linux/security/keys/keyctl.c
<<
>>
Prefs
   1/* keyctl.c: userspace keyctl operations
   2 *
   3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public License
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the License, or (at your option) any later version.
  10 */
  11
  12#include <linux/module.h>
  13#include <linux/init.h>
  14#include <linux/sched.h>
  15#include <linux/slab.h>
  16#include <linux/syscalls.h>
  17#include <linux/keyctl.h>
  18#include <linux/fs.h>
  19#include <linux/capability.h>
  20#include <linux/string.h>
  21#include <linux/err.h>
  22#include <linux/vmalloc.h>
  23#include <linux/security.h>
  24#include <asm/uaccess.h>
  25#include "internal.h"
  26
  27static int key_get_type_from_user(char *type,
  28                                  const char __user *_type,
  29                                  unsigned len)
  30{
  31        int ret;
  32
  33        ret = strncpy_from_user(type, _type, len);
  34
  35        if (ret < 0)
  36                return -EFAULT;
  37
  38        if (ret == 0 || ret >= len)
  39                return -EINVAL;
  40
  41        if (type[0] == '.')
  42                return -EPERM;
  43
  44        type[len - 1] = '\0';
  45
  46        return 0;
  47}
  48
  49/*****************************************************************************/
  50/*
  51 * extract the description of a new key from userspace and either add it as a
  52 * new key to the specified keyring or update a matching key in that keyring
  53 * - the keyring must be writable
  54 * - returns the new key's serial number
  55 * - implements add_key()
  56 */
  57SYSCALL_DEFINE5(add_key, const char __user *, _type,
  58                const char __user *, _description,
  59                const void __user *, _payload,
  60                size_t, plen,
  61                key_serial_t, ringid)
  62{
  63        key_ref_t keyring_ref, key_ref;
  64        char type[32], *description;
  65        void *payload;
  66        long ret;
  67        bool vm;
  68
  69        ret = -EINVAL;
  70        if (plen > 1024 * 1024 - 1)
  71                goto error;
  72
  73        /* draw all the data into kernel space */
  74        ret = key_get_type_from_user(type, _type, sizeof(type));
  75        if (ret < 0)
  76                goto error;
  77
  78        description = strndup_user(_description, PAGE_SIZE);
  79        if (IS_ERR(description)) {
  80                ret = PTR_ERR(description);
  81                goto error;
  82        }
  83
  84        /* pull the payload in if one was supplied */
  85        payload = NULL;
  86
  87        vm = false;
  88        if (_payload) {
  89                ret = -ENOMEM;
  90                payload = kmalloc(plen, GFP_KERNEL);
  91                if (!payload) {
  92                        if (plen <= PAGE_SIZE)
  93                                goto error2;
  94                        vm = true;
  95                        payload = vmalloc(plen);
  96                        if (!payload)
  97                                goto error2;
  98                }
  99
 100                ret = -EFAULT;
 101                if (copy_from_user(payload, _payload, plen) != 0)
 102                        goto error3;
 103        }
 104
 105        /* find the target keyring (which must be writable) */
 106        keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
 107        if (IS_ERR(keyring_ref)) {
 108                ret = PTR_ERR(keyring_ref);
 109                goto error3;
 110        }
 111
 112        /* create or update the requested key and add it to the target
 113         * keyring */
 114        key_ref = key_create_or_update(keyring_ref, type, description,
 115                                       payload, plen, KEY_PERM_UNDEF,
 116                                       KEY_ALLOC_IN_QUOTA);
 117        if (!IS_ERR(key_ref)) {
 118                ret = key_ref_to_ptr(key_ref)->serial;
 119                key_ref_put(key_ref);
 120        }
 121        else {
 122                ret = PTR_ERR(key_ref);
 123        }
 124
 125        key_ref_put(keyring_ref);
 126 error3:
 127        if (!vm)
 128                kfree(payload);
 129        else
 130                vfree(payload);
 131 error2:
 132        kfree(description);
 133 error:
 134        return ret;
 135
 136} /* end sys_add_key() */
 137
 138/*****************************************************************************/
 139/*
 140 * search the process keyrings for a matching key
 141 * - nested keyrings may also be searched if they have Search permission
 142 * - if a key is found, it will be attached to the destination keyring if
 143 *   there's one specified
 144 * - /sbin/request-key will be invoked if _callout_info is non-NULL
 145 *   - the _callout_info string will be passed to /sbin/request-key
 146 *   - if the _callout_info string is empty, it will be rendered as "-"
 147 * - implements request_key()
 148 */
 149SYSCALL_DEFINE4(request_key, const char __user *, _type,
 150                const char __user *, _description,
 151                const char __user *, _callout_info,
 152                key_serial_t, destringid)
 153{
 154        struct key_type *ktype;
 155        struct key *key;
 156        key_ref_t dest_ref;
 157        size_t callout_len;
 158        char type[32], *description, *callout_info;
 159        long ret;
 160
 161        /* pull the type into kernel space */
 162        ret = key_get_type_from_user(type, _type, sizeof(type));
