *keyring;
134
135         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
136                                 KEY_POS_ALL | KEY_USR_VIEW,
137                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
138         if (IS_ERR(keyring))
139                 return PTR_ERR(keyring);
140
141         new->thread_keyring = keyring;
142         return 0;
143 }
144
145 /*
146  * Install a fresh thread keyring, discarding the old one.
147  */
148 static int install_thread_keyring(void)
149 {
150         struct cred *new;
151         int ret;
152
153         new = prepare_creds();
154         if (!new)
155                 return -ENOMEM;
156
157         BUG_ON(new->thread_keyring);
158
159         ret = install_thread_keyring_to_cred(new);
160         if (ret < 0) {
161                 abort_creds(new);
162                 return ret;
163         }
164
165         return commit_creds(new);
166 }
167
168 /*
169  * Install a process keyring directly to a credentials struct.
170  *
171  * Returns -EEXIST if there was already a process keyring, 0 if one installed,
172  * and other value on any other error
173  */
174 int install_process_keyring_to_cred(struct cred *new)
175 {
176         struct key *keyring;
177
178         if (new->process_keyring)
179                 return -EEXIST;
180
181         keyring = keyring_alloc("_pid", new->uid, new->gid, new,
182                                 KEY_POS_ALL | KEY_USR_VIEW,
183                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
184         if (IS_ERR(keyring))
185                 return PTR_ERR(keyring);
186
187         new->process_keyring = keyring;
188         return 0;
189 }
190
191 /*
192  * Make sure a process keyring is installed for the current process.  The
193  * existing process keyring is not replaced.
194  *
195  * Returns 0 if there is a process keyring by the end of this function, some
196  * error otherwise.
197  */
198 static int install_process_keyring(void)
199 {
200         struct cred *new;
201         int ret;
202
203         new = prepare_creds();
204         if (!new)
205                 return -ENOMEM;
206
207         ret = install_process_keyring_to_cred(new);
208         if (ret < 0) {
209                 abort_creds(new);
210                 return ret != -EEXIST ? ret : 0;
211         }
212
213         return commit_creds(new);
214 }
215
216 /*
217  * Install a session keyring directly to a credentials struct.
218  */
219 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
220 {
221         unsigned long flags;
222         struct key *old;
223
224         might_sleep();
225
226         /* create an empty session keyring */
227         if (!keyring) {
228                 flags = KEY_ALLOC_QUOTA_OVERRUN;
229                 if (cred->session_keyring)
230                         flags = KEY_ALLOC_IN_QUOTA;
231
232                 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
233                                         KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
234                                         flags, NULL);
235                 if (IS_ERR(keyring))
236                         return PTR_ERR(keyring);
237         } else {
238                 atomic_inc(&keyring->usage);
239         }
240
241         /* install the keyring */
242         old = cred->session_keyring;
243         rcu_assign_pointer(cred->session_keyring, keyring);
244
245         if (old)
246                 key_put(old);
247
248         return 0;
249 }
250
251 /*
252  * Install a session keyring, discarding the old one.  If a keyring is not
253  * supplied, an empty one is invented.
254  */
255 static int install_session_keyring(struct key *keyring)
256 {
257         struct cred *new;
258         int ret;
259
260         new = prepare_creds();
261         if (!new)
262                 return -ENOMEM;
263
264         ret = install_session_keyring_to_cred(new, keyring);
265         if (ret < 0) {
266                 abort_creds(new);
267                 return ret;
268         }
269
270         return commit_creds(new);
271 }
272
273 /*
274  * Handle the fsuid changing.
275  */
276 void key_fsuid_changed(struct task_struct *tsk)
277 {
278         /* update the ownership of the thread keyring */
279         BUG_ON(!tsk->cred);
280         if (tsk->cred->thread_keyring) {
281                 down_write(&tsk->cred->thread_keyring->sem);
282                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
283                 up_write(&tsk->cred->thread_keyring->sem);
284         }
285 }
286
287 /*
288  * Handle the fsgid changing.
289  */
290 void key_fsgid_changed(struct task_struct *tsk)
291 {
292         /* update the ownership of the thread keyring */
293         BUG_ON(!tsk->cred);
294         if (tsk->cred->thread_keyring) {
295                 down_write(&tsk->cred->thread_keyring->sem);
296                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
297                 up_write(&tsk->cred->thread_keyring->sem);
298         }
299 }
300
301 /*
302  * Search the process keyrings attached to the supplied cred for the first
303  * matching key.
