gianfar: fix signedness issue
[linux-2.6.git] / security / keys / process_keys.c
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <asm/uaccess.h>
22 #include "internal.h"
23
24 /* session keyring create vs join semaphore */
25 static DEFINE_MUTEX(key_session_mutex);
26
27 /* user keyring creation semaphore */
28 static DEFINE_MUTEX(key_user_keyring_mutex);
29
30 /* the root user's tracking struct */
31 struct key_user root_key_user = {
32         .usage          = ATOMIC_INIT(3),
33         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
34         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
35         .nkeys          = ATOMIC_INIT(2),
36         .nikeys         = ATOMIC_INIT(2),
37         .uid            = 0,
38         .user_ns        = &init_user_ns,
39 };
40
41 /*****************************************************************************/
42 /*
43  * install user and user session keyrings for a particular UID
44  */
45 int install_user_keyrings(void)
46 {
47         struct user_struct *user;
48         const struct cred *cred;
49         struct key *uid_keyring, *session_keyring;
50         char buf[20];
51         int ret;
52
53         cred = current_cred();
54         user = cred->user;
55
56         kenter("%p{%u}", user, user->uid);
57
58         if (user->uid_keyring) {
59                 kleave(" = 0 [exist]");
60                 return 0;
61         }
62
63         mutex_lock(&key_user_keyring_mutex);
64         ret = 0;
65
66         if (!user->uid_keyring) {
67                 /* get the UID-specific keyring
68                  * - there may be one in existence already as it may have been
69                  *   pinned by a session, but the user_struct pointing to it
70                  *   may have been destroyed by setuid */
71                 sprintf(buf, "_uid.%u", user->uid);
72
73                 uid_keyring = find_keyring_by_name(buf, true);
74                 if (IS_ERR(uid_keyring)) {
75                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
76                                                     cred, KEY_ALLOC_IN_QUOTA,
77                                                     NULL);
78                         if (IS_ERR(uid_keyring)) {
79                                 ret = PTR_ERR(uid_keyring);
80                                 goto error;
81                         }
82                 }
83
84                 /* get a default session keyring (which might also exist
85                  * already) */
86                 sprintf(buf, "_uid_ses.%u", user->uid);
87
88                 session_keyring = find_keyring_by_name(buf, true);
89                 if (IS_ERR(session_keyring)) {
90                         session_keyring =
91                                 keyring_alloc(buf, user->uid, (gid_t) -1,
92                                               cred, KEY_ALLOC_IN_QUOTA, NULL);
93                         if (IS_ERR(session_keyring)) {
94                                 ret = PTR_ERR(session_keyring);
95                                 goto error_release;
96                         }
97
98                         /* we install a link from the user session keyring to
99                          * the user keyring */
100                         ret = key_link(session_keyring, uid_keyring);
101                         if (ret < 0)
102                                 goto error_release_both;
103                 }
104
105                 /* install the keyrings */
106                 user->uid_keyring = uid_keyring;
107                 user->session_keyring = session_keyring;
108         }
109
110         mutex_unlock(&key_user_keyring_mutex);
111         kleave(" = 0");
112         return 0;
113
114 error_release_both:
115         key_put(session_keyring);
116 error_release:
117         key_put(uid_keyring);
118 error:
119         mutex_unlock(&key_user_keyring_mutex);
120         kleave(" = %d", ret);
121         return ret;
122 }
123
124 /*
125  * install a fresh thread keyring directly to new credentials
126  */
127 int install_thread_keyring_to_cred(struct cred *new)
128 {
129         struct key *keyring;
130
131         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
132                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
133         if (IS_ERR(keyring))
134                 return PTR_ERR(keyring);
135
136         new->thread_keyring = keyring;
137         return 0;
138 }
139
140 /*
141  * install a fresh thread keyring, discarding the old one
142  */
143 static int install_thread_keyring(void)
144 {
145         struct cred *new;
146         int ret;
147
148         new = prepare_creds();
149         if (!new)
150                 return -ENOMEM;
151
152         BUG_ON(new->thread_keyring);
153
154         ret = install_thread_keyring_to_cred(new);
155         if (ret < 0) {
156                 abort_creds(new);
157                 return ret;
158         }
159
