CRED: Make execve() take advantage of copy-on-write credentials
[linux-3.10.git] / security / keys / process_keys.c
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/keyctl.h>
17 #include <linux/fs.h>
18 #include <linux/err.h>
19 #include <linux/mutex.h>
20 #include <asm/uaccess.h>
21 #include "internal.h"
22
23 /* session keyring create vs join semaphore */
24 static DEFINE_MUTEX(key_session_mutex);
25
26 /* user keyring creation semaphore */
27 static DEFINE_MUTEX(key_user_keyring_mutex);
28
29 /* the root user's tracking struct */
30 struct key_user root_key_user = {
31         .usage          = ATOMIC_INIT(3),
32         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
33         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
34         .nkeys          = ATOMIC_INIT(2),
35         .nikeys         = ATOMIC_INIT(2),
36         .uid            = 0,
37 };
38
39 /*****************************************************************************/
40 /*
41  * install user and user session keyrings for a particular UID
42  */
43 int install_user_keyrings(void)
44 {
45         struct user_struct *user;
46         const struct cred *cred;
47         struct key *uid_keyring, *session_keyring;
48         char buf[20];
49         int ret;
50
51         cred = current_cred();
52         user = cred->user;
53
54         kenter("%p{%u}", user, user->uid);
55
56         if (user->uid_keyring) {
57                 kleave(" = 0 [exist]");
58                 return 0;
59         }
60
61         mutex_lock(&key_user_keyring_mutex);
62         ret = 0;
63
64         if (!user->uid_keyring) {
65                 /* get the UID-specific keyring
66                  * - there may be one in existence already as it may have been
67                  *   pinned by a session, but the user_struct pointing to it
68                  *   may have been destroyed by setuid */
69                 sprintf(buf, "_uid.%u", user->uid);
70
71                 uid_keyring = find_keyring_by_name(buf, true);
72                 if (IS_ERR(uid_keyring)) {
73                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
74                                                     cred, KEY_ALLOC_IN_QUOTA,
75                                                     NULL);
76                         if (IS_ERR(uid_keyring)) {
77                                 ret = PTR_ERR(uid_keyring);
78                                 goto error;
79                         }
80                 }
81
82                 /* get a default session keyring (which might also exist
83                  * already) */
84                 sprintf(buf, "_uid_ses.%u", user->uid);
85
86                 session_keyring = find_keyring_by_name(buf, true);
87                 if (IS_ERR(session_keyring)) {
88                         session_keyring =
89                                 keyring_alloc(buf, user->uid, (gid_t) -1,
90                                               cred, KEY_ALLOC_IN_QUOTA, NULL);
91                         if (IS_ERR(session_keyring)) {
92                                 ret = PTR_ERR(session_keyring);
93                                 goto error_release;
94                         }
95
96                         /* we install a link from the user session keyring to
97                          * the user keyring */
98                         ret = key_link(session_keyring, uid_keyring);
99                         if (ret < 0)
100                                 goto error_release_both;
101                 }
102
103                 /* install the keyrings */
104                 user->uid_keyring = uid_keyring;
105                 user->session_keyring = session_keyring;
106         }
107
108         mutex_unlock(&key_user_keyring_mutex);
109         kleave(" = 0");
110         return 0;
111
112 error_release_both:
113         key_put(session_keyring);
114 error_release:
115         key_put(uid_keyring);
116 error:
117         mutex_unlock(&key_user_keyring_mutex);
118         kleave(" = %d", ret);
119         return ret;
120 }
121
122 /*
123  * install a fresh thread keyring directly to new credentials
124  */
125 int install_thread_keyring_to_cred(struct cred *new)
126 {
127         struct key *keyring;
128
129         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
130                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
131         if (IS_ERR(keyring))
132                 return PTR_ERR(keyring);
133
134         new->thread_keyring = keyring;
135         return 0;
136 }
137
138 /*
139  * install a fresh thread keyring, discarding the old one
140  */
141 static int install_thread_keyring(void)
142 {
143         struct cred *new;
144         int ret;
145
146         new = prepare_creds();
147         if (!new)
148                 return -ENOMEM;
149
150         BUG_ON(new->thread_keyring);
151
152         ret = install_thread_keyring_to_cred(new);
153         if (ret < 0) {
154                 abort_creds(new);
155                 return ret;
156         }
157
158         return commit_creds(new);
159 }
160
161 /*
162  * install a process keyring directly to a credentials struct
163  * - returns -EEXIST if there was already a process keyring, 0 if one installed,
164  *   and other -ve on any other error
165  */
166 int install_process_keyring_to_cred(struct cred *new)
167 {
168         struct key *keyring;
