CRED: Inaugurate COW credentials
[linux-2.6.git] / security / keys / process_keys.c
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/keyctl.h>
17 #include <linux/fs.h>
18 #include <linux/err.h>
19 #include <linux/mutex.h>
20 #include <asm/uaccess.h>
21 #include "internal.h"
22
23 /* session keyring create vs join semaphore */
24 static DEFINE_MUTEX(key_session_mutex);
25
26 /* user keyring creation semaphore */
27 static DEFINE_MUTEX(key_user_keyring_mutex);
28
29 /* the root user's tracking struct */
30 struct key_user root_key_user = {
31         .usage          = ATOMIC_INIT(3),
32         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
33         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
34         .nkeys          = ATOMIC_INIT(2),
35         .nikeys         = ATOMIC_INIT(2),
36         .uid            = 0,
37 };
38
39 /*****************************************************************************/
40 /*
41  * install user and user session keyrings for a particular UID
42  */
43 int install_user_keyrings(void)
44 {
45         struct user_struct *user;
46         const struct cred *cred;
47         struct key *uid_keyring, *session_keyring;
48         char buf[20];
49         int ret;
50
51         cred = current_cred();
52         user = cred->user;
53
54         kenter("%p{%u}", user, user->uid);
55
56         if (user->uid_keyring) {
57                 kleave(" = 0 [exist]");
58                 return 0;
59         }
60
61         mutex_lock(&key_user_keyring_mutex);
62         ret = 0;
63
64         if (!user->uid_keyring) {
65                 /* get the UID-specific keyring
66                  * - there may be one in existence already as it may have been
67                  *   pinned by a session, but the user_struct pointing to it
68                  *   may have been destroyed by setuid */
69                 sprintf(buf, "_uid.%u", user->uid);
70
71                 uid_keyring = find_keyring_by_name(buf, true);
72                 if (IS_ERR(uid_keyring)) {
73                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
74                                                     cred, KEY_ALLOC_IN_QUOTA,
75                                                     NULL);
76                         if (IS_ERR(uid_keyring)) {
77                                 ret = PTR_ERR(uid_keyring);
78                                 goto error;
79                         }
80                 }
81
82                 /* get a default session keyring (which might also exist
83                  * already) */
84                 sprintf(buf, "_uid_ses.%u", user->uid);
85
86                 session_keyring = find_keyring_by_name(buf, true);
87                 if (IS_ERR(session_keyring)) {
88                         session_keyring =
89                                 keyring_alloc(buf, user->uid, (gid_t) -1,
90                                               cred, KEY_ALLOC_IN_QUOTA, NULL);
91                         if (IS_ERR(session_keyring)) {
92                                 ret = PTR_ERR(session_keyring);
93                                 goto error_release;
94                         }
95
96                         /* we install a link from the user session keyring to
97                          * the user keyring */
98                         ret = key_link(session_keyring, uid_keyring);
99                         if (ret < 0)
100                                 goto error_release_both;
101                 }
102
103                 /* install the keyrings */
104                 user->uid_keyring = uid_keyring;
105                 user->session_keyring = session_keyring;
106         }
107
108         mutex_unlock(&key_user_keyring_mutex);
109         kleave(" = 0");
110         return 0;
111
112 error_release_both:
113         key_put(session_keyring);
114 error_release:
115         key_put(uid_keyring);
116 error:
117         mutex_unlock(&key_user_keyring_mutex);
118         kleave(" = %d", ret);
119         return ret;
120 }
121
122 /*
123  * install a fresh thread keyring directly to new credentials
124  */
125 int install_thread_keyring_to_cred(struct cred *new)
126 {
127         struct key *keyring;
128
129         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
130                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
131         if (IS_ERR(keyring))
132                 return PTR_ERR(keyring);
133
134         new->thread_keyring = keyring;
135         return 0;
136 }
137
138 /*
139  * install a fresh thread keyring, discarding the old one
140  */
141 static int install_thread_keyring(void)
142 {
143         struct cred *new;
144         int ret;
145
146         new = prepare_creds();
147         if (!new)
148                 return -ENOMEM;
149
150         BUG_ON(new->thread_keyring);
151
152         ret = install_thread_keyring_to_cred(new);
153         if (ret < 0) {
154                 abort_creds(new);
155                 return ret;
156         }
157
158         return commit_creds(new);
159 }
160
161 /*
162  * install a process keyring directly to a credentials struct
163  * - returns -EEXIST if there was already a process keyring, 0 if one installed,
164  *   and other -ve on any other error
165  */
166 int install_process_keyring_to_cred(struct cred *new)
167 {
168         struct key *keyring;
169         int ret;
170
171         if (new->tgcred->process_keyring)
172                 return -EEXIST;
173
174         keyring = keyring_alloc("_pid", new->uid, new->gid,
175                                 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
176         if (IS_ERR(keyring))