160         return commit_creds(new);
161 }
162
163 /*
164  * install a process keyring directly to a credentials struct
165  * - returns -EEXIST if there was already a process keyring, 0 if one installed,
166  *   and other -ve on any other error
167  */
168 int install_process_keyring_to_cred(struct cred *new)
169 {
170         struct key *keyring;
171         int ret;
172
173         if (new->tgcred->process_keyring)
174                 return -EEXIST;
175
176         keyring = keyring_alloc("_pid", new->uid, new->gid,
177                                 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
178         if (IS_ERR(keyring))
179                 return PTR_ERR(keyring);
180
181         spin_lock_irq(&new->tgcred->lock);
182         if (!new->tgcred->process_keyring) {
183                 new->tgcred->process_keyring = keyring;
184                 keyring = NULL;
185                 ret = 0;
186         } else {
187                 ret = -EEXIST;
188         }
189         spin_unlock_irq(&new->tgcred->lock);
190         key_put(keyring);
191         return ret;
192 }
193
194 /*
195  * make sure a process keyring is installed
196  * - we
197  */
198 static int install_process_keyring(void)
199 {
200         struct cred *new;
201         int ret;
202
203         new = prepare_creds();
204         if (!new)
205                 return -ENOMEM;
206
207         ret = install_process_keyring_to_cred(new);
208         if (ret < 0) {
209                 abort_creds(new);
210                 return ret != -EEXIST ? ret : 0;
211         }
212
213         return commit_creds(new);
214 }
215
216 /*
217  * install a session keyring directly to a credentials struct
218  */
219 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
220 {
221         unsigned long flags;
222         struct key *old;
223
224         might_sleep();
225
226         /* create an empty session keyring */
227         if (!keyring) {
228                 flags = KEY_ALLOC_QUOTA_OVERRUN;
229                 if (cred->tgcred->session_keyring)
230                         flags = KEY_ALLOC_IN_QUOTA;
231
232                 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
233                                         cred, flags, NULL);
234                 if (IS_ERR(keyring))
235                         return PTR_ERR(keyring);
236         } else {
237                 atomic_inc(&keyring->usage);
238         }
239
240         /* install the keyring */
241         spin_lock_irq(&cred->tgcred->lock);
242         old = cred->tgcred->session_keyring;
243         rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
244         spin_unlock_irq(&cred->tgcred->lock);
245
246         /* we're using RCU on the pointer, but there's no point synchronising
247          * on it if it didn't previously point to anything */
248         if (old) {
249                 synchronize_rcu();
250                 key_put(old);
251         }
252
253         return 0;
254 }
255
256 /*
257  * install a session keyring, discarding the old one
258  * - if a keyring is not supplied, an empty one is invented
259  */
260 static int install_session_keyring(struct key *keyring)
261 {
262         struct cred *new;
263         int ret;
264
265         new = prepare_creds();
266         if (!new)
267                 return -ENOMEM;
268
269         ret = install_session_keyring_to_cred(new, NULL);
270         if (ret < 0) {
271                 abort_creds(new);
272                 return ret;
273         }
274
275         return commit_creds(new);
276 }
277
278 /*****************************************************************************/
279 /*
280  * the filesystem user ID changed
281  */
282 void key_fsuid_changed(struct task_struct *tsk)
283 {
284         /* update the ownership of the thread keyring */
285         BUG_ON(!tsk->cred);
286         if (tsk->cred->thread_keyring) {
287                 down_write(&tsk->cred->thread_keyring->sem);
288                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
289                 up_write(&tsk->cred->thread_keyring->sem);
290         }
291
292 } /* end key_fsuid_changed() */
293
294 /*****************************************************************************/
295 /*
296  * the filesystem group ID changed
297  */
298 void key_fsgid_changed(struct task_struct *tsk)
299 {
300         /* update the ownership of the thread keyring */
301         BUG_ON(!tsk->cred);
302         if (tsk->cred->thread_keyring) {
303                 down_write(&tsk->cred->thread_keyring->sem);
304                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
305                 up_write(&tsk->cred->thread_keyring->sem);
306         }
307
308 } /* end key_fsgid_changed() */
309
310 /*****************************************************************************/
311 /*
312  * search only my process keyrings for the first matching key
313  * - we use the supplied match function to see if the description (or other
