linux/security/keys/key.c
<<
>>
Prefs
   1/* Basic authentication token and access key management
   2 *
   3 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public License
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the License, or (at your option) any later version.
  10 */
  11
  12#include <linux/module.h>
  13#include <linux/init.h>
  14#include <linux/poison.h>
  15#include <linux/sched.h>
  16#include <linux/slab.h>
  17#include <linux/security.h>
  18#include <linux/workqueue.h>
  19#include <linux/random.h>
  20#include <linux/err.h>
  21#include <linux/user_namespace.h>
  22#include "internal.h"
  23
  24struct kmem_cache *key_jar;
  25struct rb_root          key_serial_tree; /* tree of keys indexed by serial */
  26DEFINE_SPINLOCK(key_serial_lock);
  27
  28struct rb_root  key_user_tree; /* tree of quota records indexed by UID */
  29DEFINE_SPINLOCK(key_user_lock);
  30
  31unsigned int key_quota_root_maxkeys = 200;      /* root's key count quota */
  32unsigned int key_quota_root_maxbytes = 20000;   /* root's key space quota */
  33unsigned int key_quota_maxkeys = 200;           /* general key count quota */
  34unsigned int key_quota_maxbytes = 20000;        /* general key space quota */
  35
  36static LIST_HEAD(key_types_list);
  37static DECLARE_RWSEM(key_types_sem);
  38
  39/* We serialise key instantiation and link */
  40DEFINE_MUTEX(key_construction_mutex);
  41
  42#ifdef KEY_DEBUGGING
  43void __key_check(const struct key *key)
  44{
  45        printk("__key_check: key %p {%08x} should be {%08x}\n",
  46               key, key->magic, KEY_DEBUG_MAGIC);
  47        BUG();
  48}
  49#endif
  50
  51/*
  52 * Get the key quota record for a user, allocating a new record if one doesn't
  53 * already exist.
  54 */
  55struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
  56{
  57        struct key_user *candidate = NULL, *user;
  58        struct rb_node *parent = NULL;
  59        struct rb_node **p;
  60
  61try_again:
  62        p = &key_user_tree.rb_node;
  63        spin_lock(&key_user_lock);
  64
  65        /* search the tree for a user record with a matching UID */
  66        while (*p) {
  67                parent = *p;
  68                user = rb_entry(parent, struct key_user, node);
  69
  70                if (uid < user->uid)
  71                        p = &(*p)->rb_left;
  72                else if (uid > user->uid)
  73                        p = &(*p)->rb_right;
  74                else if (user_ns < user->user_ns)
  75                        p = &(*p)->rb_left;
  76                else if (user_ns > user->user_ns)
  77                        p = &(*p)->rb_right;
  78                else
  79                        goto found;
  80        }
  81
  82        /* if we get here, we failed to find a match in the tree */
  83        if (!candidate) {
  84                /* allocate a candidate user record if we don't already have
  85                 * one */
  86                spin_unlock(&key_user_lock);
  87
  88                user = NULL;
  89                candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL);
  90                if (unlikely(!candidate))
  91                        goto out;
  92
  93                /* the allocation may have scheduled, so we need to repeat the
  94                 * search lest someone else added the record whilst we were
  95                 * asleep */
  96                goto try_again;
  97        }
  98
  99        /* if we get here, then the user record still hadn't appeared on the
 100         * second pass - so we use the candidate record */
 101        atomic_set(&candidate->usage, 1);
 102        atomic_set(&candidate->nkeys, 0);
 103        atomic_set(&candidate->nikeys, 0);
 104        candidate->uid = uid;
 105        candidate->user_ns = get_user_ns(user_ns);
 106        candidate->qnkeys = 0;
 107        candidate->qnbytes = 0;
 108        spin_lock_init(&candidate->lock);
 109        mutex_init(&candidate->cons_lock);
 110
 111        rb_link_node(&candidate->node, parent, p);
 112        rb_insert_color(&candidate->node, &key_user_tree);
 113        spin_unlock(&key_user_lock);
 114        user = candidate;
 115        goto out;
 116
 117        /* okay - we found a user record for this UID */
 118found:
 119        atomic_inc(&user->usage);
 120        spin_unlock(&key_user_lock);
 121        kfree(candidate);
 122out:
 123        return user;
 124}
 125
 126/*
 127 * Dispose of a user structure
 128 */
 129void key_user_put(struct key_user *user)
 130{
 131        if (atomic_dec_and_lock(&user->usage, &key_user_lock)) {
 132                rb_erase(&user->node, &key_user_tree);
 133                spin_unlock(&key_user_lock);
 134                put_user_ns(user->user_ns);
 135
 136                kfree(user);
 137        }
 138}
 139
 140/*
 141 * Allocate a serial number for a key.  These are assigned randomly to avoid
 142 * security issues through covert channel problems.