169         int ret;
170
171         if (new->tgcred->process_keyring)
172                 return -EEXIST;
173
174         keyring = keyring_alloc("_pid", new->uid, new->gid,
175                                 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
176         if (IS_ERR(keyring))
177                 return PTR_ERR(keyring);
178
179         spin_lock_irq(&new->tgcred->lock);
180         if (!new->tgcred->process_keyring) {
181                 new->tgcred->process_keyring = keyring;
182                 keyring = NULL;
183                 ret = 0;
184         } else {
185                 ret = -EEXIST;
186         }
187         spin_unlock_irq(&new->tgcred->lock);
188         key_put(keyring);
189         return ret;
190 }
191
192 /*
193  * make sure a process keyring is installed
194  * - we
195  */
196 static int install_process_keyring(void)
197 {
198         struct cred *new;
199         int ret;
200
201         new = prepare_creds();
202         if (!new)
203                 return -ENOMEM;
204
205         ret = install_process_keyring_to_cred(new);
206         if (ret < 0) {
207                 abort_creds(new);
208                 return ret != -EEXIST ?: 0;
209         }
210
211         return commit_creds(new);
212 }
213
214 /*
215  * install a session keyring directly to a credentials struct
216  */
217 static int install_session_keyring_to_cred(struct cred *cred,
218                                            struct key *keyring)
219 {
220         unsigned long flags;
221         struct key *old;
222
223         might_sleep();
224
225         /* create an empty session keyring */
226         if (!keyring) {
227                 flags = KEY_ALLOC_QUOTA_OVERRUN;
228                 if (cred->tgcred->session_keyring)
229                         flags = KEY_ALLOC_IN_QUOTA;
230
231                 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
232                                         cred, flags, NULL);
233                 if (IS_ERR(keyring))
234                         return PTR_ERR(keyring);
235         } else {
236                 atomic_inc(&keyring->usage);
237         }
238
239         /* install the keyring */
240         spin_lock_irq(&cred->tgcred->lock);
241         old = cred->tgcred->session_keyring;
242         rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
243         spin_unlock_irq(&cred->tgcred->lock);
244
245         /* we're using RCU on the pointer, but there's no point synchronising
246          * on it if it didn't previously point to anything */
247         if (old) {
248                 synchronize_rcu();
249                 key_put(old);
250         }
251
252         return 0;
253 }
254
255 /*
256  * install a session keyring, discarding the old one
257  * - if a keyring is not supplied, an empty one is invented
258  */
259 static int install_session_keyring(struct key *keyring)
260 {
261         struct cred *new;
262         int ret;
263
264         new = prepare_creds();
265         if (!new)
266                 return -ENOMEM;
267
268         ret = install_session_keyring_to_cred(new, NULL);
269         if (ret < 0) {
270                 abort_creds(new);
271                 return ret;
272         }
273
274         return commit_creds(new);
275 }
276
277 /*****************************************************************************/
278 /*
279  * the filesystem user ID changed
280  */
281 void key_fsuid_changed(struct task_struct *tsk)
282 {
283         /* update the ownership of the thread keyring */
284         BUG_ON(!tsk->cred);
285         if (tsk->cred->thread_keyring) {
286                 down_write(&tsk->cred->thread_keyring->sem);
287                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
288                 up_write(&tsk->cred->thread_keyring->sem);
289         }
290
291 } /* end key_fsuid_changed() */
292
293 /*****************************************************************************/
294 /*
295  * the filesystem group ID changed
296  */
297 void key_fsgid_changed(struct task_struct *tsk)
298 {
299         /* update the ownership of the thread keyring */
300         BUG_ON(!tsk->cred);
301         if (tsk->cred->thread_keyring) {
302                 down_write(&tsk->cred->thread_keyring->sem);
303                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
304                 up_write(&tsk->cred->thread_keyring->sem);
305         }
306
307 } /* end key_fsgid_changed() */
308
309 /*****************************************************************************/
310 /*
311  * search the process keyrings for the first matching key
312  * - we use the supplied match function to see if the description (or other
313  *   feature of interest) matches
314  * - we return -EAGAIN if we didn't find any matching key
315  * - we return -ENOKEY if we found only negative matching keys
316  */
317 key_ref_t search_process_keyrings(struct key_type *type,
318                                   const void *description,
319                                   key_match_func_t match,
320                                   const struct cred *cred)
321 {
322         struct request_key_auth *rka;
323         key_ref_t key_ref, ret, err;
324
325         might_sleep();
326
327         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
328          * searchable, but we failed to find a key or we found a negative key;