304  *
305  * The search criteria are the type and the match function.  The description is
306  * given to the match function as a parameter, but doesn't otherwise influence
307  * the search.  Typically the match function will compare the description
308  * parameter to the key's description.
309  *
310  * This can only search keyrings that grant Search permission to the supplied
311  * credentials.  Keyrings linked to searched keyrings will also be searched if
312  * they grant Search permission too.  Keys can only be found if they grant
313  * Search permission to the credentials.
314  *
315  * Returns a pointer to the key with the key usage count incremented if
316  * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
317  * matched negative keys.
318  *
319  * In the case of a successful return, the possession attribute is set on the
320  * returned key reference.
321  */
322 key_ref_t search_my_process_keyrings(struct key_type *type,
323                                      const void *description,
324                                      key_match_func_t match,
325                                      bool no_state_check,
326                                      const struct cred *cred)
327 {
328         key_ref_t key_ref, ret, err;
329
330         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
331          * searchable, but we failed to find a key or we found a negative key;
332          * otherwise we want to return a sample error (probably -EACCES) if
333          * none of the keyrings were searchable
334          *
335          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
336          */
337         key_ref = NULL;
338         ret = NULL;
339         err = ERR_PTR(-EAGAIN);
340
341         /* search the thread keyring first */
342         if (cred->thread_keyring) {
343                 key_ref = keyring_search_aux(
344                         make_key_ref(cred->thread_keyring, 1),
345                         cred, type, description, match, no_state_check);
346                 if (!IS_ERR(key_ref))
347                         goto found;
348
349                 switch (PTR_ERR(key_ref)) {
350                 case -EAGAIN: /* no key */
351                 case -ENOKEY: /* negative key */
352                         ret = key_ref;
353                         break;
354                 default:
355                         err = key_ref;
356                         break;
357                 }
358         }
359
360         /* search the process keyring second */
361         if (cred->process_keyring) {
362                 key_ref = keyring_search_aux(
363                         make_key_ref(cred->process_keyring, 1),
364                         cred, type, description, match, no_state_check);
365                 if (!IS_ERR(key_ref))
366                         goto found;
367
368                 switch (PTR_ERR(key_ref)) {
369                 case -EAGAIN: /* no key */
370                         if (ret)
371                                 break;
372                 case -ENOKEY: /* negative key */
373                         ret = key_ref;
374                         break;
375                 default:
376                         err = key_ref;
377                         break;
378                 }
379         }
380
381         /* search the session keyring */
382         if (cred->session_keyring) {
383                 rcu_read_lock();
384                 key_ref = keyring_search_aux(
385                         make_key_ref(rcu_dereference(cred->session_keyring), 1),
386                         cred, type, description, match, no_state_check);
387                 rcu_read_unlock();
388
389                 if (!IS_ERR(key_ref))
390                         goto found;
391
392                 switch (PTR_ERR(key_ref)) {
393                 case -EAGAIN: /* no key */
394                         if (ret)
395                                 break;
396                 case -ENOKEY: /* negative key */
397                         ret = key_ref;
398                         break;
399                 default:
400                         err = key_ref;
401                         break;
402                 }
403         }
404         /* or search the user-session keyring */
405         else if (cred->user->session_keyring) {
406                 key_ref = keyring_search_aux(
407                         make_key_ref(cred->user->session_keyring, 1),
408                         cred, type, description, match, no_state_check);
409                 if (!IS_ERR(key_ref))
410                         goto found;
411
412                 switch (PTR_ERR(key_ref)) {
413                 case -EAGAIN: /* no key */
414                         if (ret)
415                                 break;
416                 case -ENOKEY: /* negative key */
417                         ret = key_ref;
418                         break;
419                 default:
420                         err = key_ref;
421                         break;
422                 }
423         }
424
425         /* no key - decide on the error we're going to go for */
426         key_ref = ret ? ret : err;
427
428 found:
429         return key_ref;
430 }
431
432 /*
433  * Search the process keyrings attached to the supplied cred for the first
434  * matching key in the manner of search_my_process_keyrings(), but also search
435  * the keys attached to the assumed authorisation key using its credentials if
436  * one is available.
437  *
438  * Return same as search_my_process_keyrings().