314  *   feature of interest) matches
315  * - we return -EAGAIN if we didn't find any matching key
316  * - we return -ENOKEY if we found only negative matching keys
317  */
318 key_ref_t search_my_process_keyrings(struct key_type *type,
319                                      const void *description,
320                                      key_match_func_t match,
321                                      const struct cred *cred)
322 {
323         key_ref_t key_ref, ret, err;
324
325         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
326          * searchable, but we failed to find a key or we found a negative key;
327          * otherwise we want to return a sample error (probably -EACCES) if
328          * none of the keyrings were searchable
329          *
330          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
331          */
332         key_ref = NULL;
333         ret = NULL;
334         err = ERR_PTR(-EAGAIN);
335
336         /* search the thread keyring first */
337         if (cred->thread_keyring) {
338                 key_ref = keyring_search_aux(
339                         make_key_ref(cred->thread_keyring, 1),
340                         cred, type, description, match);
341                 if (!IS_ERR(key_ref))
342                         goto found;
343
344                 switch (PTR_ERR(key_ref)) {
345                 case -EAGAIN: /* no key */
346                         if (ret)
347                                 break;
348                 case -ENOKEY: /* negative key */
349                         ret = key_ref;
350                         break;
351                 default:
352                         err = key_ref;
353                         break;
354                 }
355         }
356
357         /* search the process keyring second */
358         if (cred->tgcred->process_keyring) {
359                 key_ref = keyring_search_aux(
360                         make_key_ref(cred->tgcred->process_keyring, 1),
361                         cred, type, description, match);
362                 if (!IS_ERR(key_ref))
363                         goto found;
364
365                 switch (PTR_ERR(key_ref)) {
366                 case -EAGAIN: /* no key */
367                         if (ret)
368                                 break;
369                 case -ENOKEY: /* negative key */
370                         ret = key_ref;
371                         break;
372                 default:
373                         err = key_ref;
374                         break;
375                 }
376         }
377
378         /* search the session keyring */
379         if (cred->tgcred->session_keyring) {
380                 rcu_read_lock();
381                 key_ref = keyring_search_aux(
382                         make_key_ref(rcu_dereference(
383                                              cred->tgcred->session_keyring),
384                                      1),
385                         cred, type, description, match);
386                 rcu_read_unlock();
387
388                 if (!IS_ERR(key_ref))
389                         goto found;
390
391                 switch (PTR_ERR(key_ref)) {
392                 case -EAGAIN: /* no key */
393                         if (ret)
394                                 break;
395                 case -ENOKEY: /* negative key */
396                         ret = key_ref;
397                         break;
398                 default:
399                         err = key_ref;
400                         break;
401                 }
402         }
403         /* or search the user-session keyring */
404         else if (cred->user->session_keyring) {
405                 key_ref = keyring_search_aux(
406                         make_key_ref(cred->user->session_keyring, 1),
407                         cred, type, description, match);
408                 if (!IS_ERR(key_ref))
409                         goto found;
410
411                 switch (PTR_ERR(key_ref)) {
412                 case -EAGAIN: /* no key */
413                         if (ret)
414                                 break;
415                 case -ENOKEY: /* negative key */
416                         ret = key_ref;
417                         break;
418                 default:
419                         err = key_ref;
420                         break;
421                 }
422         }
423
424         /* no key - decide on the error we're going to go for */
425         key_ref = ret ? ret : err;
426
427 found:
428         return key_ref;
429 }
430
431 /*****************************************************************************/
432 /*
433  * search the process keyrings for the first matching key
434  * - we use the supplied match function to see if the description (or other
435  *   feature of interest) matches
436  * - we return -EAGAIN if we didn't find any matching key
