mirror of https://github.com/Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1794 lines
48 KiB
1794 lines
48 KiB
// SPDX-License-Identifier: GPL-2.0-or-later |
|
/* Keyring handling |
|
* |
|
* Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved. |
|
* Written by David Howells ([email protected]) |
|
*/ |
|
|
|
#include <linux/export.h> |
|
#include <linux/init.h> |
|
#include <linux/sched.h> |
|
#include <linux/slab.h> |
|
#include <linux/security.h> |
|
#include <linux/seq_file.h> |
|
#include <linux/err.h> |
|
#include <linux/user_namespace.h> |
|
#include <linux/nsproxy.h> |
|
#include <keys/keyring-type.h> |
|
#include <keys/user-type.h> |
|
#include <linux/assoc_array_priv.h> |
|
#include <linux/uaccess.h> |
|
#include <net/net_namespace.h> |
|
#include "internal.h" |
|
|
|
/* |
|
* When plumbing the depths of the key tree, this sets a hard limit |
|
* set on how deep we're willing to go. |
|
*/ |
|
#define KEYRING_SEARCH_MAX_DEPTH 6 |
|
|
|
/* |
|
* We mark pointers we pass to the associative array with bit 1 set if |
|
* they're keyrings and clear otherwise. |
|
*/ |
|
#define KEYRING_PTR_SUBTYPE 0x2UL |
|
|
|
static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x) |
|
{ |
|
return (unsigned long)x & KEYRING_PTR_SUBTYPE; |
|
} |
|
static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x) |
|
{ |
|
void *object = assoc_array_ptr_to_leaf(x); |
|
return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE); |
|
} |
|
static inline void *keyring_key_to_ptr(struct key *key) |
|
{ |
|
if (key->type == &key_type_keyring) |
|
return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE); |
|
return key; |
|
} |
|
|
|
static DEFINE_RWLOCK(keyring_name_lock); |
|
|
|
/* |
|
* Clean up the bits of user_namespace that belong to us. |
|
*/ |
|
void key_free_user_ns(struct user_namespace *ns) |
|
{ |
|
write_lock(&keyring_name_lock); |
|
list_del_init(&ns->keyring_name_list); |
|
write_unlock(&keyring_name_lock); |
|
|
|
key_put(ns->user_keyring_register); |
|
#ifdef CONFIG_PERSISTENT_KEYRINGS |
|
key_put(ns->persistent_keyring_register); |
|
#endif |
|
} |
|
|
|
/* |
|
* The keyring key type definition. Keyrings are simply keys of this type and |
|
* can be treated as ordinary keys in addition to having their own special |
|
* operations. |
|
*/ |
|
static int keyring_preparse(struct key_preparsed_payload *prep); |
|
static void keyring_free_preparse(struct key_preparsed_payload *prep); |
|
static int keyring_instantiate(struct key *keyring, |
|
struct key_preparsed_payload *prep); |
|
static void keyring_revoke(struct key *keyring); |
|
static void keyring_destroy(struct key *keyring); |
|
static void keyring_describe(const struct key *keyring, struct seq_file *m); |
|
static long keyring_read(const struct key *keyring, |
|
char __user *buffer, size_t buflen); |
|
|
|
struct key_type key_type_keyring = { |
|
.name = "keyring", |
|
.def_datalen = 0, |
|
.preparse = keyring_preparse, |
|
.free_preparse = keyring_free_preparse, |
|
.instantiate = keyring_instantiate, |
|
.revoke = keyring_revoke, |
|
.destroy = keyring_destroy, |
|
.describe = keyring_describe, |
|
.read = keyring_read, |
|
}; |
|
EXPORT_SYMBOL(key_type_keyring); |
|
|
|
/* |
|
* Semaphore to serialise link/link calls to prevent two link calls in parallel |
|
* introducing a cycle. |
|
*/ |
|
static DEFINE_MUTEX(keyring_serialise_link_lock); |
|
|
|
/* |
|
* Publish the name of a keyring so that it can be found by name (if it has |
|
* one and it doesn't begin with a dot). |
|
*/ |
|
static void keyring_publish_name(struct key *keyring) |
|
{ |