 143 */
 144static inline void key_alloc_serial(struct key *key)
 145{
 146        struct rb_node *parent, **p;
 147        struct key *xkey;
 148
 149        /* propose a random serial number and look for a hole for it in the
 150         * serial number tree */
 151        do {
 152                get_random_bytes(&key->serial, sizeof(key->serial));
 153
 154                key->serial >>= 1; /* negative numbers are not permitted */
 155        } while (key->serial < 3);
 156
 157        spin_lock(&key_serial_lock);
 158
 159attempt_insertion:
 160        parent = NULL;
 161        p = &key_serial_tree.rb_node;
 162
 163        while (*p) {
 164                parent = *p;
 165                xkey = rb_entry(parent, struct key, serial_node);
 166
 167                if (key->serial < xkey->serial)
 168                        p = &(*p)->rb_left;
 169                else if (key->serial > xkey->serial)
 170                        p = &(*p)->rb_right;
 171                else
 172                        goto serial_exists;
 173        }
 174
 175        /* we've found a suitable hole - arrange for this key to occupy it */
 176        rb_link_node(&key->serial_node, parent, p);
 177        rb_insert_color(&key->serial_node, &key_serial_tree);
 178
 179        spin_unlock(&key_serial_lock);
 180        return;
 181
 182        /* we found a key with the proposed serial number - walk the tree from
 183         * that point looking for the next unused serial number */
 184serial_exists:
 185        for (;;) {
 186                key->serial++;
 187                if (key->serial < 3) {
 188                        key->serial = 3;
 189                        goto attempt_insertion;
 190                }
 191
 192                parent = rb_next(parent);
 193                if (!parent)
 194                        goto attempt_insertion;
 195
 196                xkey = rb_entry(parent, struct key, serial_node);
 197                if (key->serial < xkey->serial)
 198                        goto attempt_insertion;
 199        }
 200}
 201
 202/**
 203 * key_alloc - Allocate a key of the specified type.
 204 * @type: The type of key to allocate.
 205 * @desc: The key description to allow the key to be searched out.
 206 * @uid: The owner of the new key.
 207 * @gid: The group ID for the new key's group permissions.
 208 * @cred: The credentials specifying UID namespace.
 209 * @perm: The permissions mask of the new key.
 210 * @flags: Flags specifying quota properties.
 211 *
 212 * Allocate a key of the specified type with the attributes given.  The key is
 213 * returned in an uninstantiated state and the caller needs to instantiate the
 214 * key before returning.
 215 *
 216 * The user's key count quota is updated to reflect the creation of the key and
 217 * the user's key data quota has the default for the key type reserved.  The
 218 * instantiation function should amend this as necessary.  If insufficient
 219 * quota is available, -EDQUOT will be returned.
 220 *
 221 * The LSM security modules can prevent a key being created, in which case
 222 * -EACCES will be returned.
 223 *
 224 * Returns a pointer to the new key if successful and an error code otherwise.
 225 *
 226 * Note that the caller needs to ensure the key type isn't uninstantiated.
 227 * Internally this can be done by locking key_types_sem.  Externally, this can
 228 * be done by either never unregistering the key type, or making sure
 229 * key_alloc() calls don't race with module unloading.
 230 */
 231struct key *key_alloc(struct key_type *type, const char *desc,
 232                      uid_t uid, gid_t gid, const struct cred *cred,
 233                      key_perm_t perm, unsigned long flags)
 234{
 235        struct key_user *user = NULL;
 236        struct key *key;
 237        size_t desclen, quotalen;
 238        int ret;
 239
 240        key = ERR_PTR(-EINVAL);
 241        if (!desc || !*desc)
 242                goto error;
 243
 244        if (type->vet_description) {
 245                ret = type->vet_description(desc);
 246                if (ret < 0) {
 247                        key = ERR_PTR(ret);
 248                        goto error;
 249                }
 250        }
 251
 252        desclen = strlen(desc) + 1;
 253        quotalen = desclen + type->def_datalen;
 254
 255        /* get hold of the key tracking for this user */
 256        user = key_user_lookup(uid, cred->user_ns);
 257        if (!user)
 258                goto no_memory_1;
 259
 260        /* check that the user's quota permits allocation of another key and
 261         * its description */
 262        if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
 263                unsigned maxkeys = (uid == 0) ?
