1c793b7090a75be3c1412bba294af1ddd32b1332
[linux-3.10.git] / security / keys / process_keys.c
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/keyctl.h>
17 #include <linux/fs.h>
18 #include <linux/err.h>
19 #include <linux/mutex.h>
20 #include <asm/uaccess.h>
21 #include "internal.h"
22
23 /* session keyring create vs join semaphore */
24 static DEFINE_MUTEX(key_session_mutex);
25
26 /* user keyring creation semaphore */
27 static DEFINE_MUTEX(key_user_keyring_mutex);
28
29 /* the root user's tracking struct */
30 struct key_user root_key_user = {
31         .usage          = ATOMIC_INIT(3),
32         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
33         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
34         .nkeys          = ATOMIC_INIT(2),
35         .nikeys         = ATOMIC_INIT(2),
36         .uid            = 0,
37 };
38
39 /*****************************************************************************/
40 /*
41  * install user and user session keyrings for a particular UID
42  */
43 int install_user_keyrings(void)
44 {
45         struct user_struct *user = current->user;
46         struct key *uid_keyring, *session_keyring;
47         char buf[20];
48         int ret;
49
50         kenter("%p{%u}", user, user->uid);
51
52         if (user->uid_keyring) {
53                 kleave(" = 0 [exist]");
54                 return 0;
55         }
56
57         mutex_lock(&key_user_keyring_mutex);
58         ret = 0;
59
60         if (!user->uid_keyring) {
61                 /* get the UID-specific keyring
62                  * - there may be one in existence already as it may have been
63                  *   pinned by a session, but the user_struct pointing to it
64                  *   may have been destroyed by setuid */
65                 sprintf(buf, "_uid.%u", user->uid);
66
67                 uid_keyring = find_keyring_by_name(buf, true);
68                 if (IS_ERR(uid_keyring)) {
69                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
70                                                     current, KEY_ALLOC_IN_QUOTA,
71                                                     NULL);
72                         if (IS_ERR(uid_keyring)) {
73                                 ret = PTR_ERR(uid_keyring);
74                                 goto error;
75                         }
76                 }
77
78                 /* get a default session keyring (which might also exist
79                  * already) */
80                 sprintf(buf, "_uid_ses.%u", user->uid);
81
82                 session_keyring = find_keyring_by_name(buf, true);
83                 if (IS_ERR(session_keyring)) {
84                         session_keyring =
85                                 keyring_alloc(buf, user->uid, (gid_t) -1,
86                                               current, KEY_ALLOC_IN_QUOTA,
87                                               NULL);
88                         if (IS_ERR(session_keyring)) {
89                                 ret = PTR_ERR(session_keyring);
90                                 goto error_release;
91                         }
92
93                         /* we install a link from the user session keyring to
94                          * the user keyring */
95                         ret = key_link(session_keyring, uid_keyring);
96                         if (ret < 0)
97                                 goto error_release_both;
98                 }
99
100                 /* install the keyrings */
101                 user->uid_keyring = uid_keyring;
102                 user->session_keyring = session_keyring;
103         }
104
105         mutex_unlock(&key_user_keyring_mutex);
106         kleave(" = 0");
107         return 0;
108
109 error_release_both:
110         key_put(session_keyring);
111 error_release:
112         key_put(uid_keyring);
113 error:
114         mutex_unlock(&key_user_keyring_mutex);
115         kleave(" = %d", ret);
116         return ret;
117 }
118
119 /*****************************************************************************/
120 /*
121  * deal with the UID changing
122  */
123 void switch_uid_keyring(struct user_struct *new_user)
124 {
125 #if 0 /* do nothing for now */
126         struct key *old;
127
128         /* switch to the new user's session keyring if we were running under
129          * root's default session keyring */
130         if (new_user->uid != 0 &&
131             current->session_keyring == &root_session_keyring
132             ) {
133                 atomic_inc(&new_user->session_keyring->usage);
134
135                 task_lock(current);
136                 old = current->session_keyring;
137                 current->session_keyring = new_user->session_keyring;
138                 task_unlock(current);
139
140                 key_put(old);