|
struct user_namespace *ns = current_user_ns(); |
|
|
|
if (keyring->description && |
|
keyring->description[0] && |
|
keyring->description[0] != '.') { |
|
write_lock(&keyring_name_lock); |
|
list_add_tail(&keyring->name_link, &ns->keyring_name_list); |
|
write_unlock(&keyring_name_lock); |
|
} |
|
} |
|
|
|
/* |
|
* Preparse a keyring payload |
|
*/ |
|
static int keyring_preparse(struct key_preparsed_payload *prep) |
|
{ |
|
return prep->datalen != 0 ? -EINVAL : 0; |
|
} |
|
|
|
/* |
|
* Free a preparse of a user defined key payload |
|
*/ |
|
static void keyring_free_preparse(struct key_preparsed_payload *prep) |
|
{ |
|
} |
|
|
|
/* |
|
* Initialise a keyring. |
|
* |
|
* Returns 0 on success, -EINVAL if given any data. |
|
*/ |
|
static int keyring_instantiate(struct key *keyring, |
|
struct key_preparsed_payload *prep) |
|
{ |
|
assoc_array_init(&keyring->keys); |
|
/* make the keyring available by name if it has one */ |
|
keyring_publish_name(keyring); |
|
return 0; |
|
} |
|
|
|
/* |
|
* Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd |
|
* fold the carry back too, but that requires inline asm. |
|
*/ |
|
static u64 mult_64x32_and_fold(u64 x, u32 y) |
|
{ |
|
u64 hi = (u64)(u32)(x >> 32) * y; |
|
u64 lo = (u64)(u32)(x) * y; |
|
return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32); |
|
} |
|
|
|
/* |
|
* Hash a key type and description. |
|
*/ |
|
static void hash_key_type_and_desc(struct keyring_index_key *index_key) |
|
{ |
|
const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; |
|
const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; |
|
const char *description = index_key->description; |
|
unsigned long hash, type; |
|
u32 piece; |
|
u64 acc; |
|
int n, desc_len = index_key->desc_len; |
|
|
|
type = (unsigned long)index_key->type; |
|
acc = mult_64x32_and_fold(type, desc_len + 13); |
|
acc = mult_64x32_and_fold(acc, 9207); |
|
piece = (unsigned long)index_key->domain_tag; |
|
acc = mult_64x32_and_fold(acc, piece); |
|
acc = mult_64x32_and_fold(acc, 9207); |
|
|
|
for (;;) { |
|
n = desc_len; |
|
if (n <= 0) |
|
break; |
|
if (n > 4) |
|
n = 4; |
|
piece = 0; |
|
memcpy(&piece, description, n); |
|
description += n; |
|
desc_len -= n; |
|
acc = mult_64x32_and_fold(acc, piece); |
|
acc = mult_64x32_and_fold(acc, 9207); |
|
} |
|
|
|
/* Fold the hash down to 32 bits if need be. */ |
|
hash = acc; |
|
if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32) |
|
hash ^= acc >> 32; |
|
|
|
/* Squidge all the keyrings into a separate part of the tree to |
|
* ordinary keys by making sure the lowest level segment in the hash is |
|
* zero for keyrings and non-zero otherwise. |
|
*/ |
|
if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) |
|
hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; |
|
else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) |
|
hash = (hash + (hash << level_shift)) & ~fan_mask; |
|
index_key->hash = hash; |
|
} |
|
|
|
/* |
|
* Finalise an index key to include a part of the description actually in the |
|
* index key, to set the domain tag and to calculate the hash. |
|
*/ |
|
void key_set_index_key(struct keyring_index_key *index_key) |
|
{ |
|
static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), }; |
|
size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc)); |
|
|
|
memcpy(index_key->desc, index_key->description, n); |
|
|
|
if (!index_key->domain_tag) { |
|
if (index_key->type->flags & KEY_TYPE_NET_DOMAIN) |
|
index_key->domain_tag = current->nsproxy->net_ns->key_domain; |
|
else |
|
index_key->domain_tag = &default_domain_tag; |
|