 264                        key_quota_root_maxkeys : key_quota_maxkeys;
 265                unsigned maxbytes = (uid == 0) ?
 266                        key_quota_root_maxbytes : key_quota_maxbytes;
 267
 268                spin_lock(&user->lock);
 269                if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
 270                        if (user->qnkeys + 1 >= maxkeys ||
 271                            user->qnbytes + quotalen >= maxbytes ||
 272                            user->qnbytes + quotalen < user->qnbytes)
 273                                goto no_quota;
 274                }
 275
 276                user->qnkeys++;
 277                user->qnbytes += quotalen;
 278                spin_unlock(&user->lock);
 279        }
 280
 281        /* allocate and initialise the key and its description */
 282        key = kmem_cache_alloc(key_jar, GFP_KERNEL);
 283        if (!key)
 284                goto no_memory_2;
 285
 286        if (desc) {
 287                key->description = kmemdup(desc, desclen, GFP_KERNEL);
 288                if (!key->description)
 289                        goto no_memory_3;
 290        }
 291
 292        atomic_set(&key->usage, 1);
 293        init_rwsem(&key->sem);
 294        lockdep_set_class(&key->sem, &type->lock_class);
 295        key->type = type;
 296        key->user = user;
 297        key->quotalen = quotalen;
 298        key->datalen = type->def_datalen;
 299        key->uid = uid;
 300        key->gid = gid;
 301        key->perm = perm;
 302        key->flags = 0;
 303        key->expiry = 0;
 304        key->payload.data = NULL;
 305        key->security = NULL;
 306
 307        if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
 308                key->flags |= 1 << KEY_FLAG_IN_QUOTA;
 309
 310        memset(&key->type_data, 0, sizeof(key->type_data));
 311
 312#ifdef KEY_DEBUGGING
 313        key->magic = KEY_DEBUG_MAGIC;
 314#endif
 315
 316        /* let the security module know about the key */
 317        ret = security_key_alloc(key, cred, flags);
 318        if (ret < 0)
 319                goto security_error;
 320
 321        /* publish the key by giving it a serial number */
 322        atomic_inc(&user->nkeys);
 323        key_alloc_serial(key);
 324
 325error:
 326        return key;
 327
 328security_error:
 329        kfree(key->description);
 330        kmem_cache_free(key_jar, key);
 331        if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
 332                spin_lock(&user->lock);
 333                user->qnkeys--;
 334                user->qnbytes -= quotalen;
 335                spin_unlock(&user->lock);
 336        }
 337        key_user_put(user);
 338        key = ERR_PTR(ret);
 339        goto error;
 340
 341no_memory_3:
 342        kmem_cache_free(key_jar, key);
 343no_memory_2:
 344        if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
 345                spin_lock(&user->lock);
 346                user->qnkeys--;
 347                user->qnbytes -= quotalen;
 348                spin_unlock(&user->lock);
 349        }
 350        key_user_put(user);
 351no_memory_1:
 352        key = ERR_PTR(-ENOMEM);
 353        goto error;
 354
 355no_quota:
 356        spin_unlock(&user->lock);
 357        key_user_put(user);
 358        key = ERR_PTR(-EDQUOT);
 359        goto error;
 360}
 361EXPORT_SYMBOL(key_alloc);
 362
 363/**
 364 * key_payload_reserve - Adjust data quota reservation for the key's payload
 365 * @key: The key to make the reservation for.
 366 * @datalen: The amount of data payload the caller now wants.
 367 *
 368 * Adjust the amount of the owning user's key data quota that a key reserves.
 369 * If the amount is increased, then -EDQUOT may be returned if there isn't
 370 * enough free quota available.
 371 *
 372 * If successful, 0 is returned.
 373 */
 374int key_payload_reserve(struct key *key, size_t datalen)
 375{
 376        int delta = (int)datalen - key->datalen;
 377        int ret = 0;
 378
 379        key_check(key);
 380
 381        /* contemplate the quota adjustment */
 382        if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
 383                unsigned maxbytes = (key->user->uid == 0) ?