141         }
142 #endif
143
144 } /* end switch_uid_keyring() */
145
146 /*****************************************************************************/
147 /*
148  * install a fresh thread keyring, discarding the old one
149  */
150 int install_thread_keyring(void)
151 {
152         struct task_struct *tsk = current;
153         struct key *keyring, *old;
154         char buf[20];
155         int ret;
156
157         sprintf(buf, "_tid.%u", tsk->pid);
158
159         keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
160                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
161         if (IS_ERR(keyring)) {
162                 ret = PTR_ERR(keyring);
163                 goto error;
164         }
165
166         task_lock(tsk);
167         old = tsk->thread_keyring;
168         tsk->thread_keyring = keyring;
169         task_unlock(tsk);
170
171         ret = 0;
172
173         key_put(old);
174 error:
175         return ret;
176
177 } /* end install_thread_keyring() */
178
179 /*****************************************************************************/
180 /*
181  * make sure a process keyring is installed
182  */
183 int install_process_keyring(void)
184 {
185         struct task_struct *tsk = current;
186         struct key *keyring;
187         char buf[20];
188         int ret;
189
190         might_sleep();
191
192         if (!tsk->signal->process_keyring) {
193                 sprintf(buf, "_pid.%u", tsk->tgid);
194
195                 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
196                                         KEY_ALLOC_QUOTA_OVERRUN, NULL);
197                 if (IS_ERR(keyring)) {
198                         ret = PTR_ERR(keyring);
199                         goto error;
200                 }
201
202                 /* attach keyring */
203                 spin_lock_irq(&tsk->sighand->siglock);
204                 if (!tsk->signal->process_keyring) {
205                         tsk->signal->process_keyring = keyring;
206                         keyring = NULL;
207                 }
208                 spin_unlock_irq(&tsk->sighand->siglock);
209
210                 key_put(keyring);
211         }
212
213         ret = 0;
214 error:
215         return ret;
216
217 } /* end install_process_keyring() */
218
219 /*****************************************************************************/
220 /*
221  * install a session keyring, discarding the old one
222  * - if a keyring is not supplied, an empty one is invented
223  */
224 static int install_session_keyring(struct key *keyring)
225 {
226         struct task_struct *tsk = current;
227         unsigned long flags;
228         struct key *old;
229         char buf[20];
230
231         might_sleep();
232
233         /* create an empty session keyring */
234         if (!keyring) {
235                 sprintf(buf, "_ses.%u", tsk->tgid);
236
237                 flags = KEY_ALLOC_QUOTA_OVERRUN;
238                 if (tsk->signal->session_keyring)
239                         flags = KEY_ALLOC_IN_QUOTA;
240
241                 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
242                                         flags, NULL);
243                 if (IS_ERR(keyring))
244                         return PTR_ERR(keyring);
245         }
246         else {
247                 atomic_inc(&keyring->usage);
248         }
249
250         /* install the keyring */
251         spin_lock_irq(&tsk->sighand->siglock);
252         old = tsk->signal->session_keyring;
253         rcu_assign_pointer(tsk->signal->session_keyring, keyring);
254         spin_unlock_irq(&tsk->sighand->siglock);
255
256         /* we're using RCU on the pointer, but there's no point synchronising
257          * on it if it didn't previously point to anything */
258         if (old) {
259                 synchronize_rcu();
260                 key_put(old);
261         }
262
263         return 0;
264
265 } /* end install_session_keyring() */
266
267 /*****************************************************************************/
268 /*
269  * copy the keys in a thread group for fork without CLONE_THREAD
270  */
271 int copy_thread_group_keys(struct task_struct *tsk)
272 {
273         key_check(current->thread_group->session_keyring);
274         key_check(current->thread_group->process_keyring);
275
276         /* no process keyring yet */
277         tsk->signal->process_keyring = NULL;
278
279         /* same session keyring */
280         rcu_read_lock();
281         tsk->signal->session_keyring =
282                 key_get(rcu_dereference(current->signal->session_keyring));
283         rcu_read_unlock();
284
285         return 0;
286
287 } /* end copy_thread_group_keys() */
288
289 /*****************************************************************************/
290 /*