} |
|
|
|
hash_key_type_and_desc(index_key); |
|
} |
|
|
|
/** |
|
* key_put_tag - Release a ref on a tag. |
|
* @tag: The tag to release. |
|
* |
|
* This releases a reference the given tag and returns true if that ref was the |
|
* last one. |
|
*/ |
|
bool key_put_tag(struct key_tag *tag) |
|
{ |
|
if (refcount_dec_and_test(&tag->usage)) { |
|
kfree_rcu(tag, rcu); |
|
return true; |
|
} |
|
|
|
return false; |
|
} |
|
|
|
/** |
|
* key_remove_domain - Kill off a key domain and gc its keys |
|
* @domain_tag: The domain tag to release. |
|
* |
|
* This marks a domain tag as being dead and releases a ref on it. If that |
|
* wasn't the last reference, the garbage collector is poked to try and delete |
|
* all keys that were in the domain. |
|
*/ |
|
void key_remove_domain(struct key_tag *domain_tag) |
|
{ |
|
domain_tag->removed = true; |
|
if (!key_put_tag(domain_tag)) |
|
key_schedule_gc_links(); |
|
} |
|
|
|
/* |
|
* Build the next index key chunk. |
|
* |
|
* We return it one word-sized chunk at a time. |
|
*/ |
|
static unsigned long keyring_get_key_chunk(const void *data, int level) |
|
{ |
|
const struct keyring_index_key *index_key = data; |
|
unsigned long chunk = 0; |
|
const u8 *d; |
|
int desc_len = index_key->desc_len, n = sizeof(chunk); |
|
|
|
level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; |
|
switch (level) { |
|
case 0: |
|
return index_key->hash; |
|
case 1: |
|
return index_key->x; |
|
case 2: |
|
return (unsigned long)index_key->type; |
|
case 3: |
|
return (unsigned long)index_key->domain_tag; |
|
default: |
|
level -= 4; |
|
if (desc_len <= sizeof(index_key->desc)) |
|
return 0; |
|
|
|
d = index_key->description + sizeof(index_key->desc); |
|
d += level * sizeof(long); |
|
desc_len -= sizeof(index_key->desc); |
|
if (desc_len > n) |
|
desc_len = n; |
|
do { |
|
chunk <<= 8; |
|
chunk |= *d++; |
|
} while (--desc_len > 0); |
|
return chunk; |
|
} |
|
} |
|
|
|
static unsigned long keyring_get_object_key_chunk(const void *object, int level) |
|
{ |
|
const struct key *key = keyring_ptr_to_key(object); |
|
return keyring_get_key_chunk(&key->index_key, level); |
|
} |
|
|
|
static bool keyring_compare_object(const void *object, const void *data) |
|
{ |
|
const struct keyring_index_key *index_key = data; |
|
const struct key *key = keyring_ptr_to_key(object); |
|
|
|
return key->index_key.type == index_key->type && |
|
key->index_key.domain_tag == index_key->domain_tag && |
|
key->index_key.desc_len == index_key->desc_len && |
|
memcmp(key->index_key.description, index_key->description, |
|
index_key->desc_len) == 0; |
|
} |
|
|
|
/* |
|
* Compare the index keys of a pair of objects and determine the bit position |
|
* at which they differ - if they differ. |
|
*/ |
|
static int keyring_diff_objects(const void *object, const void *data) |
|
{ |
|
const struct key *key_a = keyring_ptr_to_key(object); |
|
const struct keyring_index_key *a = &key_a->index_key; |
|
const struct keyring_index_key *b = data; |
|
unsigned long seg_a, seg_b; |
|
int level, i; |
|
|
|
level = 0; |
|
seg_a = a->hash; |
|
seg_b = b->hash; |
|
if ((seg_a ^ seg_b) != 0) |
|
goto differ; |
|
level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; |
|
|
|
/* The number of bits contributed by the hash is controlled by a |
|
* constant in the assoc_array headers. Everything else thereafter we |
|
* can deal with as being machine word-size dependent. |
|
*/ |
|
seg_a = a->x; |
|
seg_b = b->x; |
|
if ((seg_a ^ seg_b) != 0) |
|
goto differ; |
|
level += sizeof(unsigned long); |
|
|
|
/* The next bit may not work on big endian */ |