 384                        key_quota_root_maxbytes : key_quota_maxbytes;
 385
 386                spin_lock(&key->user->lock);
 387
 388                if (delta > 0 &&
 389                    (key->user->qnbytes + delta >= maxbytes ||
 390                     key->user->qnbytes + delta < key->user->qnbytes)) {
 391                        ret = -EDQUOT;
 392                }
 393                else {
 394                        key->user->qnbytes += delta;
 395                        key->quotalen += delta;
 396                }
 397                spin_unlock(&key->user->lock);
 398        }
 399
 400        /* change the recorded data length if that didn't generate an error */
 401        if (ret == 0)
 402                key->datalen = datalen;
 403
 404        return ret;
 405}
 406EXPORT_SYMBOL(key_payload_reserve);
 407
 408/*
 409 * Instantiate a key and link it into the target keyring atomically.  Must be
 410 * called with the target keyring's semaphore writelocked.  The target key's
 411 * semaphore need not be locked as instantiation is serialised by
 412 * key_construction_mutex.
 413 */
 414static int __key_instantiate_and_link(struct key *key,
 415                                      const void *data,
 416                                      size_t datalen,
 417                                      struct key *keyring,
 418                                      struct key *authkey,
 419                                      unsigned long *_prealloc)
 420{
 421        int ret, awaken;
 422
 423        key_check(key);
 424        key_check(keyring);
 425
 426        awaken = 0;
 427        ret = -EBUSY;
 428
 429        mutex_lock(&key_construction_mutex);
 430
 431        /* can't instantiate twice */
 432        if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
 433                /* instantiate the key */
 434                ret = key->type->instantiate(key, data, datalen);
 435
 436                if (ret == 0) {
 437                        /* mark the key as being instantiated */
 438                        atomic_inc(&key->user->nikeys);
 439                        set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
 440
 441                        if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
 442                                awaken = 1;
 443
 444                        /* and link it into the destination keyring */
 445                        if (keyring)
 446                                __key_link(keyring, key, _prealloc);
 447
 448                        /* disable the authorisation key */
 449                        if (authkey)
 450                                key_revoke(authkey);
 451                }
 452        }
 453
 454        mutex_unlock(&key_construction_mutex);
 455
 456        /* wake up anyone waiting for a key to be constructed */
 457        if (awaken)
 458                wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
 459
 460        return ret;
 461}
 462
 463/**
 464 * key_instantiate_and_link - Instantiate a key and link it into the keyring.
 465 * @key: The key to instantiate.
 466 * @data: The data to use to instantiate the keyring.
 467 * @datalen: The length of @data.
 468 * @keyring: Keyring to create a link in on success (or NULL).
 469 * @authkey: The authorisation token permitting instantiation.
 470 *
 471 * Instantiate a key that's in the uninstantiated state using the provided data
 472 * and, if successful, link it in to the destination keyring if one is
 473 * supplied.
 474 *
 475 * If successful, 0 is returned, the authorisation token is revoked and anyone
 476 * waiting for the key is woken up.  If the key was already instantiated,
 477 * -EBUSY will be returned.
 478 */
 479int key_instantiate_and_link(struct key *key,
 480                             const void *data,
 481                             size_t datalen,
 482                             struct key *keyring,
 483                             struct key *authkey)
 484{
 485        unsigned long prealloc;
 486        int ret;
 487
 488        if (keyring) {
 489                ret = __key_link_begin(keyring, key->type, key->description,
 490                                       &prealloc);
 491                if (ret < 0)
 492                        return ret;
 493        }
 494
 495        ret = __key_instantiate_and_link(key, data, datalen, keyring, authkey,
 496                                         &prealloc);
 497
 498        if (keyring)
 499                __key_link_end(keyring, key->type, prealloc);
 500
 501        return ret;
 502}
 503
 504EXPORT_SYMBOL(key_instantiate_and_link);
 505
 506/**
 507 * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
 508 * @key: The key to instantiate.
 509 * @timeout: The timeout on the negative key.
 510 * @error: The error to return when the key is hit.
 511 * @keyring: Keyring to create a link in on success (or NULL).
 512 * @authkey: The authorisation token permitting instantiation.