177                 return PTR_ERR(keyring);
178
179         spin_lock_irq(&new->tgcred->lock);
180         if (!new->tgcred->process_keyring) {
181                 new->tgcred->process_keyring = keyring;
182                 keyring = NULL;
183                 ret = 0;
184         } else {
185                 ret = -EEXIST;
186         }
187         spin_unlock_irq(&new->tgcred->lock);
188         key_put(keyring);
189         return ret;
190 }
191
192 /*
193  * make sure a process keyring is installed
194  * - we
195  */
196 static int install_process_keyring(void)
197 {
198         struct cred *new;
199         int ret;
200
201         new = prepare_creds();
202         if (!new)
203                 return -ENOMEM;
204
205         ret = install_process_keyring_to_cred(new);
206         if (ret < 0) {
207                 abort_creds(new);
208                 return ret != -EEXIST ?: 0;
209         }
210
211         return commit_creds(new);
212 }
213
214 /*
215  * install a session keyring directly to a credentials struct
216  */
217 static int install_session_keyring_to_cred(struct cred *cred,
218                                            struct key *keyring)
219 {
220         unsigned long flags;
221         struct key *old;
222
223         might_sleep();
224
225         /* create an empty session keyring */
226         if (!keyring) {
227                 flags = KEY_ALLOC_QUOTA_OVERRUN;
228                 if (cred->tgcred->session_keyring)
229                         flags = KEY_ALLOC_IN_QUOTA;
230
231                 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
232                                         cred, flags, NULL);
233                 if (IS_ERR(keyring))
234                         return PTR_ERR(keyring);
235         } else {
236                 atomic_inc(&keyring->usage);
237         }
238
239         /* install the keyring */
240         spin_lock_irq(&cred->tgcred->lock);
241         old = cred->tgcred->session_keyring;
242         rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
243         spin_unlock_irq(&cred->tgcred->lock);
244
245         /* we're using RCU on the pointer, but there's no point synchronising
246          * on it if it didn't previously point to anything */
247         if (old) {
248                 synchronize_rcu();
249                 key_put(old);
250         }
251
252         return 0;
253 }
254
255 /*
256  * install a session keyring, discarding the old one
257  * - if a keyring is not supplied, an empty one is invented
258  */
259 static int install_session_keyring(struct key *keyring)
260 {
261         struct cred *new;
262         int ret;
263
264         new = prepare_creds();
265         if (!new)
266                 return -ENOMEM;
267
268         ret = install_session_keyring_to_cred(new, NULL);
269         if (ret < 0) {
270                 abort_creds(new);
271                 return ret;
272         }
273
274         return commit_creds(new);
275 }
276
277 /*****************************************************************************/
278 /*
279  * deal with execve()
280  */
281 int exec_keys(struct task_struct *tsk)
282 {
283         struct thread_group_cred *tgcred = NULL;
284         struct cred *new;
285
286 #ifdef CONFIG_KEYS
287         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
288         if (!tgcred)
289                 return -ENOMEM;
290 #endif
291
292         new = prepare_creds();
293         if (new < 0)
294                 return -ENOMEM;
295
296         /* newly exec'd tasks don't get a thread keyring */
297         key_put(new->thread_keyring);
298         new->thread_keyring = NULL;
299
300         /* create a new per-thread-group creds for all this set of threads to
301          * share */
302         memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
303
304         atomic_set(&tgcred->usage, 1);
305         spin_lock_init(&tgcred->lock);
306
307         /* inherit the session keyring; new process keyring */
308         key_get(tgcred->session_keyring);
309         tgcred->process_keyring = NULL;
310
311         release_tgcred(new);
312         new->tgcred = tgcred;
313
314         commit_creds(new);
315         return 0;
316
317 } /* end exec_keys() */
318
319 /*****************************************************************************/
320 /*
321  * the filesystem user ID changed
322  */
323 void key_fsuid_changed(struct task_struct *tsk)
324 {
325         /* update the ownership of the thread keyring */
326         BUG_ON(!tsk->cred);
327         if (tsk->cred->thread_keyring) {
328                 down_write(&tsk->cred->thread_keyring->sem);
329                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
330                 up_write(&tsk->cred->thread_keyring->sem);
331         }
332
333 } /* end key_fsuid_changed() */
334
335 /*****************************************************************************/
336 /*
337  * the filesystem group ID changed
338  */
339 void key_fsgid_changed(struct task_struct *tsk)
340 {
341         /* update the ownership of the thread keyring */
342         BUG_ON(!tsk->cred);
343         if (tsk->cred->thread_keyring) {
344                 down_write(&tsk->cred->thread_keyring->sem);
345                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
346                 up_write(&tsk->cred->thread_keyring->sem);
347         }
348
349 } /* end key_fsgid_changed() */
350
351 /*****************************************************************************/
352 /*
353  * search the process keyrings for the first matching key