329          * otherwise we want to return a sample error (probably -EACCES) if
330          * none of the keyrings were searchable
331          *
332          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
333          */
334         key_ref = NULL;
335         ret = NULL;
336         err = ERR_PTR(-EAGAIN);
337
338         /* search the thread keyring first */
339         if (cred->thread_keyring) {
340                 key_ref = keyring_search_aux(
341                         make_key_ref(cred->thread_keyring, 1),
342                         cred, type, description, match);
343                 if (!IS_ERR(key_ref))
344                         goto found;
345
346                 switch (PTR_ERR(key_ref)) {
347                 case -EAGAIN: /* no key */
348                         if (ret)
349                                 break;
350                 case -ENOKEY: /* negative key */
351                         ret = key_ref;
352                         break;
353                 default:
354                         err = key_ref;
355                         break;
356                 }
357         }
358
359         /* search the process keyring second */
360         if (cred->tgcred->process_keyring) {
361                 key_ref = keyring_search_aux(
362                         make_key_ref(cred->tgcred->process_keyring, 1),
363                         cred, type, description, match);
364                 if (!IS_ERR(key_ref))
365                         goto found;
366
367                 switch (PTR_ERR(key_ref)) {
368                 case -EAGAIN: /* no key */
369                         if (ret)
370                                 break;
371                 case -ENOKEY: /* negative key */
372                         ret = key_ref;
373                         break;
374                 default:
375                         err = key_ref;
376                         break;
377                 }
378         }
379
380         /* search the session keyring */
381         if (cred->tgcred->session_keyring) {
382                 rcu_read_lock();
383                 key_ref = keyring_search_aux(
384                         make_key_ref(rcu_dereference(
385                                              cred->tgcred->session_keyring),
386                                      1),
387                         cred, type, description, match);
388                 rcu_read_unlock();
389
390                 if (!IS_ERR(key_ref))
391                         goto found;
392
393                 switch (PTR_ERR(key_ref)) {
394                 case -EAGAIN: /* no key */
395                         if (ret)
396                                 break;
397                 case -ENOKEY: /* negative key */
398                         ret = key_ref;
399                         break;
400                 default:
401                         err = key_ref;
402                         break;
403                 }
404         }
405         /* or search the user-session keyring */
406         else if (cred->user->session_keyring) {
407                 key_ref = keyring_search_aux(
408                         make_key_ref(cred->user->session_keyring, 1),
409                         cred, type, description, match);
410                 if (!IS_ERR(key_ref))
411                         goto found;
412
413                 switch (PTR_ERR(key_ref)) {
414                 case -EAGAIN: /* no key */
415                         if (ret)
416                                 break;
417                 case -ENOKEY: /* negative key */
418                         ret = key_ref;
419                         break;
420                 default:
421                         err = key_ref;
422                         break;
423                 }
424         }
425
426         /* if this process has an instantiation authorisation key, then we also
427          * search the keyrings of the process mentioned there
428          * - we don't permit access to request_key auth keys via this method
429          */
430         if (cred->request_key_auth &&
431             cred == current_cred() &&
432             type != &key_type_request_key_auth
433             ) {
434                 /* defend against the auth key being revoked */
435                 down_read(&cred->request_key_auth->sem);
436
437                 if (key_validate(cred->request_key_auth) == 0) {
438                         rka = cred->request_key_auth->payload.data;
439
440                         key_ref = search_process_keyrings(type, description,
441                                                           match, rka->cred);
442
443                         up_read(&cred->request_key_auth->sem);
444
445                         if (!IS_ERR(key_ref))
446                                 goto found;
447
448                         switch (PTR_ERR(key_ref)) {
449                         case -EAGAIN: /* no key */
450                                 if (ret)
451                                         break;
452                         case -ENOKEY: /* negative key */
453                                 ret = key_ref;
454                                 break;
455                         default:
456                                 err = key_ref;
457                                 break;
458                         }
459                 } else {