437  * - we return -ENOKEY if we found only negative matching keys
438  */
439 key_ref_t search_process_keyrings(struct key_type *type,
440                                   const void *description,
441                                   key_match_func_t match,
442                                   const struct cred *cred)
443 {
444         struct request_key_auth *rka;
445         key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
446
447         might_sleep();
448
449         key_ref = search_my_process_keyrings(type, description, match, cred);
450         if (!IS_ERR(key_ref))
451                 goto found;
452         err = key_ref;
453
454         /* if this process has an instantiation authorisation key, then we also
455          * search the keyrings of the process mentioned there
456          * - we don't permit access to request_key auth keys via this method
457          */
458         if (cred->request_key_auth &&
459             cred == current_cred() &&
460             type != &key_type_request_key_auth
461             ) {
462                 /* defend against the auth key being revoked */
463                 down_read(&cred->request_key_auth->sem);
464
465                 if (key_validate(cred->request_key_auth) == 0) {
466                         rka = cred->request_key_auth->payload.data;
467
468                         key_ref = search_process_keyrings(type, description,
469                                                           match, rka->cred);
470
471                         up_read(&cred->request_key_auth->sem);
472
473                         if (!IS_ERR(key_ref))
474                                 goto found;
475
476                         ret = key_ref;
477                 } else {
478                         up_read(&cred->request_key_auth->sem);
479                 }
480         }
481
482         /* no key - decide on the error we're going to go for */
483         if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
484                 key_ref = ERR_PTR(-ENOKEY);
485         else if (err == ERR_PTR(-EACCES))
486                 key_ref = ret;
487         else
488                 key_ref = err;
489
490 found:
491         return key_ref;
492
493 } /* end search_process_keyrings() */
494
495 /*****************************************************************************/
496 /*
497  * see if the key we're looking at is the target key
498  */
499 int lookup_user_key_possessed(const struct key *key, const void *target)
500 {
501         return key == target;
502
503 } /* end lookup_user_key_possessed() */
504
505 /*****************************************************************************/
506 /*
507  * lookup a key given a key ID from userspace with a given permissions mask
508  * - don't create special keyrings unless so requested
509  * - partially constructed keys aren't found unless requested
510  */
511 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
512                           key_perm_t perm)
513 {
514         struct request_key_auth *rka;
515         const struct cred *cred;
516         struct key *key;
517         key_ref_t key_ref, skey_ref;
518         int ret;
519
520 try_again:
521         cred = get_current_cred();
522         key_ref = ERR_PTR(-ENOKEY);
523
524         switch (id) {
525         case KEY_SPEC_THREAD_KEYRING:
526                 if (!cred->thread_keyring) {
527                         if (!(lflags & KEY_LOOKUP_CREATE))
528                                 goto error;
529
530                         ret = install_thread_keyring();
531                         if (ret < 0) {
532                                 key_ref = ERR_PTR(ret);
533                                 goto error;
534                         }
535                         goto reget_creds;
536                 }
537
538                 key = cred->thread_keyring;
539                 atomic_inc(&key->usage);
540                 key_ref = make_key_ref(key, 1);
541                 break;
542
543         case KEY_SPEC_PROCESS_KEYRING:
544                 if (!cred->tgcred->process_keyring) {
545                         if (!(lflags & KEY_LOOKUP_CREATE))
546                                 goto error;
547
548                         ret = install_process_keyring();
549                         if (ret < 0) {
550                                 key_ref = ERR_PTR(ret);
551                                 goto error;
552                         }
553                         goto reget_creds;
554                 }
555
556                 key = cred->tgcred->process_keyring;
557                 atomic_inc(&key->usage);
558                 key_ref = make_key_ref(key, 1);
559                 break;
560
561         case KEY_SPEC_SESSION_KEYRING:
562                 if (!cred->tgcred->session_keyring) {
563                         /* always install a session keyring upon access if one
564                          * doesn't exist yet */