|
seg_a = (unsigned long)a->type; |
|
seg_b = (unsigned long)b->type; |
|
if ((seg_a ^ seg_b) != 0) |
|
goto differ; |
|
level += sizeof(unsigned long); |
|
|
|
seg_a = (unsigned long)a->domain_tag; |
|
seg_b = (unsigned long)b->domain_tag; |
|
if ((seg_a ^ seg_b) != 0) |
|
goto differ; |
|
level += sizeof(unsigned long); |
|
|
|
i = sizeof(a->desc); |
|
if (a->desc_len <= i) |
|
goto same; |
|
|
|
for (; i < a->desc_len; i++) { |
|
seg_a = *(unsigned char *)(a->description + i); |
|
seg_b = *(unsigned char *)(b->description + i); |
|
if ((seg_a ^ seg_b) != 0) |
|
goto differ_plus_i; |
|
} |
|
|
|
same: |
|
return -1; |
|
|
|
differ_plus_i: |
|
level += i; |
|
differ: |
|
i = level * 8 + __ffs(seg_a ^ seg_b); |
|
return i; |
|
} |
|
|
|
/* |
|
* Free an object after stripping the keyring flag off of the pointer. |
|
*/ |
|
static void keyring_free_object(void *object) |
|
{ |
|
key_put(keyring_ptr_to_key(object)); |
|
} |
|
|
|
/* |
|
* Operations for keyring management by the index-tree routines. |
|
*/ |
|
static const struct assoc_array_ops keyring_assoc_array_ops = { |
|
.get_key_chunk = keyring_get_key_chunk, |
|
.get_object_key_chunk = keyring_get_object_key_chunk, |
|
.compare_object = keyring_compare_object, |
|
.diff_objects = keyring_diff_objects, |
|
.free_object = keyring_free_object, |
|
}; |
|
|
|
/* |
|
* Clean up a keyring when it is destroyed. Unpublish its name if it had one |
|
* and dispose of its data. |
|
* |
|
* The garbage collector detects the final key_put(), removes the keyring from |
|
* the serial number tree and then does RCU synchronisation before coming here, |
|
* so we shouldn't need to worry about code poking around here with the RCU |
|
* readlock held by this time. |
|
*/ |
|
static void keyring_destroy(struct key *keyring) |
|
{ |
|
if (keyring->description) { |
|
write_lock(&keyring_name_lock); |
|
|
|
if (keyring->name_link.next != NULL && |
|
!list_empty(&keyring->name_link)) |
|
list_del(&keyring->name_link); |
|
|
|
write_unlock(&keyring_name_lock); |
|
} |
|
|
|
if (keyring->restrict_link) { |
|
struct key_restriction *keyres = keyring->restrict_link; |
|
|
|
key_put(keyres->key); |
|
kfree(keyres); |
|
} |
|
|
|
assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); |
|
} |
|
|
|
/* |
|
* Describe a keyring for /proc. |
|
*/ |
|
static void keyring_describe(const struct key *keyring, struct seq_file *m) |
|
{ |
|
if (keyring->description) |
|
seq_puts(m, keyring->description); |
|
else |
|
seq_puts(m, "[anon]"); |
|
|
|
if (key_is_positive(keyring)) { |
|
if (keyring->keys.nr_leaves_on_tree != 0) |
|
seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); |
|
else |
|
seq_puts(m, ": empty"); |
|
} |
|
} |
|
|
|
struct keyring_read_iterator_context { |
|
size_t buflen; |
|
size_t count; |
|
key_serial_t *buffer; |
|
}; |
|
|
|
static int keyring_read_iterator(const void *object, void *data) |
|
{ |
|
struct keyring_read_iterator_context *ctx = data; |
|
const struct key *key = keyring_ptr_to_key(object); |
|
|
|
kenter("{%s,%d},,{%zu/%zu}", |
|
key->type->name, key->serial, ctx->count, ctx->buflen); |
|
|
|
if (ctx->count >= ctx->buflen) |
|
return 1; |
|
|
|
*ctx->buffer++ = key->serial; |
|
ctx->count += sizeof(key->serial); |
|
return 0; |
|
} |
|
|
|
/* |
|
* Read a list of key IDs from the keyring's contents in binary form |
|
* |
|
* The keyring's semaphore is read-locked by the caller. This prevents someone |
|
* from modifying it under us - which could cause us to read key IDs multiple |
|
* times. |
|
*/ |
|
static long keyring_read(const struct key *keyring, |