460                         up_read(&cred->request_key_auth->sem);
461                 }
462         }
463
464         /* no key - decide on the error we're going to go for */
465         key_ref = ret ? ret : err;
466
467 found:
468         return key_ref;
469
470 } /* end search_process_keyrings() */
471
472 /*****************************************************************************/
473 /*
474  * see if the key we're looking at is the target key
475  */
476 static int lookup_user_key_possessed(const struct key *key, const void *target)
477 {
478         return key == target;
479
480 } /* end lookup_user_key_possessed() */
481
482 /*****************************************************************************/
483 /*
484  * lookup a key given a key ID from userspace with a given permissions mask
485  * - don't create special keyrings unless so requested
486  * - partially constructed keys aren't found unless requested
487  */
488 key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
489                           key_perm_t perm)
490 {
491         struct request_key_auth *rka;
492         const struct cred *cred;
493         struct key *key;
494         key_ref_t key_ref, skey_ref;
495         int ret;
496
497 try_again:
498         cred = get_current_cred();
499         key_ref = ERR_PTR(-ENOKEY);
500
501         switch (id) {
502         case KEY_SPEC_THREAD_KEYRING:
503                 if (!cred->thread_keyring) {
504                         if (!create)
505                                 goto error;
506
507                         ret = install_thread_keyring();
508                         if (ret < 0) {
509                                 key = ERR_PTR(ret);
510                                 goto error;
511                         }
512                         goto reget_creds;
513                 }
514
515                 key = cred->thread_keyring;
516                 atomic_inc(&key->usage);
517                 key_ref = make_key_ref(key, 1);
518                 break;
519
520         case KEY_SPEC_PROCESS_KEYRING:
521                 if (!cred->tgcred->process_keyring) {
522                         if (!create)
523                                 goto error;
524
525                         ret = install_process_keyring();
526                         if (ret < 0) {
527                                 key = ERR_PTR(ret);
528                                 goto error;
529                         }
530                         goto reget_creds;
531                 }
532
533                 key = cred->tgcred->process_keyring;
534                 atomic_inc(&key->usage);
535                 key_ref = make_key_ref(key, 1);
536                 break;
537
538         case KEY_SPEC_SESSION_KEYRING:
539                 if (!cred->tgcred->session_keyring) {
540                         /* always install a session keyring upon access if one
541                          * doesn't exist yet */
542                         ret = install_user_keyrings();
543                         if (ret < 0)
544                                 goto error;
545                         ret = install_session_keyring(
546                                 cred->user->session_keyring);
547
548                         if (ret < 0)
549                                 goto error;
550                         goto reget_creds;
551                 }
552
553                 rcu_read_lock();
554                 key = rcu_dereference(cred->tgcred->session_keyring);
555                 atomic_inc(&key->usage);
556                 rcu_read_unlock();
557                 key_ref = make_key_ref(key, 1);
558                 break;
559
560         case KEY_SPEC_USER_KEYRING:
561                 if (!cred->user->uid_keyring) {
562                         ret = install_user_keyrings();
563                         if (ret < 0)
564                                 goto error;
565                 }
566
567                 key = cred->user->uid_keyring;
568                 atomic_inc(&key->usage);
569                 key_ref = make_key_ref(key, 1);
570                 break;
571
572         case KEY_SPEC_USER_SESSION_KEYRING:
573                 if (!cred->user->session_keyring) {
574                         ret = install_user_keyrings();
575                         if (ret < 0)
576                                 goto error;
577                 }
578
579                 key = cred->user->session_keyring;
580                 atomic_inc(&key->usage);
581                 key_ref = make_key_ref(key, 1);
582                 break;
583
584         case KEY_SPEC_GROUP_KEYRING:
585                 /* group keyrings are not yet supported */
586                 key = ERR_PTR(-EINVAL);
587                 goto error;
588
589         case KEY_SPEC_REQKEY_AUTH_KEY:
590                 key = cred->request_key_auth;
591                 if (!key)
592                         goto error;
593
594                 atomic_inc(&key->usage);
595                 key_ref = make_key_ref(key, 1);
596                 break;
597
598         case KEY_SPEC_REQUESTOR_KEYRING:
599                 if (!cred->request_key_auth)
600                         goto error;
601
602                 down_read(&cred->request_key_auth->sem);
603                 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
604                         key_ref = ERR_PTR(-EKEYREVOKED);
605                         key = NULL;