 513 *
 514 * Negatively instantiate a key that's in the uninstantiated state and, if
 515 * successful, set its timeout and stored error and link it in to the
 516 * destination keyring if one is supplied.  The key and any links to the key
 517 * will be automatically garbage collected after the timeout expires.
 518 *
 519 * Negative keys are used to rate limit repeated request_key() calls by causing
 520 * them to return the stored error code (typically ENOKEY) until the negative
 521 * key expires.
 522 *
 523 * If successful, 0 is returned, the authorisation token is revoked and anyone
 524 * waiting for the key is woken up.  If the key was already instantiated,
 525 * -EBUSY will be returned.
 526 */
 527int key_reject_and_link(struct key *key,
 528                        unsigned timeout,
 529                        unsigned error,
 530                        struct key *keyring,
 531                        struct key *authkey)
 532{
 533        unsigned long prealloc;
 534        struct timespec now;
 535        int ret, awaken, link_ret = 0;
 536
 537        key_check(key);
 538        key_check(keyring);
 539
 540        awaken = 0;
 541        ret = -EBUSY;
 542
 543        if (keyring)
 544                link_ret = __key_link_begin(keyring, key->type,
 545                                            key->description, &prealloc);
 546
 547        mutex_lock(&key_construction_mutex);
 548
 549        /* can't instantiate twice */
 550        if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
 551                /* mark the key as being negatively instantiated */
 552                atomic_inc(&key->user->nikeys);
 553                set_bit(KEY_FLAG_NEGATIVE, &key->flags);
 554                set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
 555                key->type_data.reject_error = -error;
 556                now = current_kernel_time();
 557                key->expiry = now.tv_sec + timeout;
 558                key_schedule_gc(key->expiry + key_gc_delay);
 559
 560                if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
 561                        awaken = 1;
 562
 563                ret = 0;
 564
 565                /* and link it into the destination keyring */
 566                if (keyring && link_ret == 0)
 567                        __key_link(keyring, key, &prealloc);
 568
 569                /* disable the authorisation key */
 570                if (authkey)
 571                        key_revoke(authkey);
 572        }
 573
 574        mutex_unlock(&key_construction_mutex);
 575
 576        if (keyring)
 577                __key_link_end(keyring, key->type, prealloc);
 578
 579        /* wake up anyone waiting for a key to be constructed */
 580        if (awaken)
 581                wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
 582
 583        return ret == 0 ? link_ret : ret;
 584}
 585EXPORT_SYMBOL(key_reject_and_link);
 586
 587/**
 588 * key_put - Discard a reference to a key.
 589 * @key: The key to discard a reference from.
 590 *
 591 * Discard a reference to a key, and when all the references are gone, we
 592 * schedule the cleanup task to come and pull it out of the tree in process
 593 * context at some later time.
 594 */
 595void key_put(struct key *key)
 596{
 597        if (key) {
 598                key_check(key);
 599
 600                if (atomic_dec_and_test(&key->usage))
 601                        queue_work(system_nrt_wq, &key_gc_work);
 602        }
 603}
 604EXPORT_SYMBOL(key_put);
 605
 606/*
 607 * Find a key by its serial number.
 608 */
 609struct key *key_lookup(key_serial_t id)
 610{
 611        struct rb_node *n;
 612        struct key *key;
 613
 614        spin_lock(&key_serial_lock);
 615
 616        /* search the tree for the specified key */
 617        n = key_serial_tree.rb_node;
 618        while (n) {
 619                key = rb_entry(n, struct key, serial_node);
 620
 621                if (id < key->serial)
 622                        n = n->rb_left;
 623                else if (id > key->serial)
 624                        n = n->rb_right;
 625                else
 626                        goto found;
 627        }
 628
 629not_found:
 630        key = ERR_PTR(-ENOKEY);
 631        goto error;
 632
 633found:
 634        /* pretend it doesn't exist if it is awaiting deletion */
 635        if (atomic_read(&key->usage) == 0)
 636                goto not_found;
 637
 638        /* this races with key_put(), but that doesn't matter since key_put()
 639         * doesn't actually change the key
 640         */
 641        atomic_inc(&key->usage);
 642
 643error:
 644        spin_unlock(&key_serial_lock);
 645        return key;
 646}
 647
 648/*
 649 * Find and lock the specified key type against removal.
 650 *
 651 * We return with the sem read-locked if successful.  If the type wasn't
 652 * available -ENOKEY is returned instead.