291  * copy the keys for fork
292  */
293 int copy_keys(unsigned long clone_flags, struct task_struct *tsk)
294 {
295         key_check(tsk->thread_keyring);
296         key_check(tsk->request_key_auth);
297
298         /* no thread keyring yet */
299         tsk->thread_keyring = NULL;
300
301         /* copy the request_key() authorisation for this thread */
302         key_get(tsk->request_key_auth);
303
304         return 0;
305
306 } /* end copy_keys() */
307
308 /*****************************************************************************/
309 /*
310  * dispose of thread group keys upon thread group destruction
311  */
312 void exit_thread_group_keys(struct signal_struct *tg)
313 {
314         key_put(tg->session_keyring);
315         key_put(tg->process_keyring);
316
317 } /* end exit_thread_group_keys() */
318
319 /*****************************************************************************/
320 /*
321  * dispose of per-thread keys upon thread exit
322  */
323 void exit_keys(struct task_struct *tsk)
324 {
325         key_put(tsk->thread_keyring);
326         key_put(tsk->request_key_auth);
327
328 } /* end exit_keys() */
329
330 /*****************************************************************************/
331 /*
332  * deal with execve()
333  */
334 int exec_keys(struct task_struct *tsk)
335 {
336         struct key *old;
337
338         /* newly exec'd tasks don't get a thread keyring */
339         task_lock(tsk);
340         old = tsk->thread_keyring;
341         tsk->thread_keyring = NULL;
342         task_unlock(tsk);
343
344         key_put(old);
345
346         /* discard the process keyring from a newly exec'd task */
347         spin_lock_irq(&tsk->sighand->siglock);
348         old = tsk->signal->process_keyring;
349         tsk->signal->process_keyring = NULL;
350         spin_unlock_irq(&tsk->sighand->siglock);
351
352         key_put(old);
353
354         return 0;
355
356 } /* end exec_keys() */
357
358 /*****************************************************************************/
359 /*
360  * deal with SUID programs
361  * - we might want to make this invent a new session keyring
362  */
363 int suid_keys(struct task_struct *tsk)
364 {
365         return 0;
366
367 } /* end suid_keys() */
368
369 /*****************************************************************************/
370 /*
371  * the filesystem user ID changed
372  */
373 void key_fsuid_changed(struct task_struct *tsk)
374 {
375         /* update the ownership of the thread keyring */
376         if (tsk->thread_keyring) {
377                 down_write(&tsk->thread_keyring->sem);
378                 tsk->thread_keyring->uid = tsk->fsuid;
379                 up_write(&tsk->thread_keyring->sem);
380         }
381
382 } /* end key_fsuid_changed() */
383
384 /*****************************************************************************/
385 /*
386  * the filesystem group ID changed
387  */
388 void key_fsgid_changed(struct task_struct *tsk)
389 {
390         /* update the ownership of the thread keyring */
391         if (tsk->thread_keyring) {
392                 down_write(&tsk->thread_keyring->sem);
393                 tsk->thread_keyring->gid = tsk->fsgid;
394                 up_write(&tsk->thread_keyring->sem);
395         }
396
397 } /* end key_fsgid_changed() */
398
399 /*****************************************************************************/
400 /*
401  * search the process keyrings for the first matching key
402  * - we use the supplied match function to see if the description (or other
403  *   feature of interest) matches
404  * - we return -EAGAIN if we didn't find any matching key
405  * - we return -ENOKEY if we found only negative matching keys
406  */
407 key_ref_t search_process_keyrings(struct key_type *type,
408                                   const void *description,
409                                   key_match_func_t match,
410                                   struct task_struct *context)
411 {
412         struct request_key_auth *rka;
413         key_ref_t key_ref, ret, err;
414
415         might_sleep();
416
417         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
418          * searchable, but we failed to find a key or we found a negative key;
419          * otherwise we want to return a sample error (probably -EACCES) if
420          * none of the keyrings were searchable
421          *
422          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
423          */
424         key_ref = NULL;
425         ret = NULL;
426         err = ERR_PTR(-EAGAIN);
427
428         /* search the thread keyring first */
429         if (context->thread_keyring) {
430                 key_ref = keyring_search_aux(
431                         make_key_ref(context->thread_keyring, 1),
432                         context, type, description, match);