606                 } else {
607                         rka = cred->request_key_auth->payload.data;
608                         key = rka->dest_keyring;
609                         atomic_inc(&key->usage);
610                 }
611                 up_read(&cred->request_key_auth->sem);
612                 if (!key)
613                         goto error;
614                 key_ref = make_key_ref(key, 1);
615                 break;
616
617         default:
618                 key_ref = ERR_PTR(-EINVAL);
619                 if (id < 1)
620                         goto error;
621
622                 key = key_lookup(id);
623                 if (IS_ERR(key)) {
624                         key_ref = ERR_CAST(key);
625                         goto error;
626                 }
627
628                 key_ref = make_key_ref(key, 0);
629
630                 /* check to see if we possess the key */
631                 skey_ref = search_process_keyrings(key->type, key,
632                                                    lookup_user_key_possessed,
633                                                    cred);
634
635                 if (!IS_ERR(skey_ref)) {
636                         key_put(key);
637                         key_ref = skey_ref;
638                 }
639
640                 break;
641         }
642
643         if (!partial) {
644                 ret = wait_for_key_construction(key, true);
645                 switch (ret) {
646                 case -ERESTARTSYS:
647                         goto invalid_key;
648                 default:
649                         if (perm)
650                                 goto invalid_key;
651                 case 0:
652                         break;
653                 }
654         } else if (perm) {
655                 ret = key_validate(key);
656                 if (ret < 0)
657                         goto invalid_key;
658         }
659
660         ret = -EIO;
661         if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
662                 goto invalid_key;
663
664         /* check the permissions */
665         ret = key_task_permission(key_ref, cred, perm);
666         if (ret < 0)
667                 goto invalid_key;
668
669 error:
670         put_cred(cred);
671         return key_ref;
672
673 invalid_key:
674         key_ref_put(key_ref);
675         key_ref = ERR_PTR(ret);
676         goto error;
677
678         /* if we attempted to install a keyring, then it may have caused new
679          * creds to be installed */
680 reget_creds:
681         put_cred(cred);
682         goto try_again;
683
684 } /* end lookup_user_key() */
685
686 /*****************************************************************************/
687 /*
688  * join the named keyring as the session keyring if possible, or attempt to
689  * create a new one of that name if not
690  * - if the name is NULL, an empty anonymous keyring is installed instead
691  * - named session keyring joining is done with a semaphore held
692  */
693 long join_session_keyring(const char *name)
694 {
695         const struct cred *old;
696         struct cred *new;
697         struct key *keyring;
698         long ret, serial;
699
700         /* only permit this if there's a single thread in the thread group -
701          * this avoids us having to adjust the creds on all threads and risking
702          * ENOMEM */
703         if (!is_single_threaded(current))
704                 return -EMLINK;
705
706         new = prepare_creds();
707         if (!new)
708                 return -ENOMEM;
709         old = current_cred();
710
711         /* if no name is provided, install an anonymous keyring */
712         if (!name) {
713                 ret = install_session_keyring_to_cred(new, NULL);
714                 if (ret < 0)
715                         goto error;
716
717                 serial = new->tgcred->session_keyring->serial;
718                 ret = commit_creds(new);
719                 if (ret == 0)
720                         ret = serial;
721                 goto okay;
722         }
723
724         /* allow the user to join or create a named keyring */
725         mutex_lock(&key_session_mutex);
726
727         /* look for an existing keyring of this name */
728         keyring = find_keyring_by_name(name, false);
729         if (PTR_ERR(keyring) == -ENOKEY) {
730                 /* not found - try and create a new one */
731                 keyring = keyring_alloc(name, old->uid, old->gid, old,
732                                         KEY_ALLOC_IN_QUOTA, NULL);
733                 if (IS_ERR(keyring)) {
734                         ret = PTR_ERR(keyring);
735                         goto error2;
736                 }
737         } else if (IS_ERR(keyring)) {
738                 ret = PTR_ERR(keyring);
739                 goto error2;
740         }
741
742         /* we've got a keyring - now to install it */
743         ret = install_session_keyring_to_cred(new, keyring);
744         if (ret < 0)
745                 goto error2;
746
747         commit_creds(new);
748         mutex_unlock(&key_session_mutex);
749
750         ret = keyring->serial;
751         key_put(keyring);
752 okay:
753         return ret;
754
755 error2:
756         mutex_unlock(&key_session_mutex);
757 error:
758         abort_creds(new);
759         return ret;
760 }