354  * - we use the supplied match function to see if the description (or other
355  *   feature of interest) matches
356  * - we return -EAGAIN if we didn't find any matching key
357  * - we return -ENOKEY if we found only negative matching keys
358  */
359 key_ref_t search_process_keyrings(struct key_type *type,
360                                   const void *description,
361                                   key_match_func_t match,
362                                   const struct cred *cred)
363 {
364         struct request_key_auth *rka;
365         key_ref_t key_ref, ret, err;
366
367         might_sleep();
368
369         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
370          * searchable, but we failed to find a key or we found a negative key;
371          * otherwise we want to return a sample error (probably -EACCES) if
372          * none of the keyrings were searchable
373          *
374          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
375          */
376         key_ref = NULL;
377         ret = NULL;
378         err = ERR_PTR(-EAGAIN);
379
380         /* search the thread keyring first */
381         if (cred->thread_keyring) {
382                 key_ref = keyring_search_aux(
383                         make_key_ref(cred->thread_keyring, 1),
384                         cred, type, description, match);
385                 if (!IS_ERR(key_ref))
386                         goto found;
387
388                 switch (PTR_ERR(key_ref)) {
389                 case -EAGAIN: /* no key */
390                         if (ret)
391                                 break;
392                 case -ENOKEY: /* negative key */
393                         ret = key_ref;
394                         break;
395                 default:
396                         err = key_ref;
397                         break;
398                 }
399         }
400
401         /* search the process keyring second */
402         if (cred->tgcred->process_keyring) {
403                 key_ref = keyring_search_aux(
404                         make_key_ref(cred->tgcred->process_keyring, 1),
405                         cred, type, description, match);
406                 if (!IS_ERR(key_ref))
407                         goto found;
408
409                 switch (PTR_ERR(key_ref)) {
410                 case -EAGAIN: /* no key */
411                         if (ret)
412                                 break;
413                 case -ENOKEY: /* negative key */
414                         ret = key_ref;
415                         break;
416                 default:
417                         err = key_ref;
418                         break;
419                 }
420         }
421
422         /* search the session keyring */
423         if (cred->tgcred->session_keyring) {
424                 rcu_read_lock();
425                 key_ref = keyring_search_aux(
426                         make_key_ref(rcu_dereference(
427                                              cred->tgcred->session_keyring),
428                                      1),
429                         cred, type, description, match);
430                 rcu_read_unlock();
431
432                 if (!IS_ERR(key_ref))
433                         goto found;
434
435                 switch (PTR_ERR(key_ref)) {
436                 case -EAGAIN: /* no key */
437                         if (ret)
438                                 break;
439                 case -ENOKEY: /* negative key */
440                         ret = key_ref;
441                         break;
442                 default:
443                         err = key_ref;
444                         break;
445                 }
446         }
447         /* or search the user-session keyring */
448         else if (cred->user->session_keyring) {
449                 key_ref = keyring_search_aux(
450                         make_key_ref(cred->user->session_keyring, 1),
451                         cred, type, description, match);
452                 if (!IS_ERR(key_ref))
453                         goto found;
454
455                 switch (PTR_ERR(key_ref)) {
456                 case -EAGAIN: /* no key */
457                         if (ret)
458                                 break;
459                 case -ENOKEY: /* negative key */
460                         ret = key_ref;
461                         break;
462                 default:
463                         err = key_ref;
464                         break;
465                 }
466         }
467
468         /* if this process has an instantiation authorisation key, then we also
469          * search the keyrings of the process mentioned there
470          * - we don't permit access to request_key auth keys via this method
471          */
472         if (cred->request_key_auth &&
473             cred == current_cred() &&
474             type != &key_type_request_key_auth
475             ) {
476                 /* defend against the auth key being revoked */
477                 down_read(&cred->request_key_auth->sem);
478
479                 if (key_validate(cred->request_key_auth) == 0) {
480                         rka = cred->request_key_auth->payload.data;
481
482                         key_ref = search_process_keyrings(type, description,
483                                                           match, rka->cred);
484
485                         up_read(&cred->request_key_auth->sem);
486
487                         if (!IS_ERR(key_ref))
488                                 goto found;
489
490                         switch (PTR_ERR(key_ref)) {