565                         ret = install_user_keyrings();
566                         if (ret < 0)
567                                 goto error;
568                         ret = install_session_keyring(
569                                 cred->user->session_keyring);
570
571                         if (ret < 0)
572                                 goto error;
573                         goto reget_creds;
574                 }
575
576                 rcu_read_lock();
577                 key = rcu_dereference(cred->tgcred->session_keyring);
578                 atomic_inc(&key->usage);
579                 rcu_read_unlock();
580                 key_ref = make_key_ref(key, 1);
581                 break;
582
583         case KEY_SPEC_USER_KEYRING:
584                 if (!cred->user->uid_keyring) {
585                         ret = install_user_keyrings();
586                         if (ret < 0)
587                                 goto error;
588                 }
589
590                 key = cred->user->uid_keyring;
591                 atomic_inc(&key->usage);
592                 key_ref = make_key_ref(key, 1);
593                 break;
594
595         case KEY_SPEC_USER_SESSION_KEYRING:
596                 if (!cred->user->session_keyring) {
597                         ret = install_user_keyrings();
598                         if (ret < 0)
599                                 goto error;
600                 }
601
602                 key = cred->user->session_keyring;
603                 atomic_inc(&key->usage);
604                 key_ref = make_key_ref(key, 1);
605                 break;
606
607         case KEY_SPEC_GROUP_KEYRING:
608                 /* group keyrings are not yet supported */
609                 key_ref = ERR_PTR(-EINVAL);
610                 goto error;
611
612         case KEY_SPEC_REQKEY_AUTH_KEY:
613                 key = cred->request_key_auth;
614                 if (!key)
615                         goto error;
616
617                 atomic_inc(&key->usage);
618                 key_ref = make_key_ref(key, 1);
619                 break;
620
621         case KEY_SPEC_REQUESTOR_KEYRING:
622                 if (!cred->request_key_auth)
623                         goto error;
624
625                 down_read(&cred->request_key_auth->sem);
626                 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
627                         key_ref = ERR_PTR(-EKEYREVOKED);
628                         key = NULL;
629                 } else {
630                         rka = cred->request_key_auth->payload.data;
631                         key = rka->dest_keyring;
632                         atomic_inc(&key->usage);
633                 }
634                 up_read(&cred->request_key_auth->sem);
635                 if (!key)
636                         goto error;
637                 key_ref = make_key_ref(key, 1);
638                 break;
639
640         default:
641                 key_ref = ERR_PTR(-EINVAL);
642                 if (id < 1)
643                         goto error;
644
645                 key = key_lookup(id);
646                 if (IS_ERR(key)) {
647                         key_ref = ERR_CAST(key);
648                         goto error;
649                 }
650
651                 key_ref = make_key_ref(key, 0);
652
653                 /* check to see if we possess the key */
654                 skey_ref = search_process_keyrings(key->type, key,
655                                                    lookup_user_key_possessed,
656                                                    cred);
657
658                 if (!IS_ERR(skey_ref)) {
659                         key_put(key);
660                         key_ref = skey_ref;
661                 }
662
663                 break;
664         }
665
666         /* unlink does not use the nominated key in any way, so can skip all
667          * the permission checks as it is only concerned with the keyring */
668         if (lflags & KEY_LOOKUP_FOR_UNLINK) {
669                 ret = 0;
670                 goto error;
671         }
672
673         if (!(lflags & KEY_LOOKUP_PARTIAL)) {
674                 ret = wait_for_key_construction(key, true);
675                 switch (ret) {
676                 case -ERESTARTSYS:
677                         goto invalid_key;
678                 default:
679                         if (perm)
680                                 goto invalid_key;
681                 case 0:
682                         break;
683                 }
684         } else if (perm) {
685                 ret = key_validate(key);
686                 if (ret < 0)
687                         goto invalid_key;
688         }
689
690         ret = -EIO;
691         if (!(lflags & KEY_LOOKUP_PARTIAL) &&
692             !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
693                 goto invalid_key;
694
695         /* check the permissions */
696         ret = key_task_permission(key_ref, cred, perm);