439  */
440 key_ref_t search_process_keyrings(struct key_type *type,
441                                   const void *description,
442                                   key_match_func_t match,
443                                   const struct cred *cred)
444 {
445         struct request_key_auth *rka;
446         key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
447
448         might_sleep();
449
450         key_ref = search_my_process_keyrings(type, description, match,
451                                              false, cred);
452         if (!IS_ERR(key_ref))
453                 goto found;
454         err = key_ref;
455
456         /* if this process has an instantiation authorisation key, then we also
457          * search the keyrings of the process mentioned there
458          * - we don't permit access to request_key auth keys via this method
459          */
460         if (cred->request_key_auth &&
461             cred == current_cred() &&
462             type != &key_type_request_key_auth
463             ) {
464                 /* defend against the auth key being revoked */
465                 down_read(&cred->request_key_auth->sem);
466
467                 if (key_validate(cred->request_key_auth) == 0) {
468                         rka = cred->request_key_auth->payload.data;
469
470                         key_ref = search_process_keyrings(type, description,
471                                                           match, rka->cred);
472
473                         up_read(&cred->request_key_auth->sem);
474
475                         if (!IS_ERR(key_ref))
476                                 goto found;
477
478                         ret = key_ref;
479                 } else {
480                         up_read(&cred->request_key_auth->sem);
481                 }
482         }
483
484         /* no key - decide on the error we're going to go for */
485         if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
486                 key_ref = ERR_PTR(-ENOKEY);
487         else if (err == ERR_PTR(-EACCES))
488                 key_ref = ret;
489         else
490                 key_ref = err;
491
492 found:
493         return key_ref;
494 }
495
496 /*
497  * See if the key we're looking at is the target key.
498  */
499 int lookup_user_key_possessed(const struct key *key, const void *target)
500 {
501         return key == target;
502 }
503
504 /*
505  * Look up a key ID given us by userspace with a given permissions mask to get
506  * the key it refers to.
507  *
508  * Flags can be passed to request that special keyrings be created if referred
509  * to directly, to permit partially constructed keys to be found and to skip
510  * validity and permission checks on the found key.
511  *
512  * Returns a pointer to the key with an incremented usage count if successful;
513  * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
514  * to a key or the best found key was a negative key; -EKEYREVOKED or
515  * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
516  * found key doesn't grant the requested permit or the LSM denied access to it;
517  * or -ENOMEM if a special keyring couldn't be created.
518  *
519  * In the case of a successful return, the possession attribute is set on the
520  * returned key reference.
521  */
522 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
523                           key_perm_t perm)
524 {
525         struct request_key_auth *rka;
526         const struct cred *cred;
527         struct key *key;
528         key_ref_t key_ref, skey_ref;
529         int ret;
530
531 try_again:
532         cred = get_current_cred();
533         key_ref = ERR_PTR(-ENOKEY);
534
535         switch (id) {
536         case KEY_SPEC_THREAD_KEYRING:
537                 if (!cred->thread_keyring) {
538                         if (!(lflags & KEY_LOOKUP_CREATE))
539                                 goto error;
540
541                         ret = install_thread_keyring();
542                         if (ret < 0) {
543                                 key_ref = ERR_PTR(ret);
544                                 goto error;
545                         }
546                         goto reget_creds;
547                 }
548
549                 key = cred->thread_keyring;
550                 atomic_inc(&key->usage);
551                 key_ref = make_key_ref(key, 1);
552                 break;
553
554         case KEY_SPEC_PROCESS_KEYRING:
555                 if (!cred->process_keyring) {
556                         if (!(lflags & KEY_LOOKUP_CREATE))
557                                 goto error;
558
559                         ret = install_process_keyring();
560                         if (ret < 0) {
561                                 key_ref = ERR_PTR(ret);
562                                 goto error;
563                         }
564                         goto reget_creds;
565                 }
566
567                 key = cred->process_keyring;
568                 atomic_inc(&key->usage);
569                 key_ref = make_key_ref(key, 1);
570                 break;
571
572         case KEY_SPEC_SESSION_KEYRING:
573                 if (!cred->session_keyring) {
574                         /* always install a session keyring upon access if one
575                          * doesn't exist yet */
576                         ret = install_user_keyrings();
577                         if (ret < 0)
578                                 goto error;
579                         if (lflags & KEY_LOOKUP_CREATE)
580                                 ret = join_session_keyring(NULL);
581                         else
582                                 ret = install_session_keyring(
583                                         cred->user->session_keyring);