 653 */
 654struct key_type *key_type_lookup(const char *type)
 655{
 656        struct key_type *ktype;
 657
 658        down_read(&key_types_sem);
 659
 660        /* look up the key type to see if it's one of the registered kernel
 661         * types */
 662        list_for_each_entry(ktype, &key_types_list, link) {
 663                if (strcmp(ktype->name, type) == 0)
 664                        goto found_kernel_type;
 665        }
 666
 667        up_read(&key_types_sem);
 668        ktype = ERR_PTR(-ENOKEY);
 669
 670found_kernel_type:
 671        return ktype;
 672}
 673
 674void key_set_timeout(struct key *key, unsigned timeout)
 675{
 676        struct timespec now;
 677        time_t expiry = 0;
 678
 679        /* make the changes with the locks held to prevent races */
 680        down_write(&key->sem);
 681
 682        if (timeout > 0) {
 683                now = current_kernel_time();
 684                expiry = now.tv_sec + timeout;
 685        }
 686
 687        key->expiry = expiry;
 688        key_schedule_gc(key->expiry + key_gc_delay);
 689
 690        up_write(&key->sem);
 691}
 692EXPORT_SYMBOL_GPL(key_set_timeout);
 693
 694/*
 695 * Unlock a key type locked by key_type_lookup().
 696 */
 697void key_type_put(struct key_type *ktype)
 698{
 699        up_read(&key_types_sem);
 700}
 701
 702/*
 703 * Attempt to update an existing key.
 704 *
 705 * The key is given to us with an incremented refcount that we need to discard
 706 * if we get an error.
 707 */
 708static inline key_ref_t __key_update(key_ref_t key_ref,
 709                                     const void *payload, size_t plen)
 710{
 711        struct key *key = key_ref_to_ptr(key_ref);
 712        int ret;
 713
 714        /* need write permission on the key to update it */
 715        ret = key_permission(key_ref, KEY_WRITE);
 716        if (ret < 0)
 717                goto error;
 718
 719        ret = -EEXIST;
 720        if (!key->type->update)
 721                goto error;
 722
 723        down_write(&key->sem);
 724
 725        ret = key->type->update(key, payload, plen);
 726        if (ret == 0)
 727                /* updating a negative key instantiates it */
 728                clear_bit(KEY_FLAG_NEGATIVE, &key->flags);
 729
 730        up_write(&key->sem);
 731
 732        if (ret < 0)
 733                goto error;
 734out:
 735        return key_ref;
 736
 737error:
 738        key_put(key);
 739        key_ref = ERR_PTR(ret);
 740        goto out;
 741}
 742
 743/**
 744 * key_create_or_update - Update or create and instantiate a key.
 745 * @keyring_ref: A pointer to the destination keyring with possession flag.
 746 * @type: The type of key.
 747 * @description: The searchable description for the key.
 748 * @payload: The data to use to instantiate or update the key.
 749 * @plen: The length of @payload.
 750 * @perm: The permissions mask for a new key.
 751 * @flags: The quota flags for a new key.
 752 *
 753 * Search the destination keyring for a key of the same description and if one
 754 * is found, update it, otherwise create and instantiate a new one and create a
 755 * link to it from that keyring.
 756 *
 757 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
 758 * concocted.
 759 *
 760 * Returns a pointer to the new key if successful, -ENODEV if the key type
 761 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
 762 * caller isn't permitted to modify the keyring or the LSM did not permit
 763 * creation of the key.
 764 *
 765 * On success, the possession flag from the keyring ref will be tacked on to
 766 * the key ref before it is returned.