697         if (ret < 0)
698                 goto invalid_key;
699
700 error:
701         put_cred(cred);
702         return key_ref;
703
704 invalid_key:
705         key_ref_put(key_ref);
706         key_ref = ERR_PTR(ret);
707         goto error;
708
709         /* if we attempted to install a keyring, then it may have caused new
710          * creds to be installed */
711 reget_creds:
712         put_cred(cred);
713         goto try_again;
714
715 } /* end lookup_user_key() */
716
717 /*****************************************************************************/
718 /*
719  * join the named keyring as the session keyring if possible, or attempt to
720  * create a new one of that name if not
721  * - if the name is NULL, an empty anonymous keyring is installed instead
722  * - named session keyring joining is done with a semaphore held
723  */
724 long join_session_keyring(const char *name)
725 {
726         const struct cred *old;
727         struct cred *new;
728         struct key *keyring;
729         long ret, serial;
730
731         /* only permit this if there's a single thread in the thread group -
732          * this avoids us having to adjust the creds on all threads and risking
733          * ENOMEM */
734         if (!current_is_single_threaded())
735                 return -EMLINK;
736
737         new = prepare_creds();
738         if (!new)
739                 return -ENOMEM;
740         old = current_cred();
741
742         /* if no name is provided, install an anonymous keyring */
743         if (!name) {
744                 ret = install_session_keyring_to_cred(new, NULL);
745                 if (ret < 0)
746                         goto error;
747
748                 serial = new->tgcred->session_keyring->serial;
749                 ret = commit_creds(new);
750                 if (ret == 0)
751                         ret = serial;
752                 goto okay;
753         }
754
755         /* allow the user to join or create a named keyring */
756         mutex_lock(&key_session_mutex);
757
758         /* look for an existing keyring of this name */
759         keyring = find_keyring_by_name(name, false);
760         if (PTR_ERR(keyring) == -ENOKEY) {
761                 /* not found - try and create a new one */
762                 keyring = keyring_alloc(name, old->uid, old->gid, old,
763                                         KEY_ALLOC_IN_QUOTA, NULL);
764                 if (IS_ERR(keyring)) {
765                         ret = PTR_ERR(keyring);
766                         goto error2;
767                 }
768         } else if (IS_ERR(keyring)) {
769                 ret = PTR_ERR(keyring);
770                 goto error2;
771         }
772
773         /* we've got a keyring - now to install it */
774         ret = install_session_keyring_to_cred(new, keyring);
775         if (ret < 0)
776                 goto error2;
777
778         commit_creds(new);
779         mutex_unlock(&key_session_mutex);
780
781         ret = keyring->serial;
782         key_put(keyring);
783 okay:
784         return ret;
785
786 error2:
787         mutex_unlock(&key_session_mutex);
788 error:
789         abort_creds(new);
790         return ret;
791 }
792
793 /*
794  * Replace a process's session keyring when that process resumes userspace on
795  * behalf of one of its children
796  */
797 void key_replace_session_keyring(void)
798 {
799         const struct cred *old;
800         struct cred *new;
801
802         if (!current->replacement_session_keyring)
803                 return;
804
805         write_lock_irq(&tasklist_lock);
806         new = current->replacement_session_keyring;
807         current->replacement_session_keyring = NULL;
808         write_unlock_irq(&tasklist_lock);
809
810         if (!new)
811                 return;
812
813         old = current_cred();
814         new->  uid      = old->  uid;
815         new-> euid      = old-> euid;
816         new-> suid      = old-> suid;
817         new->fsuid      = old->fsuid;
818         new->  gid      = old->  gid;
819         new-> egid      = old-> egid;
820         new-> sgid      = old-> sgid;
821         new->fsgid      = old->fsgid;
822         new->user       = get_uid(old->user);
823         new->group_info = get_group_info(old->group_info);
824
825         new->securebits = old->securebits;
826         new->cap_inheritable    = old->cap_inheritable;
827         new->cap_permitted      = old->cap_permitted;
828         new->cap_effective      = old->cap_effective;
829         new->cap_bset           = old->cap_bset;
830
831         new->jit_keyring        = old->jit_keyring;
832         new->thread_keyring     = key_get(old->thread_keyring);
833         new->tgcred->tgid       = old->tgcred->tgid;
834         new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
835
836         security_transfer_creds(new, old);
837
838         commit_creds(new);
839 }