584
585                         if (ret < 0)
586                                 goto error;
587                         goto reget_creds;
588                 } else if (cred->session_keyring ==
589                            cred->user->session_keyring &&
590                            lflags & KEY_LOOKUP_CREATE) {
591                         ret = join_session_keyring(NULL);
592                         if (ret < 0)
593                                 goto error;
594                         goto reget_creds;
595                 }
596
597                 rcu_read_lock();
598                 key = rcu_dereference(cred->session_keyring);
599                 atomic_inc(&key->usage);
600                 rcu_read_unlock();
601                 key_ref = make_key_ref(key, 1);
602                 break;
603
604         case KEY_SPEC_USER_KEYRING:
605                 if (!cred->user->uid_keyring) {
606                         ret = install_user_keyrings();
607                         if (ret < 0)
608                                 goto error;
609                 }
610
611                 key = cred->user->uid_keyring;
612                 atomic_inc(&key->usage);
613                 key_ref = make_key_ref(key, 1);
614                 break;
615
616         case KEY_SPEC_USER_SESSION_KEYRING:
617                 if (!cred->user->session_keyring) {
618                         ret = install_user_keyrings();
619                         if (ret < 0)
620                                 goto error;
621                 }
622
623                 key = cred->user->session_keyring;
624                 atomic_inc(&key->usage);
625                 key_ref = make_key_ref(key, 1);
626                 break;
627
628         case KEY_SPEC_GROUP_KEYRING:
629                 /* group keyrings are not yet supported */
630                 key_ref = ERR_PTR(-EINVAL);
631                 goto error;
632
633         case KEY_SPEC_REQKEY_AUTH_KEY:
634                 key = cred->request_key_auth;
635                 if (!key)
636                         goto error;
637
638                 atomic_inc(&key->usage);
639                 key_ref = make_key_ref(key, 1);
640                 break;
641
642         case KEY_SPEC_REQUESTOR_KEYRING:
643                 if (!cred->request_key_auth)
644                         goto error;
645
646                 down_read(&cred->request_key_auth->sem);
647                 if (test_bit(KEY_FLAG_REVOKED,
648                              &cred->request_key_auth->flags)) {
649                         key_ref = ERR_PTR(-EKEYREVOKED);
650                         key = NULL;
651                 } else {
652                         rka = cred->request_key_auth->payload.data;
653                         key = rka->dest_keyring;
654                         atomic_inc(&key->usage);
655                 }
656                 up_read(&cred->request_key_auth->sem);
657                 if (!key)
658                         goto error;
659                 key_ref = make_key_ref(key, 1);
660                 break;
661
662         default:
663                 key_ref = ERR_PTR(-EINVAL);
664                 if (id < 1)
665                         goto error;
666
667                 key = key_lookup(id);
668                 if (IS_ERR(key)) {
669                         key_ref = ERR_CAST(key);
670                         goto error;
671                 }
672
673                 key_ref = make_key_ref(key, 0);
674
675                 /* check to see if we possess the key */
676                 skey_ref = search_process_keyrings(key->type, key,
677                                                    lookup_user_key_possessed,
678                                                    cred);
679
680                 if (!IS_ERR(skey_ref)) {
681                         key_put(key);
682                         key_ref = skey_ref;
683                 }
684
685                 break;
686         }
687
688         /* unlink does not use the nominated key in any way, so can skip all
689          * the permission checks as it is only concerned with the keyring */
690         if (lflags & KEY_LOOKUP_FOR_UNLINK) {
691                 ret = 0;
692                 goto error;
693         }
694
695         if (!(lflags & KEY_LOOKUP_PARTIAL)) {
696                 ret = wait_for_key_construction(key, true);
697                 switch (ret) {
698                 case -ERESTARTSYS:
699                         goto invalid_key;
700                 default:
701                         if (perm)
702                                 goto invalid_key;
703                 case 0:
704                         break;
705                 }
706         } else if (perm) {
707                 ret = key_validate(key);
708                 if (ret < 0)
709                         goto invalid_key;
710         }
711
712         ret = -EIO;
713         if (!(lflags & KEY_LOOKUP_PARTIAL) &&
714             !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
715                 goto invalid_key;
716
717         /* check the permissions */
718         ret = key_task_permission(key_ref, cred, perm);
719         if (ret < 0)
720                 goto invalid_key;
721
722         key->last_used_at = current_kernel_time().tv_sec;
723
724 error:
725         put_cred(cred);
726         return key_ref;
727
728 invalid_key:
729         key_ref_put(key_ref);
730         key_ref = ERR_PTR(ret);
731         goto error;
732
733         /* if we attempted to install a keyring, then it may have caused new
734          * creds to be installed */
735 reget_creds:
736         put_cred(cred);
737         goto try_again;
738 }
739
740 /*
741  * Join the named keyring as the session keyring if possible else attempt to
742  * create a new one of that name and join that.