 163        if (ret < 0)
 164                goto error;
 165
 166        /* pull the description into kernel space */
 167        description = strndup_user(_description, PAGE_SIZE);
 168        if (IS_ERR(description)) {
 169                ret = PTR_ERR(description);
 170                goto error;
 171        }
 172
 173        /* pull the callout info into kernel space */
 174        callout_info = NULL;
 175        callout_len = 0;
 176        if (_callout_info) {
 177                callout_info = strndup_user(_callout_info, PAGE_SIZE);
 178                if (IS_ERR(callout_info)) {
 179                        ret = PTR_ERR(callout_info);
 180                        goto error2;
 181                }
 182                callout_len = strlen(callout_info);
 183        }
 184
 185        /* get the destination keyring if specified */
 186        dest_ref = NULL;
 187        if (destringid) {
 188                dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
 189                if (IS_ERR(dest_ref)) {
 190                        ret = PTR_ERR(dest_ref);
 191                        goto error3;
 192                }
 193        }
 194
 195        /* find the key type */
 196        ktype = key_type_lookup(type);
 197        if (IS_ERR(ktype)) {
 198                ret = PTR_ERR(ktype);
 199                goto error4;
 200        }
 201
 202        /* do the search */
 203        key = request_key_and_link(ktype, description, callout_info,
 204                                   callout_len, NULL, key_ref_to_ptr(dest_ref),
 205                                   KEY_ALLOC_IN_QUOTA);
 206        if (IS_ERR(key)) {
 207                ret = PTR_ERR(key);
 208                goto error5;
 209        }
 210
 211        ret = key->serial;
 212
 213        key_put(key);
 214 error5:
 215        key_type_put(ktype);
 216 error4:
 217        key_ref_put(dest_ref);
 218 error3:
 219        kfree(callout_info);
 220 error2:
 221        kfree(description);
 222 error:
 223        return ret;
 224
 225} /* end sys_request_key() */
 226
 227/*****************************************************************************/
 228/*
 229 * get the ID of the specified process keyring
 230 * - the keyring must have search permission to be found
 231 * - implements keyctl(KEYCTL_GET_KEYRING_ID)
 232 */
 233long keyctl_get_keyring_ID(key_serial_t id, int create)
 234{
 235        key_ref_t key_ref;
 236        long ret;
 237
 238        key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH);
 239        if (IS_ERR(key_ref)) {
 240                ret = PTR_ERR(key_ref);
 241                goto error;
 242        }
 243
 244        ret = key_ref_to_ptr(key_ref)->serial;
 245        key_ref_put(key_ref);
 246 error:
 247        return ret;
 248
 249} /* end keyctl_get_keyring_ID() */
 250
 251/*****************************************************************************/
 252/*
 253 * join the session keyring
 254 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)
 255 */
 256long keyctl_join_session_keyring(const char __user *_name)
 257{
 258        char *name;
 259        long ret;
 260
 261        /* fetch the name from userspace */
 262        name = NULL;
 263        if (_name) {
 264                name = strndup_user(_name, PAGE_SIZE);
 265                if (IS_ERR(name)) {
 266                        ret = PTR_ERR(name);
 267                        goto error;
 268                }
 269        }
 270
 271        /* join the session */
 272        ret = join_session_keyring(name);
 273        kfree(name);
 274
 275 error:
 276        return ret;
 277
 278} /* end keyctl_join_session_keyring() */
 279
 280/*****************************************************************************/
 281/*
 282 * update a key's data payload
 283 * - the key must be writable
 284 * - implements keyctl(KEYCTL_UPDATE)
 285 */
 286long keyctl_update_key(key_serial_t id,
 287                       const void __user *_payload,
 288                       size_t plen)
 289{
 290        key_ref_t key_ref;
 291        void *payload;
 292        long ret;
 293
 294        ret = -EINVAL;
 295        if (plen > PAGE_SIZE)
 296                goto error;
 297
 298        /* pull the payload in if one was supplied */
 299        payload = NULL;
 300        if (_payload) {
 301                ret = -ENOMEM;
 302                payload = kmalloc(plen, GFP_KERNEL);
 303                if (!payload)
 304                        goto error;
 305
 306                ret = -EFAULT;
 307                if (copy_from_user(payload, _payload, plen) != 0)
 308                        goto error2;
 309        }
 310
 311        /* find the target key (which must be writable) */
 312        key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
 313        if (IS_ERR(key_ref)) {
 314                ret = PTR_ERR(key_ref);
 315                goto error2;
 316        }
 317
 318        /* update the key */
 319        ret = key_update(key_ref, payload, plen);
 320
 321        key_ref_put(key_ref);
 322 error2:
 323        kfree(payload);
 324 error:
 325        return ret;
 326
 327} /* end keyctl_update_key() */
 328
 329/*****************************************************************************/
 330/*
 331 * revoke a key
 332 * - the key must be writable
 333 * - implements keyctl(KEYCTL_REVOKE)
 334 */
 335long keyctl_revoke_key(key_serial_t id)
 336{
 337        key_ref_t key_ref;
 338        long ret;
 339
 340        key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