433                 if (!IS_ERR(key_ref))
434                         goto found;
435
436                 switch (PTR_ERR(key_ref)) {
437                 case -EAGAIN: /* no key */
438                         if (ret)
439                                 break;
440                 case -ENOKEY: /* negative key */
441                         ret = key_ref;
442                         break;
443                 default:
444                         err = key_ref;
445                         break;
446                 }
447         }
448
449         /* search the process keyring second */
450         if (context->signal->process_keyring) {
451                 key_ref = keyring_search_aux(
452                         make_key_ref(context->signal->process_keyring, 1),
453                         context, type, description, match);
454                 if (!IS_ERR(key_ref))
455                         goto found;
456
457                 switch (PTR_ERR(key_ref)) {
458                 case -EAGAIN: /* no key */
459                         if (ret)
460                                 break;
461                 case -ENOKEY: /* negative key */
462                         ret = key_ref;
463                         break;
464                 default:
465                         err = key_ref;
466                         break;
467                 }
468         }
469
470         /* search the session keyring */
471         if (context->signal->session_keyring) {
472                 rcu_read_lock();
473                 key_ref = keyring_search_aux(
474                         make_key_ref(rcu_dereference(
475                                              context->signal->session_keyring),
476                                      1),
477                         context, type, description, match);
478                 rcu_read_unlock();
479
480                 if (!IS_ERR(key_ref))
481                         goto found;
482
483                 switch (PTR_ERR(key_ref)) {
484                 case -EAGAIN: /* no key */
485                         if (ret)
486                                 break;
487                 case -ENOKEY: /* negative key */
488                         ret = key_ref;
489                         break;
490                 default:
491                         err = key_ref;
492                         break;
493                 }
494         }
495         /* or search the user-session keyring */
496         else if (context->user->session_keyring) {
497                 key_ref = keyring_search_aux(
498                         make_key_ref(context->user->session_keyring, 1),
499                         context, type, description, match);
500                 if (!IS_ERR(key_ref))
501                         goto found;
502
503                 switch (PTR_ERR(key_ref)) {
504                 case -EAGAIN: /* no key */
505                         if (ret)
506                                 break;
507                 case -ENOKEY: /* negative key */
508                         ret = key_ref;
509                         break;
510                 default:
511                         err = key_ref;
512                         break;
513                 }
514         }
515
516         /* if this process has an instantiation authorisation key, then we also
517          * search the keyrings of the process mentioned there
518          * - we don't permit access to request_key auth keys via this method
519          */
520         if (context->request_key_auth &&
521             context == current &&
522             type != &key_type_request_key_auth
523             ) {
524                 /* defend against the auth key being revoked */
525                 down_read(&context->request_key_auth->sem);
526
527                 if (key_validate(context->request_key_auth) == 0) {
528                         rka = context->request_key_auth->payload.data;
529
530                         key_ref = search_process_keyrings(type, description,
531                                                           match, rka->context);
532
533                         up_read(&context->request_key_auth->sem);
534
535                         if (!IS_ERR(key_ref))
536                                 goto found;
537
538                         switch (PTR_ERR(key_ref)) {
539                         case -EAGAIN: /* no key */
540                                 if (ret)
541                                         break;
542                         case -ENOKEY: /* negative key */
543                                 ret = key_ref;
544                                 break;
545                         default:
546                                 err = key_ref;
547                                 break;
548                         }
549                 } else {