 767 */
 768key_ref_t key_create_or_update(key_ref_t keyring_ref,
 769                               const char *type,
 770                               const char *description,
 771                               const void *payload,
 772                               size_t plen,
 773                               key_perm_t perm,
 774                               unsigned long flags)
 775{
 776        unsigned long prealloc;
 777        const struct cred *cred = current_cred();
 778        struct key_type *ktype;
 779        struct key *keyring, *key = NULL;
 780        key_ref_t key_ref;
 781        int ret;
 782
 783        /* look up the key type to see if it's one of the registered kernel
 784         * types */
 785        ktype = key_type_lookup(type);
 786        if (IS_ERR(ktype)) {
 787                key_ref = ERR_PTR(-ENODEV);
 788                goto error;
 789        }
 790
 791        key_ref = ERR_PTR(-EINVAL);
 792        if (!ktype->match || !ktype->instantiate)
 793                goto error_2;
 794
 795        keyring = key_ref_to_ptr(keyring_ref);
 796
 797        key_check(keyring);
 798
 799        key_ref = ERR_PTR(-ENOTDIR);
 800        if (keyring->type != &key_type_keyring)
 801                goto error_2;
 802
 803        ret = __key_link_begin(keyring, ktype, description, &prealloc);
 804        if (ret < 0)
 805                goto error_2;
 806
 807        /* if we're going to allocate a new key, we're going to have
 808         * to modify the keyring */
 809        ret = key_permission(keyring_ref, KEY_WRITE);
 810        if (ret < 0) {
 811                key_ref = ERR_PTR(ret);
 812                goto error_3;
 813        }
 814
 815        /* if it's possible to update this type of key, search for an existing
 816         * key of the same type and description in the destination keyring and
 817         * update that instead if possible
 818         */
 819        if (ktype->update) {
 820                key_ref = __keyring_search_one(keyring_ref, ktype, description,
 821                                               0);
 822                if (!IS_ERR(key_ref))
 823                        goto found_matching_key;
 824        }
 825
 826        /* if the client doesn't provide, decide on the permissions we want */
 827        if (perm == KEY_PERM_UNDEF) {
 828                perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
 829                perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK | KEY_USR_SETATTR;
 830
 831                if (ktype->read)
 832                        perm |= KEY_POS_READ | KEY_USR_READ;
 833
 834                if (ktype == &key_type_keyring || ktype->update)
 835                        perm |= KEY_USR_WRITE;
 836        }
 837
 838        /* allocate a new key */
 839        key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred,
 840                        perm, flags);
 841        if (IS_ERR(key)) {
 842                key_ref = ERR_CAST(key);
 843                goto error_3;
 844        }
 845
 846        /* instantiate it and link it into the target keyring */
 847        ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL,
 848                                         &prealloc);
 849        if (ret < 0) {
 850                key_put(key);
 851                key_ref = ERR_PTR(ret);
 852                goto error_3;
 853        }
 854
 855        key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
 856
 857 error_3:
 858        __key_link_end(keyring, ktype, prealloc);
 859 error_2:
 860        key_type_put(ktype);
 861 error:
 862        return key_ref;
 863
 864 found_matching_key:
 865        /* we found a matching key, so we're going to try to update it
 866         * - we can drop the locks first as we have the key pinned
 867         */
 868        __key_link_end(keyring, ktype, prealloc);
 869        key_type_put(ktype);
 870
 871        key_ref = __key_update(key_ref, payload, plen);
 872        goto error;
 873}
 874EXPORT_SYMBOL(key_create_or_update);
 875
 876/**
 877 * key_update - Update a key's contents.
 878 * @key_ref: The pointer (plus possession flag) to the key.
 879 * @payload: The data to be used to update the key.
 880 * @plen: The length of @payload.
 881 *
 882 * Attempt to update the contents of a key with the given payload data.  The
 883 * caller must be granted Write permission on the key.  Negative keys can be
 884 * instantiated by this method.
 885 *
 886 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key
 887 * type does not support updating.  The key type may return other errors.
 888 */
 889int key_update(key_ref_t key_ref, const void *payload, size_t plen)
 890{
 891        struct key *key = key_ref_to_ptr(key_ref);
 892        int ret;
 893
 894        key_check(key);
 895
 896        /* the key must be writable */
 897        ret = key_permission(key_ref, KEY_WRITE);
 898        if (ret < 0)
 899                goto error;
 900
 901        /* attempt to update it if supported */
 902        ret = -EOPNOTSUPP;
 903        if (key->type->update) {
 904                down_write(&key->sem);
 905
 906                ret = key->type->update(key, payload, plen);
 907                if (ret == 0)
 908                        /* updating a negative key instantiates it */
 909                        clear_bit(KEY_FLAG_NEGATIVE, &key->flags);
 910
 911                up_write(&key->sem);
 912        }
 913
 914 error:
 915        return ret;
 916}
 917EXPORT_SYMBOL(key_update);
 918
 919/**
 920 * key_revoke - Revoke a key.
 921 * @key: The key to be revoked.
 922 *
 923 * Mark a key as being revoked and ask the type to free up its resources.  The
 924 * revocation timeout is set and the key and all its links will be
 925 * automatically garbage collected after key_gc_delay amount of time if they
 926 * are not manually dealt with first.