 341        if (IS_ERR(key_ref)) {
 342                ret = PTR_ERR(key_ref);
 343                goto error;
 344        }
 345
 346        key_revoke(key_ref_to_ptr(key_ref));
 347        ret = 0;
 348
 349        key_ref_put(key_ref);
 350 error:
 351        return ret;
 352
 353} /* end keyctl_revoke_key() */
 354
 355/*****************************************************************************/
 356/*
 357 * clear the specified process keyring
 358 * - the keyring must be writable
 359 * - implements keyctl(KEYCTL_CLEAR)
 360 */
 361long keyctl_keyring_clear(key_serial_t ringid)
 362{
 363        key_ref_t keyring_ref;
 364        long ret;
 365
 366        keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
 367        if (IS_ERR(keyring_ref)) {
 368                ret = PTR_ERR(keyring_ref);
 369                goto error;
 370        }
 371
 372        ret = keyring_clear(key_ref_to_ptr(keyring_ref));
 373
 374        key_ref_put(keyring_ref);
 375 error:
 376        return ret;
 377
 378} /* end keyctl_keyring_clear() */
 379
 380/*****************************************************************************/
 381/*
 382 * link a key into a keyring
 383 * - the keyring must be writable
 384 * - the key must be linkable
 385 * - implements keyctl(KEYCTL_LINK)
 386 */
 387long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
 388{
 389        key_ref_t keyring_ref, key_ref;
 390        long ret;
 391
 392        keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
 393        if (IS_ERR(keyring_ref)) {
 394                ret = PTR_ERR(keyring_ref);
 395                goto error;
 396        }
 397
 398        key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK);
 399        if (IS_ERR(key_ref)) {
 400                ret = PTR_ERR(key_ref);
 401                goto error2;
 402        }
 403
 404        ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
 405
 406        key_ref_put(key_ref);
 407 error2:
 408        key_ref_put(keyring_ref);
 409 error:
 410        return ret;
 411
 412} /* end keyctl_keyring_link() */
 413
 414/*****************************************************************************/
 415/*
 416 * unlink the first attachment of a key from a keyring
 417 * - the keyring must be writable
 418 * - we don't need any permissions on the key
 419 * - implements keyctl(KEYCTL_UNLINK)
 420 */
 421long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
 422{
 423        key_ref_t keyring_ref, key_ref;
 424        long ret;
 425
 426        keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE);
 427        if (IS_ERR(keyring_ref)) {
 428                ret = PTR_ERR(keyring_ref);
 429                goto error;
 430        }
 431
 432        key_ref = lookup_user_key(NULL, id, 0, 0, 0);
 433        if (IS_ERR(key_ref)) {
 434                ret = PTR_ERR(key_ref);
 435                goto error2;
 436        }
 437
 438        ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
 439
 440        key_ref_put(key_ref);
 441 error2:
 442        key_ref_put(keyring_ref);
 443 error:
 444        return ret;
 445
 446} /* end keyctl_keyring_unlink() */
 447
 448/*****************************************************************************/
 449/*
 450 * describe a user key
 451 * - the key must have view permission
 452 * - if there's a buffer, we place up to buflen bytes of data into it
 453 * - unless there's an error, we return the amount of description available,
 454 *   irrespective of how much we may have copied
 455 * - the description is formatted thus:
 456 *      type;uid;gid;perm;description<NUL>
 457 * - implements keyctl(KEYCTL_DESCRIBE)
 458 */
 459long keyctl_describe_key(key_serial_t keyid,
 460                         char __user *buffer,
 461                         size_t buflen)
 462{
 463        struct key *key, *instkey;
 464        key_ref_t key_ref;
 465        char *tmpbuf;
 466        long ret;
 467
 468        key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
 469        if (IS_ERR(key_ref)) {
 470                /* viewing a key under construction is permitted if we have the
 471                 * authorisation token handy */
 472                if (PTR_ERR(key_ref) == -EACCES) {
 473                        instkey = key_get_instantiation_authkey(keyid);
 474                        if (!IS_ERR(instkey)) {
 475                                key_put(instkey);
 476                                key_ref = lookup_user_key(NULL, keyid,
 477                                                          0, 1, 0);
 478                                if (!IS_ERR(key_ref))
 479                                        goto okay;
 480                        }
 481                }
 482
 483                ret = PTR_ERR(key_ref);
 484                goto error;
 485        }
 486
 487okay:
 488        /* calculate how much description we're going to return */
 489        ret = -ENOMEM;
 490        tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL);
 491        if (!tmpbuf)
 492                goto error2;
 493
 494        key = key_ref_to_ptr(key_ref);
 495
 496        ret = snprintf(tmpbuf, PAGE_SIZE - 1,
 497                       "%s;%d;%d;%08x;%s",
 498                       key_ref_to_ptr(key_ref)->type->name,
 499                       key_ref_to_ptr(key_ref)->uid,
 500                       key_ref_to_ptr(key_ref)->gid,
 501                       key_ref_to_ptr(key_ref)->perm,
 502                       key_ref_to_ptr(key_ref)->description ?