743  *
744  * If the name is NULL, an empty anonymous keyring will be installed as the
745  * session keyring.
746  *
747  * Named session keyrings are joined with a semaphore held to prevent the
748  * keyrings from going away whilst the attempt is made to going them and also
749  * to prevent a race in creating compatible session keyrings.
750  */
751 long join_session_keyring(const char *name)
752 {
753         const struct cred *old;
754         struct cred *new;
755         struct key *keyring;
756         long ret, serial;
757
758         new = prepare_creds();
759         if (!new)
760                 return -ENOMEM;
761         old = current_cred();
762
763         /* if no name is provided, install an anonymous keyring */
764         if (!name) {
765                 ret = install_session_keyring_to_cred(new, NULL);
766                 if (ret < 0)
767                         goto error;
768
769                 serial = new->session_keyring->serial;
770                 ret = commit_creds(new);
771                 if (ret == 0)
772                         ret = serial;
773                 goto okay;
774         }
775
776         /* allow the user to join or create a named keyring */
777         mutex_lock(&key_session_mutex);
778
779         /* look for an existing keyring of this name */
780         keyring = find_keyring_by_name(name, false);
781         if (PTR_ERR(keyring) == -ENOKEY) {
782                 /* not found - try and create a new one */
783                 keyring = keyring_alloc(
784                         name, old->uid, old->gid, old,
785                         KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
786                         KEY_ALLOC_IN_QUOTA, NULL);
787                 if (IS_ERR(keyring)) {
788                         ret = PTR_ERR(keyring);
789                         goto error2;
790                 }
791         } else if (IS_ERR(keyring)) {
792                 ret = PTR_ERR(keyring);
793                 goto error2;
794         } else if (keyring == new->session_keyring) {
795                 ret = 0;
796                 goto error2;
797         }
798
799         /* we've got a keyring - now to install it */
800         ret = install_session_keyring_to_cred(new, keyring);
801         if (ret < 0)
802                 goto error2;
803
804         commit_creds(new);
805         mutex_unlock(&key_session_mutex);
806
807         ret = keyring->serial;
808         key_put(keyring);
809 okay:
810         return ret;
811
812 error2:
813         mutex_unlock(&key_session_mutex);
814 error:
815         abort_creds(new);
816         return ret;
817 }
818
819 /*
820  * Replace a process's session keyring on behalf of one of its children when
821  * the target  process is about to resume userspace execution.
822  */
823 void key_change_session_keyring(struct callback_head *twork)
824 {
825         const struct cred *old = current_cred();
826         struct cred *new = container_of(twork, struct cred, rcu);
827
828         if (unlikely(current->flags & PF_EXITING)) {
829                 put_cred(new);
830                 return;
831         }
832
833         new->  uid      = old->  uid;
834         new-> euid      = old-> euid;
835         new-> suid      = old-> suid;
836         new->fsuid      = old->fsuid;
837         new->  gid      = old->  gid;
838         new-> egid      = old-> egid;
839         new-> sgid      = old-> sgid;
840         new->fsgid      = old->fsgid;
841         new->user       = get_uid(old->user);
842         new->user_ns    = get_user_ns(old->user_ns);
843         new->group_info = get_group_info(old->group_info);
844
845         new->securebits = old->securebits;
846         new->cap_inheritable    = old->cap_inheritable;
847         new->cap_permitted      = old->cap_permitted;
848         new->cap_effective      = old->cap_effective;
849         new->cap_bset           = old->cap_bset;
850
851         new->jit_keyring        = old->jit_keyring;
852         new->thread_keyring     = key_get(old->thread_keyring);
853         new->process_keyring    = key_get(old->process_keyring);
854
855         security_transfer_creds(new, old);
856
857         commit_creds(new);
858 }