 927 */
 928void key_revoke(struct key *key)
 929{
 930        struct timespec now;
 931        time_t time;
 932
 933        key_check(key);
 934
 935        /* make sure no one's trying to change or use the key when we mark it
 936         * - we tell lockdep that we might nest because we might be revoking an
 937         *   authorisation key whilst holding the sem on a key we've just
 938         *   instantiated
 939         */
 940        down_write_nested(&key->sem, 1);
 941        if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags) &&
 942            key->type->revoke)
 943                key->type->revoke(key);
 944
 945        /* set the death time to no more than the expiry time */
 946        now = current_kernel_time();
 947        time = now.tv_sec;
 948        if (key->revoked_at == 0 || key->revoked_at > time) {
 949                key->revoked_at = time;
 950                key_schedule_gc(key->revoked_at + key_gc_delay);
 951        }
 952
 953        up_write(&key->sem);
 954}
 955EXPORT_SYMBOL(key_revoke);
 956
 957/**
 958 * key_invalidate - Invalidate a key.
 959 * @key: The key to be invalidated.
 960 *
 961 * Mark a key as being invalidated and have it cleaned up immediately.  The key
 962 * is ignored by all searches and other operations from this point.
 963 */
 964void key_invalidate(struct key *key)
 965{
 966        kenter("%d", key_serial(key));
 967
 968        key_check(key);
 969
 970        if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
 971                down_write_nested(&key->sem, 1);
 972                if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags))
 973                        key_schedule_gc_links();
 974                up_write(&key->sem);
 975        }
 976}
 977EXPORT_SYMBOL(key_invalidate);
 978
 979/**
 980 * register_key_type - Register a type of key.
 981 * @ktype: The new key type.
 982 *
 983 * Register a new key type.
 984 *
 985 * Returns 0 on success or -EEXIST if a type of this name already exists.
 986 */
 987int register_key_type(struct key_type *ktype)
 988{
 989        struct key_type *p;
 990        int ret;
 991
 992        memset(&ktype->lock_class, 0, sizeof(ktype->lock_class));
 993
 994        ret = -EEXIST;
 995        down_write(&key_types_sem);
 996
 997        /* disallow key types with the same name */
 998        list_for_each_entry(p, &key_types_list, link) {
 999                if (strcmp(p->name, ktype->name) == 0)
1000                        goto out;
1001        }
1002
1003        /* store the type */
1004        list_add(&ktype->link, &key_types_list);
1005
1006        pr_notice("Key type %s registered\n", ktype->name);
1007        ret = 0;
1008
1009out:
1010        up_write(&key_types_sem);
1011        return ret;
1012}
1013EXPORT_SYMBOL(register_key_type);
1014
1015/**
1016 * unregister_key_type - Unregister a type of key.
1017 * @ktype: The key type.
1018 *
1019 * Unregister a key type and mark all the extant keys of this type as dead.
1020 * Those keys of this type are then destroyed to get rid of their payloads and
1021 * they and their links will be garbage collected as soon as possible.
1022 */
1023void unregister_key_type(struct key_type *ktype)
1024{
1025        down_write(&key_types_sem);
1026        list_del_init(&ktype->link);
1027        downgrade_write(&key_types_sem);
1028        key_gc_keytype(ktype);
1029        pr_notice("Key type %s unregistered\n", ktype->name);
1030        up_read(&key_types_sem);
1031}
1032EXPORT_SYMBOL(unregister_key_type);
1033
1034/*
1035 * Initialise the key management state.
1036 */
1037void __init key_init(void)
1038{
1039        /* allocate a slab in which we can store keys */
1040        key_jar = kmem_cache_create("key_jar", sizeof(struct key),
1041                        0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
1042
1043        /* add the special key types */
1044        list_add_tail(&key_type_keyring.link, &key_types_list);
1045        list_add_tail(&key_type_dead.link, &key_types_list);
1046        list_add_tail(&key_type_user.link, &key_types_list);
1047        list_add_tail(&key_type_logon.link, &key_types_list);
1048
1049        /* record the root user tracking */
1050        rb_link_node(&root_key_user.node,
1051                     NULL,
1052                     &key_user_tree.rb_node);
1053
1054        rb_insert_color(&root_key_user.node,
1055                        &key_user_tree);
1056}
1057
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.