 503                       key_ref_to_ptr(key_ref)->description : ""
 504                       );
 505
 506        /* include a NUL char at the end of the data */
 507        if (ret > PAGE_SIZE - 1)
 508                ret = PAGE_SIZE - 1;
 509        tmpbuf[ret] = 0;
 510        ret++;
 511
 512        /* consider returning the data */
 513        if (buffer && buflen > 0) {
 514                if (buflen > ret)
 515                        buflen = ret;
 516
 517                if (copy_to_user(buffer, tmpbuf, buflen) != 0)
 518                        ret = -EFAULT;
 519        }
 520
 521        kfree(tmpbuf);
 522 error2:
 523        key_ref_put(key_ref);
 524 error:
 525        return ret;
 526
 527} /* end keyctl_describe_key() */
 528
 529/*****************************************************************************/
 530/*
 531 * search the specified keyring for a matching key
 532 * - the start keyring must be searchable
 533 * - nested keyrings may also be searched if they are searchable
 534 * - only keys with search permission may be found
 535 * - if a key is found, it will be attached to the destination keyring if
 536 *   there's one specified
 537 * - implements keyctl(KEYCTL_SEARCH)
 538 */
 539long keyctl_keyring_search(key_serial_t ringid,
 540                           const char __user *_type,
 541                           const char __user *_description,
 542                           key_serial_t destringid)
 543{
 544        struct key_type *ktype;
 545        key_ref_t keyring_ref, key_ref, dest_ref;
 546        char type[32], *description;
 547        long ret;
 548
 549        /* pull the type and description into kernel space */
 550        ret = key_get_type_from_user(type, _type, sizeof(type));
 551        if (ret < 0)
 552                goto error;
 553
 554        description = strndup_user(_description, PAGE_SIZE);
 555        if (IS_ERR(description)) {
 556                ret = PTR_ERR(description);
 557                goto error;
 558        }
 559
 560        /* get the keyring at which to begin the search */
 561        keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH);
 562        if (IS_ERR(keyring_ref)) {
 563                ret = PTR_ERR(keyring_ref);
 564                goto error2;
 565        }
 566
 567        /* get the destination keyring if specified */
 568        dest_ref = NULL;
 569        if (destringid) {
 570                dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
 571                if (IS_ERR(dest_ref)) {
 572                        ret = PTR_ERR(dest_ref);
 573                        goto error3;
 574                }
 575        }
 576
 577        /* find the key type */
 578        ktype = key_type_lookup(type);
 579        if (IS_ERR(ktype)) {
 580                ret = PTR_ERR(ktype);
 581                goto error4;
 582        }
 583
 584        /* do the search */
 585        key_ref = keyring_search(keyring_ref, ktype, description);
 586        if (IS_ERR(key_ref)) {
 587                ret = PTR_ERR(key_ref);
 588
 589                /* treat lack or presence of a negative key the same */
 590                if (ret == -EAGAIN)
 591                        ret = -ENOKEY;
 592                goto error5;
 593        }
 594
 595        /* link the resulting key to the destination keyring if we can */
 596        if (dest_ref) {
 597                ret = key_permission(key_ref, KEY_LINK);
 598                if (ret < 0)
 599                        goto error6;
 600
 601                ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
 602                if (ret < 0)
 603                        goto error6;
 604        }
 605
 606        ret = key_ref_to_ptr(key_ref)->serial;
 607
 608 error6:
 609        key_ref_put(key_ref);
 610 error5:
 611        key_type_put(ktype);
 612 error4:
 613        key_ref_put(dest_ref);
 614 error3:
 615        key_ref_put(keyring_ref);
 616 error2:
 617        kfree(description);
 618 error:
 619        return ret;
 620
 621} /* end keyctl_keyring_search() */
 622
 623/*****************************************************************************/
 624/*
 625 * read a user key's payload
 626 * - the keyring must be readable or the key must be searchable from the
 627 *   process's keyrings
 628 * - if there's a buffer, we place up to buflen bytes of data into it
 629 * - unless there's an error, we return the amount of data in the key,
 630 *   irrespective of how much we may have copied
 631 * - implements keyctl(KEYCTL_READ)
 632 */
 633long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 634{
 635        struct key *key;
 636        key_ref_t key_ref;
 637        long ret;
 638
 639        /* find the key first */
 640        key_ref = lookup_user_key(NULL, keyid, 0, 0, 0);
 641        if (IS_ERR(key_ref)) {
 642                ret = -ENOKEY;
 643                goto error;
 644        }
 645
 646        key = key_ref_to_ptr(key_ref);
 647
 648        /* see if we can read it directly */
 649        ret = key_permission(key_ref, KEY_READ);
 650        if (ret == 0)
 651                goto can_read_key;
 652        if (ret != -EACCES)
 653                goto error;
 654
 655        /* we can't; see if it's searchable from this process's keyrings