550                         up_read(&context->request_key_auth->sem);
551                 }
552         }
553
554         /* no key - decide on the error we're going to go for */
555         key_ref = ret ? ret : err;
556
557 found:
558         return key_ref;
559
560 } /* end search_process_keyrings() */
561
562 /*****************************************************************************/
563 /*
564  * see if the key we're looking at is the target key
565  */
566 static int lookup_user_key_possessed(const struct key *key, const void *target)
567 {
568         return key == target;
569
570 } /* end lookup_user_key_possessed() */
571
572 /*****************************************************************************/
573 /*
574  * lookup a key given a key ID from userspace with a given permissions mask
575  * - don't create special keyrings unless so requested
576  * - partially constructed keys aren't found unless requested
577  */
578 key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
579                           key_perm_t perm)
580 {
581         struct request_key_auth *rka;
582         struct task_struct *t = current;
583         key_ref_t key_ref, skey_ref;
584         struct key *key;
585         int ret;
586
587         key_ref = ERR_PTR(-ENOKEY);
588
589         switch (id) {
590         case KEY_SPEC_THREAD_KEYRING:
591                 if (!t->thread_keyring) {
592                         if (!create)
593                                 goto error;
594
595                         ret = install_thread_keyring();
596                         if (ret < 0) {
597                                 key = ERR_PTR(ret);
598                                 goto error;
599                         }
600                 }
601
602                 key = t->thread_keyring;
603                 atomic_inc(&key->usage);
604                 key_ref = make_key_ref(key, 1);
605                 break;
606
607         case KEY_SPEC_PROCESS_KEYRING:
608                 if (!t->signal->process_keyring) {
609                         if (!create)
610                                 goto error;
611
612                         ret = install_process_keyring();
613                         if (ret < 0) {
614                                 key = ERR_PTR(ret);
615                                 goto error;
616                         }
617                 }
618
619                 key = t->signal->process_keyring;
620                 atomic_inc(&key->usage);
621                 key_ref = make_key_ref(key, 1);
622                 break;
623
624         case KEY_SPEC_SESSION_KEYRING:
625                 if (!t->signal->session_keyring) {
626                         /* always install a session keyring upon access if one
627                          * doesn't exist yet */
628                         ret = install_user_keyrings();
629                         if (ret < 0)
630                                 goto error;
631                         ret = install_session_keyring(t->user->session_keyring);
632                         if (ret < 0)
633                                 goto error;
634                 }
635
636                 rcu_read_lock();
637                 key = rcu_dereference(t->signal->session_keyring);
638                 atomic_inc(&key->usage);
639                 rcu_read_unlock();
640                 key_ref = make_key_ref(key, 1);
641                 break;
642
643         case KEY_SPEC_USER_KEYRING:
644                 if (!t->user->uid_keyring) {
645                         ret = install_user_keyrings();
646                         if (ret < 0)
647                                 goto error;
648                 }
649
650                 key = t->user->uid_keyring;
651                 atomic_inc(&key->usage);
652                 key_ref = make_key_ref(key, 1);
653                 break;
654
655         case KEY_SPEC_USER_SESSION_KEYRING:
656                 if (!t->user->session_keyring) {
657                         ret = install_user_keyrings();
658                         if (ret < 0)
659                                 goto error;
660                 }
661
662                 key = t->user->session_keyring;
663                 atomic_inc(&key->usage);
664                 key_ref = make_key_ref(key, 1);
665                 break;
666
667         case KEY_SPEC_GROUP_KEYRING:
668                 /* group keyrings are not yet supported */
669                 key = ERR_PTR(-EINVAL);
670                 goto error;
671
672         case KEY_SPEC_REQKEY_AUTH_KEY:
673                 key = t->request_key_auth;
674                 if (!key)
675                         goto error;
676
677                 atomic_inc(&key->usage);
678                 key_ref = make_key_ref(key, 1);
679                 break;
680
681         case KEY_SPEC_REQUESTOR_KEYRING:
682                 if (!t->request_key_auth)