491                         case -EAGAIN: /* no key */
492                                 if (ret)
493                                         break;
494                         case -ENOKEY: /* negative key */
495                                 ret = key_ref;
496                                 break;
497                         default:
498                                 err = key_ref;
499                                 break;
500                         }
501                 } else {
502                         up_read(&cred->request_key_auth->sem);
503                 }
504         }
505
506         /* no key - decide on the error we're going to go for */
507         key_ref = ret ? ret : err;
508
509 found:
510         return key_ref;
511
512 } /* end search_process_keyrings() */
513
514 /*****************************************************************************/
515 /*
516  * see if the key we're looking at is the target key
517  */
518 static int lookup_user_key_possessed(const struct key *key, const void *target)
519 {
520         return key == target;
521
522 } /* end lookup_user_key_possessed() */
523
524 /*****************************************************************************/
525 /*
526  * lookup a key given a key ID from userspace with a given permissions mask
527  * - don't create special keyrings unless so requested
528  * - partially constructed keys aren't found unless requested
529  */
530 key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
531                           key_perm_t perm)
532 {
533         struct request_key_auth *rka;
534         const struct cred *cred;
535         struct key *key;
536         key_ref_t key_ref, skey_ref;
537         int ret;
538
539 try_again:
540         cred = get_current_cred();
541         key_ref = ERR_PTR(-ENOKEY);
542
543         switch (id) {
544         case KEY_SPEC_THREAD_KEYRING:
545                 if (!cred->thread_keyring) {
546                         if (!create)
547                                 goto error;
548
549                         ret = install_thread_keyring();
550                         if (ret < 0) {
551                                 key = ERR_PTR(ret);
552                                 goto error;
553                         }
554                         goto reget_creds;
555                 }
556
557                 key = cred->thread_keyring;
558                 atomic_inc(&key->usage);
559                 key_ref = make_key_ref(key, 1);
560                 break;
561
562         case KEY_SPEC_PROCESS_KEYRING:
563                 if (!cred->tgcred->process_keyring) {
564                         if (!create)
565                                 goto error;
566
567                         ret = install_process_keyring();
568                         if (ret < 0) {
569                                 key = ERR_PTR(ret);
570                                 goto error;
571                         }
572                         goto reget_creds;
573                 }
574
575                 key = cred->tgcred->process_keyring;
576                 atomic_inc(&key->usage);
577                 key_ref = make_key_ref(key, 1);
578                 break;
579
580         case KEY_SPEC_SESSION_KEYRING:
581                 if (!cred->tgcred->session_keyring) {
582                         /* always install a session keyring upon access if one
583                          * doesn't exist yet */
584                         ret = install_user_keyrings();
585                         if (ret < 0)
586                                 goto error;
587                         ret = install_session_keyring(
588                                 cred->user->session_keyring);
589
590                         if (ret < 0)
591                                 goto error;
592                         goto reget_creds;
593                 }
594
595                 rcu_read_lock();
596                 key = rcu_dereference(cred->tgcred->session_keyring);
597                 atomic_inc(&key->usage);
598                 rcu_read_unlock();
599                 key_ref = make_key_ref(key, 1);
600                 break;
601
602         case KEY_SPEC_USER_KEYRING:
603                 if (!cred->user->uid_keyring) {
604                         ret = install_user_keyrings();
605                         if (ret < 0)
606                                 goto error;
607                 }
608
609                 key = cred->user->uid_keyring;
610                 atomic_inc(&key->usage);
611                 key_ref = make_key_ref(key, 1);
612                 break;
613
614         case KEY_SPEC_USER_SESSION_KEYRING:
615                 if (!cred->user->session_keyring) {
616                         ret = install_user_keyrings();
617                         if (ret < 0)
618                                 goto error;
619                 }
620
621                 key = cred->user->session_keyring;
622                 atomic_inc(&key->usage);
623                 key_ref = make_key_ref(key, 1);
624                 break;
625
626         case KEY_SPEC_GROUP_KEYRING:
627                 /* group keyrings are not yet supported */
628                 key = ERR_PTR(-EINVAL);
629                 goto error;
630
631         case KEY_SPEC_REQKEY_AUTH_KEY:
632                 key = cred->request_key_auth;
633                 if (!key)
634                         goto error;
635
636                 atomic_inc(&key->usage);
637                 key_ref = make_key_ref(key, 1);
638                 break;
639
640         case KEY_SPEC_REQUESTOR_KEYRING:
641                 if (!cred->request_key_auth)