 656         * - we automatically take account of the fact that it may be
 657         *   dangling off an instantiation key
 658         */
 659        if (!is_key_possessed(key_ref)) {
 660                ret = -EACCES;
 661                goto error2;
 662        }
 663
 664        /* the key is probably readable - now try to read it */
 665 can_read_key:
 666        ret = key_validate(key);
 667        if (ret == 0) {
 668                ret = -EOPNOTSUPP;
 669                if (key->type->read) {
 670                        /* read the data with the semaphore held (since we
 671                         * might sleep) */
 672                        down_read(&key->sem);
 673                        ret = key->type->read(key, buffer, buflen);
 674                        up_read(&key->sem);
 675                }
 676        }
 677
 678 error2:
 679        key_put(key);
 680 error:
 681        return ret;
 682
 683} /* end keyctl_read_key() */
 684
 685/*****************************************************************************/
 686/*
 687 * change the ownership of a key
 688 * - the keyring owned by the changer
 689 * - if the uid or gid is -1, then that parameter is not changed
 690 * - implements keyctl(KEYCTL_CHOWN)
 691 */
 692long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
 693{
 694        struct key_user *newowner, *zapowner = NULL;
 695        struct key *key;
 696        key_ref_t key_ref;
 697        long ret;
 698
 699        ret = 0;
 700        if (uid == (uid_t) -1 && gid == (gid_t) -1)
 701                goto error;
 702
 703        key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR);
 704        if (IS_ERR(key_ref)) {
 705                ret = PTR_ERR(key_ref);
 706                goto error;
 707        }
 708
 709        key = key_ref_to_ptr(key_ref);
 710
 711        /* make the changes with the locks held to prevent chown/chown races */
 712        ret = -EACCES;
 713        down_write(&key->sem);
 714
 715        if (!capable(CAP_SYS_ADMIN)) {
 716                /* only the sysadmin can chown a key to some other UID */
 717                if (uid != (uid_t) -1 && key->uid != uid)
 718                        goto error_put;
 719
 720                /* only the sysadmin can set the key's GID to a group other
 721                 * than one of those that the current process subscribes to */
 722                if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid))
 723                        goto error_put;
 724        }
 725
 726        /* change the UID */
 727        if (uid != (uid_t) -1 && uid != key->uid) {
 728                ret = -ENOMEM;
 729                newowner = key_user_lookup(uid);
 730                if (!newowner)
 731                        goto error_put;
 732
 733                /* transfer the quota burden to the new user */
 734                if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
 735                        unsigned maxkeys = (uid == 0) ?
 736                                key_quota_root_maxkeys : key_quota_maxkeys;
 737                        unsigned maxbytes = (uid == 0) ?
 738                                key_quota_root_maxbytes : key_quota_maxbytes;
 739
 740                        spin_lock(&newowner->lock);
 741                        if (newowner->qnkeys + 1 >= maxkeys ||
 742                            newowner->qnbytes + key->quotalen >= maxbytes ||
 743                            newowner->qnbytes + key->quotalen <
 744                            newowner->qnbytes)
 745                                goto quota_overrun;
 746
 747                        newowner->qnkeys++;
 748                        newowner->qnbytes += key->quotalen;
 749                        spin_unlock(&newowner->lock);
 750
 751                        spin_lock(&key->user->lock);
 752                        key->user->qnkeys--;
 753                        key->user->qnbytes -= key->quotalen;
 754                        spin_unlock(&key->user->lock);
 755                }
 756
 757                atomic_dec(&key->user->nkeys);
 758                atomic_inc(&newowner->nkeys);
 759
 760                if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
 761                        atomic_dec(&key->user->nikeys);
 762                        atomic_inc(&newowner->nikeys);
 763                }
 764
 765                zapowner = key->user;
 766                key->user = newowner;
 767                key->uid = uid;
 768        }
 769
 770        /* change the GID */
 771        if (gid != (gid_t) -1)
 772                key->gid = gid;
 773
 774        ret = 0;
 775
 776error_put:
 777        up_write(&key->sem);
 778        key_put(key);
 779        if (zapowner)
 780                key_user_put(zapowner);
 781error:
 782        return ret;
 783
 784quota_overrun:
 785        spin_unlock(&newowner->lock);
 786        zapowner = newowner;
 787        ret = -EDQUOT;
 788        goto error_put;
 789
 790} /* end keyctl_chown_key() */
 791
 792/*****************************************************************************/
 793/*
 794 * change the permission mask on a key
 795 * - the keyring owned by the changer
 796 * - implements keyctl(KEYCTL_SETPERM)
 797 */
 798long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
 799{
 800        struct key *key;