683                         goto error;
684
685                 down_read(&t->request_key_auth->sem);
686                 if (t->request_key_auth->flags & KEY_FLAG_REVOKED) {
687                         key_ref = ERR_PTR(-EKEYREVOKED);
688                         key = NULL;
689                 } else {
690                         rka = t->request_key_auth->payload.data;
691                         key = rka->dest_keyring;
692                         atomic_inc(&key->usage);
693                 }
694                 up_read(&t->request_key_auth->sem);
695                 if (!key)
696                         goto error;
697                 key_ref = make_key_ref(key, 1);
698                 break;
699
700         default:
701                 key_ref = ERR_PTR(-EINVAL);
702                 if (id < 1)
703                         goto error;
704
705                 key = key_lookup(id);
706                 if (IS_ERR(key)) {
707                         key_ref = ERR_CAST(key);
708                         goto error;
709                 }
710
711                 key_ref = make_key_ref(key, 0);
712
713                 /* check to see if we possess the key */
714                 skey_ref = search_process_keyrings(key->type, key,
715                                                    lookup_user_key_possessed,
716                                                    current);
717
718                 if (!IS_ERR(skey_ref)) {
719                         key_put(key);
720                         key_ref = skey_ref;
721                 }
722
723                 break;
724         }
725
726         if (!partial) {
727                 ret = wait_for_key_construction(key, true);
728                 switch (ret) {
729                 case -ERESTARTSYS:
730                         goto invalid_key;
731                 default:
732                         if (perm)
733                                 goto invalid_key;
734                 case 0:
735                         break;
736                 }
737         } else if (perm) {
738                 ret = key_validate(key);
739                 if (ret < 0)
740                         goto invalid_key;
741         }
742
743         ret = -EIO;
744         if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
745                 goto invalid_key;
746
747         /* check the permissions */
748         ret = key_task_permission(key_ref, t, perm);
749         if (ret < 0)
750                 goto invalid_key;
751
752 error:
753         return key_ref;
754
755 invalid_key:
756         key_ref_put(key_ref);
757         key_ref = ERR_PTR(ret);
758         goto error;
759
760 } /* end lookup_user_key() */
761
762 /*****************************************************************************/
763 /*
764  * join the named keyring as the session keyring if possible, or attempt to
765  * create a new one of that name if not
766  * - if the name is NULL, an empty anonymous keyring is installed instead
767  * - named session keyring joining is done with a semaphore held
768  */
769 long join_session_keyring(const char *name)
770 {
771         struct task_struct *tsk = current;
772         struct key *keyring;
773         long ret;
774
775         /* if no name is provided, install an anonymous keyring */
776         if (!name) {
777                 ret = install_session_keyring(NULL);
778                 if (ret < 0)
779                         goto error;
780
781                 rcu_read_lock();
782                 ret = rcu_dereference(tsk->signal->session_keyring)->serial;
783                 rcu_read_unlock();
784                 goto error;
785         }
786
787         /* allow the user to join or create a named keyring */
788         mutex_lock(&key_session_mutex);
789
790         /* look for an existing keyring of this name */
791         keyring = find_keyring_by_name(name, false);
792         if (PTR_ERR(keyring) == -ENOKEY) {
793                 /* not found - try and create a new one */
794                 keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk,
795                                         KEY_ALLOC_IN_QUOTA, NULL);
796                 if (IS_ERR(keyring)) {
797                         ret = PTR_ERR(keyring);
798                         goto error2;
799                 }
800         }
801         else if (IS_ERR(keyring)) {
802                 ret = PTR_ERR(keyring);
803                 goto error2;
804         }
805
806         /* we've got a keyring - now to install it */
807         ret = install_session_keyring(keyring);
808         if (ret < 0)
809                 goto error2;
810
811         ret = keyring->serial;
812         key_put(keyring);
813
814 error2:
815         mutex_unlock(&key_session_mutex);
816 error:
817         return ret;
818
819 } /* end join_session_keyring() */