642                         goto error;
643
644                 down_read(&cred->request_key_auth->sem);
645                 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
646                         key_ref = ERR_PTR(-EKEYREVOKED);
647                         key = NULL;
648                 } else {
649                         rka = cred->request_key_auth->payload.data;
650                         key = rka->dest_keyring;
651                         atomic_inc(&key->usage);
652                 }
653                 up_read(&cred->request_key_auth->sem);
654                 if (!key)
655                         goto error;
656                 key_ref = make_key_ref(key, 1);
657                 break;
658
659         default:
660                 key_ref = ERR_PTR(-EINVAL);
661                 if (id < 1)
662                         goto error;
663
664                 key = key_lookup(id);
665                 if (IS_ERR(key)) {
666                         key_ref = ERR_CAST(key);
667                         goto error;
668                 }
669
670                 key_ref = make_key_ref(key, 0);
671
672                 /* check to see if we possess the key */
673                 skey_ref = search_process_keyrings(key->type, key,
674                                                    lookup_user_key_possessed,
675                                                    cred);
676
677                 if (!IS_ERR(skey_ref)) {
678                         key_put(key);
679                         key_ref = skey_ref;
680                 }
681
682                 break;
683         }
684
685         if (!partial) {
686                 ret = wait_for_key_construction(key, true);
687                 switch (ret) {
688                 case -ERESTARTSYS:
689                         goto invalid_key;
690                 default:
691                         if (perm)
692                                 goto invalid_key;
693                 case 0:
694                         break;
695                 }
696         } else if (perm) {
697                 ret = key_validate(key);
698                 if (ret < 0)
699                         goto invalid_key;
700         }
701
702         ret = -EIO;
703         if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
704                 goto invalid_key;
705
706         /* check the permissions */
707         ret = key_task_permission(key_ref, cred, perm);
708         if (ret < 0)
709                 goto invalid_key;
710
711 error:
712         put_cred(cred);
713         return key_ref;
714
715 invalid_key:
716         key_ref_put(key_ref);
717         key_ref = ERR_PTR(ret);
718         goto error;
719
720         /* if we attempted to install a keyring, then it may have caused new
721          * creds to be installed */
722 reget_creds:
723         put_cred(cred);
724         goto try_again;
725
726 } /* end lookup_user_key() */
727
728 /*****************************************************************************/
729 /*
730  * join the named keyring as the session keyring if possible, or attempt to
731  * create a new one of that name if not
732  * - if the name is NULL, an empty anonymous keyring is installed instead
733  * - named session keyring joining is done with a semaphore held
734  */
735 long join_session_keyring(const char *name)
736 {
737         const struct cred *old;
738         struct cred *new;
739         struct key *keyring;
740         long ret, serial;
741
742         /* only permit this if there's a single thread in the thread group -
743          * this avoids us having to adjust the creds on all threads and risking
744          * ENOMEM */
745         if (!is_single_threaded(current))
746                 return -EMLINK;
747
748         new = prepare_creds();
749         if (!new)
750                 return -ENOMEM;
751         old = current_cred();
752
753         /* if no name is provided, install an anonymous keyring */
754         if (!name) {
755                 ret = install_session_keyring_to_cred(new, NULL);
756                 if (ret < 0)
757                         goto error;
758
759                 serial = new->tgcred->session_keyring->serial;
760                 ret = commit_creds(new);
761                 if (ret == 0)
762                         ret = serial;
763                 goto okay;
764         }
765
766         /* allow the user to join or create a named keyring */
767         mutex_lock(&key_session_mutex);
768
769         /* look for an existing keyring of this name */
770         keyring = find_keyring_by_name(name, false);
771         if (PTR_ERR(keyring) == -ENOKEY) {
772                 /* not found - try and create a new one */
773                 keyring = keyring_alloc(name, old->uid, old->gid, old,
774                                         KEY_ALLOC_IN_QUOTA, NULL);
775                 if (IS_ERR(keyring)) {
776                         ret = PTR_ERR(keyring);
777                         goto error2;
778                 }
779         } else if (IS_ERR(keyring)) {
780                 ret = PTR_ERR(keyring);
781                 goto error2;
782         }
783
784         /* we've got a keyring - now to install it */
785         ret = install_session_keyring_to_cred(new, keyring);
786         if (ret < 0)
787                 goto error2;
788
789         commit_creds(new);
790         mutex_unlock(&key_session_mutex);
791
792         ret = keyring->serial;
793         key_put(keyring);
794 okay:
795         return ret;
796
797 error2:
798         mutex_unlock(&key_session_mutex);
799 error:
800         abort_creds(new);
801         return ret;
802 }