 801        key_ref_t key_ref;
 802        long ret;
 803
 804        ret = -EINVAL;
 805        if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
 806                goto error;
 807
 808        key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR);
 809        if (IS_ERR(key_ref)) {
 810                ret = PTR_ERR(key_ref);
 811                goto error;
 812        }
 813
 814        key = key_ref_to_ptr(key_ref);
 815
 816        /* make the changes with the locks held to prevent chown/chmod races */
 817        ret = -EACCES;
 818        down_write(&key->sem);
 819
 820        /* if we're not the sysadmin, we can only change a key that we own */
 821        if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) {
 822                key->perm = perm;
 823                ret = 0;
 824        }
 825
 826        up_write(&key->sem);
 827        key_put(key);
 828error:
 829        return ret;
 830
 831} /* end keyctl_setperm_key() */
 832
 833/*****************************************************************************/
 834/*
 835 * instantiate the key with the specified payload, and, if one is given, link
 836 * the key into the keyring
 837 */
 838long keyctl_instantiate_key(key_serial_t id,
 839                            const void __user *_payload,
 840                            size_t plen,
 841                            key_serial_t ringid)
 842{
 843        struct request_key_auth *rka;
 844        struct key *instkey;
 845        key_ref_t keyring_ref;
 846        void *payload;
 847        long ret;
 848        bool vm = false;
 849
 850        ret = -EINVAL;
 851        if (plen > 1024 * 1024 - 1)
 852                goto error;
 853
 854        /* the appropriate instantiation authorisation key must have been
 855         * assumed before calling this */
 856        ret = -EPERM;
 857        instkey = current->request_key_auth;
 858        if (!instkey)
 859                goto error;
 860
 861        rka = instkey->payload.data;
 862        if (rka->target_key->serial != id)
 863                goto error;
 864
 865        /* pull the payload in if one was supplied */
 866        payload = NULL;
 867
 868        if (_payload) {
 869                ret = -ENOMEM;
 870                payload = kmalloc(plen, GFP_KERNEL);
 871                if (!payload) {
 872                        if (plen <= PAGE_SIZE)
 873                                goto error;
 874                        vm = true;
 875                        payload = vmalloc(plen);
 876                        if (!payload)
 877                                goto error;
 878                }
 879
 880                ret = -EFAULT;
 881                if (copy_from_user(payload, _payload, plen) != 0)
 882                        goto error2;
 883        }
 884
 885        /* find the destination keyring amongst those belonging to the
 886         * requesting task */
 887        keyring_ref = NULL;
 888        if (ringid) {
 889                keyring_ref = lookup_user_key(rka->context, ringid, 1, 0,
 890                                              KEY_WRITE);
 891                if (IS_ERR(keyring_ref)) {
 892                        ret = PTR_ERR(keyring_ref);
 893                        goto error2;
 894                }
 895        }
 896
 897        /* instantiate the key and link it into a keyring */
 898        ret = key_instantiate_and_link(rka->target_key, payload, plen,
 899                                       key_ref_to_ptr(keyring_ref), instkey);
 900
 901        key_ref_put(keyring_ref);
 902
 903        /* discard the assumed authority if it's just been disabled by
 904         * instantiation of the key */
 905        if (ret == 0) {
 906                key_put(current->request_key_auth);
 907                current->request_key_auth = NULL;
 908        }
 909
 910error2:
 911        if (!vm)
 912                kfree(payload);
 913        else
 914                vfree(payload);
 915error:
 916        return ret;
 917
 918} /* end keyctl_instantiate_key() */
 919
 920/*****************************************************************************/
 921/*
 922 * negatively instantiate the key with the given timeout (in seconds), and, if
 923 * one is given, link the key into the keyring
 924 */
 925long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
 926{
 927        struct request_key_auth *rka;
 928        struct key *instkey;
 929        key_ref_t keyring_ref;
 930        long ret;
 931
 932        /* the appropriate instantiation authorisation key must have been
 933         * assumed before calling this */
 934        ret = -EPERM;
 935        instkey = current->request_key_auth;
 936        if (!instkey)
 937                goto error;
 938
 939        rka = instkey->payload.data;
 940        if (rka->target_key->serial != id)
 941                goto error;
 942
 943        /* find the destination keyring if present (which must also be
 944         * writable) */
 945        keyring_ref = NULL;
 946        if (ringid) {
 947                keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
 948                if (IS_ERR(keyring_ref)) {
 949                        ret = PTR_ERR(keyring_ref);
 950                        goto error;
 951                }
 952        }
 953
 954        /* instantiate the key and link it into a keyring */
 955        ret = key_negate_and_link(rka->target_key, timeout,
 956                                  key_ref_to_ptr(keyring_ref), instkey);
 957
 958        key_ref_put(keyring_ref);
 959
 960        /* discard the assumed authority if it's just been disabled by
 961         * instantiation of the key */
 962        if (ret == 0) {
 963                key_put(current->request_key_auth);
 964                current->request_key_auth = NULL;
 965        }
 966
 967error:
 968        return ret;
 969
 970} /* end keyctl_negate_key() */
 971
 972/*****************************************************************************/
 973/*
 974 * set the default keyring in which request_key() will cache keys
 975 * - return the old setting
 976 */
 977long keyctl_set_reqkey_keyring(int reqkey_defl)
 978{
 979        int ret;
 980
 981        switch (reqkey_defl) {
 982        case KEY_REQKEY_DEFL_THREAD_KEYRING:
 983                ret = install_thread_keyring(current);
 984                if (ret < 0)
 985                        return ret;
 986                goto set;
 987
 988        case KEY_REQKEY_DEFL_PROCESS_KEYRING:
 989                ret = install_process_keyring(current);
 990                if (ret < 0)
 991                        return ret;
 992
 993        case KEY_REQKEY_DEFL_DEFAULT:
 994        case KEY_REQKEY_DEFL_SESSION_KEYRING:
 995        case KEY_REQKEY_DEFL_USER_KEYRING:
 996        case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
 997        set:
 998                current->jit_keyring = reqkey_defl;
 999
1000        case KEY_REQKEY_DEFL_NO_CHANGE:
1001                return current->jit_keyring;
1002
1003        case KEY_REQKEY_DEFL_GROUP_KEYRING:
1004        default:
1005                return -EINVAL;
1006        }
1007
1008} /* end keyctl_set_reqkey_keyring() */
1009
1010/*****************************************************************************/
1011/*
1012 * set or clear the timeout for a key
1013 */
1014long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1015{
1016        struct timespec now;
1017        struct key *key;
1018        key_ref_t key_ref;
1019        time_t expiry;
1020        long ret;
1021
1022        key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR);
1023        if (IS_ERR(key_ref)) {
1024                ret = PTR_ERR(key_ref);
1025                goto error;
1026        }
1027
1028        key = key_ref_to_ptr(key_ref);
1029
1030        /* make the changes with the locks held to prevent races */
1031        down_write(&key->sem);
1032
1033        expiry = 0;
1034        if (timeout > 0) {
1035                now = current_kernel_time();
1036                expiry = now.tv_sec + timeout;
1037        }
1038
1039        key->expiry = expiry;
1040
1041        up_write(&key->sem);
1042        key_put(key);
1043
1044        ret = 0;
1045error:
1046        return ret;
1047
1048} /* end keyctl_set_timeout() */
1049
1050/*****************************************************************************/
1051/*
1052 * assume the authority to instantiate the specified key
1053 */
1054long keyctl_assume_authority(key_serial_t id)
1055{
1056        struct key *authkey;
1057        long ret;
1058
1059        /* special key IDs aren't permitted */
1060        ret = -EINVAL;
1061        if (id < 0)
1062                goto error;
1063
1064        /* we divest ourselves of authority if given an ID of 0 */
1065        if (id == 0) {
1066                key_put(current->request_key_auth);
1067                current->request_key_auth = NULL;
1068                ret = 0;
1069                goto error;
1070        }
1071
1072        /* attempt to assume the authority temporarily granted to us whilst we
1073         * instantiate the specified key
1074         * - the authorisation key must be in the current task's keyrings
1075         *   somewhere
1076         */
1077        authkey = key_get_instantiation_authkey(id);
1078        if (IS_ERR(authkey)) {
1079                ret = PTR_ERR(authkey);
1080                goto error;
1081        }
1082
1083        key_put(current->request_key_auth);
1084        current->request_key_auth = authkey;
1085        ret = authkey->serial;
1086
1087error:
1088        return ret;
1089
1090} /* end keyctl_assume_authority() */
1091
1092/*
1093 * get the security label of a key
1094 * - the key must grant us view permission
1095 * - if there's a buffer, we place up to buflen bytes of data into it
1096 * - unless there's an error, we return the amount of information available,
1097 *   irrespective of how much we may have copied (including the terminal NUL)
1098 * - implements keyctl(KEYCTL_GET_SECURITY)
1099 */
1100long keyctl_get_security(key_serial_t keyid,
1101                         char __user *buffer,
1102                         size_t buflen)
1103{
1104        struct key *key, *instkey;
1105        key_ref_t key_ref;
1106        char *context;
1107        long ret;
1108
1109        key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
1110        if (IS_ERR(key_ref)) {
1111                if (PTR_ERR(key_ref) != -EACCES)
1112                        return PTR_ERR(key_ref);
1113
1114                /* viewing a key under construction is also permitted if we
1115                 * have the authorisation token handy */
1116                instkey = key_get_instantiation_authkey(keyid);
1117                if (IS_ERR(instkey))
1118                        return PTR_ERR(key_ref);
1119                key_put(instkey);
1120
1121                key_ref = lookup_user_key(NULL, keyid, 0, 1, 0);
1122                if (IS_ERR(key_ref))
1123                        return PTR_ERR(key_ref);
1124        }
1125
1126        key = key_ref_to_ptr(key_ref);
1127        ret = security_key_getsecurity(key, &context);
1128        if (ret == 0) {
1129                /* if no information was returned, give userspace an empty
1130                 * string */
1131                ret = 1;
1132                if (buffer && buflen > 0 &&
1133                    copy_to_user(buffer, "", 1) != 0)
1134                        ret = -EFAULT;
1135        } else if (ret > 0) {
1136                /* return as much data as there's room for */
1137                if (buffer && buflen > 0) {
1138                        if (buflen > ret)
1139                                buflen = ret;
1140
1141                        if (copy_to_user(buffer, context, buflen) != 0)
1142                                ret = -EFAULT;
1143                }
1144
1145                kfree(context);
1146        }
1147
1148        key_ref_put(key_ref);
1149        return ret;
1150}
1151
1152/*****************************************************************************/
1153/*
1154 * the key control system call
1155 */
1156SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1157                unsigned long, arg4, unsigned long, arg5)
1158{
1159        switch (option) {
1160        case KEYCTL_GET_KEYRING_ID:
1161                return keyctl_get_keyring_ID((key_serial_t) arg2,
1162                                             (int) arg3);
1163
1164        case KEYCTL_JOIN_SESSION_KEYRING:
1165                return keyctl_join_session_keyring((const char __user *) arg2);
1166
1167        case KEYCTL_UPDATE:
1168                return keyctl_update_key((key_serial_t) arg2,
1169                                         (const void __user *) arg3,
1170                                         (size_t) arg4);
1171
1172        case KEYCTL_REVOKE:
1173                return keyctl_revoke_key((key_serial_t) arg2);
1174
1175        case KEYCTL_DESCRIBE:
1176                return keyctl_describe_key((key_serial_t) arg2,
1177                                           (char __user *) arg3,
1178                                           (unsigned) arg4);
1179
1180        case KEYCTL_CLEAR:
1181                return keyctl_keyring_clear((key_serial_t) arg2);
1182
1183        case KEYCTL_LINK:
1184                return keyctl_keyring_link((key_serial_t) arg2,
1185                                           (key_serial_t) arg3);
1186
1187        case KEYCTL_UNLINK:
1188                return keyctl_keyring_unlink((key_serial_t) arg2,
1189                                             (key_serial_t) arg3);
1190
1191        case KEYCTL_SEARCH:
1192                return keyctl_keyring_search((key_serial_t) arg2,
1193                                             (const char __user *) arg3,
1194                                             (const char __user *) arg4,
1195                                             (key_serial_t) arg5);
1196
1197        case KEYCTL_READ:
1198                return keyctl_read_key((key_serial_t) arg2,
1199                                       (char __user *) arg3,
1200                                       (size_t) arg4);
1201
1202        case KEYCTL_CHOWN:
1203                return keyctl_chown_key((key_serial_t) arg2,
1204                                        (uid_t) arg3,
1205                                        (gid_t) arg4);
1206
1207        case KEYCTL_SETPERM:
1208                return keyctl_setperm_key((key_serial_t) arg2,
1209                                          (key_perm_t) arg3);
1210
1211        case KEYCTL_INSTANTIATE:
1212                return keyctl_instantiate_key((key_serial_t) arg2,
1213                                              (const void __user *) arg3,
1214                                              (size_t) arg4,
1215                                              (key_serial_t) arg5);
1216
1217        case KEYCTL_NEGATE:
1218                return keyctl_negate_key((key_serial_t) arg2,
1219                                         (unsigned) arg3,
1220                                         (key_serial_t) arg4);
1221
1222        case KEYCTL_SET_REQKEY_KEYRING:
1223                return keyctl_set_reqkey_keyring(arg2);
1224
1225        case KEYCTL_SET_TIMEOUT:
1226                return keyctl_set_timeout((key_serial_t) arg2,
1227                                          (unsigned) arg3);
1228
1229        case KEYCTL_ASSUME_AUTHORITY:
1230                return keyctl_assume_authority((key_serial_t) arg2);
1231
1232        case KEYCTL_GET_SECURITY:
1233                return keyctl_get_security((key_serial_t) arg2,
1234                                           (char *) arg3,
1235                                           (size_t) arg4);
1236
1237        default:
1238                return -EOPNOTSUPP;
1239        }
1240
1241} /* end sys_keyctl() */
1242