|
char *buffer, size_t buflen) |
|
{ |
|
struct keyring_read_iterator_context ctx; |
|
long ret; |
|
|
|
kenter("{%d},,%zu", key_serial(keyring), buflen); |
|
|
|
if (buflen & (sizeof(key_serial_t) - 1)) |
|
return -EINVAL; |
|
|
|
/* Copy as many key IDs as fit into the buffer */ |
|
if (buffer && buflen) { |
|
ctx.buffer = (key_serial_t *)buffer; |
|
ctx.buflen = buflen; |
|
ctx.count = 0; |
|
ret = assoc_array_iterate(&keyring->keys, |
|
keyring_read_iterator, &ctx); |
|
if (ret < 0) { |
|
kleave(" = %ld [iterate]", ret); |
|
return ret; |
|
} |
|
} |
|
|
|
/* Return the size of the buffer needed */ |
|
ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t); |
|
if (ret <= buflen) |
|
kleave("= %ld [ok]", ret); |
|
else |
|
kleave("= %ld [buffer too small]", ret); |
|
return ret; |
|
} |
|
|
|
/* |
|
* Allocate a keyring and link into the destination keyring. |
|
*/ |
|
struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, |
|
const struct cred *cred, key_perm_t perm, |
|
unsigned long flags, |
|
struct key_restriction *restrict_link, |
|
struct key *dest) |
|
{ |
|
struct key *keyring; |
|
int ret; |
|
|
|
keyring = key_alloc(&key_type_keyring, description, |
|
uid, gid, cred, perm, flags, restrict_link); |
|
if (!IS_ERR(keyring)) { |
|
ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); |
|
if (ret < 0) { |
|
key_put(keyring); |
|
keyring = ERR_PTR(ret); |
|
} |
|
} |
|
|
|
return keyring; |
|
} |
|
EXPORT_SYMBOL(keyring_alloc); |
|
|
|
/** |
|
* restrict_link_reject - Give -EPERM to restrict link |
|
* @keyring: The keyring being added to. |
|
* @type: The type of key being added. |
|
* @payload: The payload of the key intended to be added. |
|
* @restriction_key: Keys providing additional data for evaluating restriction. |
|
* |
|
* Reject the addition of any links to a keyring. It can be overridden by |
|
* passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when |
|
* adding a key to a keyring. |
|
* |
|
* This is meant to be stored in a key_restriction structure which is passed |
|
* in the restrict_link parameter to keyring_alloc(). |
|
*/ |
|
int restrict_link_reject(struct key *keyring, |
|
const struct key_type *type, |
|
const union key_payload *payload, |
|
struct key *restriction_key) |
|
{ |
|
return -EPERM; |
|
} |
|
|
|
/* |
|
* By default, we keys found by getting an exact match on their descriptions. |
|
*/ |
|
bool key_default_cmp(const struct key *key, |
|
const struct key_match_data *match_data) |
|
{ |
|
return strcmp(key->description, match_data->raw_data) == 0; |
|
} |
|
|
|
/* |
|
* Iteration function to consider each key found. |
|
*/ |
|
static int keyring_search_iterator(const void *object, void *iterator_data) |
|
{ |
|
struct keyring_search_context *ctx = iterator_data; |
|
const struct key *key = keyring_ptr_to_key(object); |
|
unsigned long kflags = READ_ONCE(key->flags); |
|
short state = READ_ONCE(key->state); |
|
|
|
kenter("{%d}", key->serial); |
|
|
|
/* ignore keys not of this type */ |
|
if (key->type != ctx->index_key.type) { |
|
kleave(" = 0 [!type]"); |
|
return 0; |
|
} |
|
|
|
/* skip invalidated, revoked and expired keys */ |
|
if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { |
|
time64_t expiry = READ_ONCE(key->expiry); |
|
|
|
if (kflags & ((1 << KEY_FLAG_INVALIDATED) | |
|
(1 << KEY_FLAG_REVOKED))) { |
|
ctx->result = ERR_PTR(-EKEYREVOKED); |
|
kleave(" = %d [invrev]", ctx->skipped_ret); |
|
goto skipped; |
|
} |
|
|
|
if (expiry && ctx->now >= expiry) { |
|
if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED)) |
|
ctx->result = ERR_PTR(-EKEYEXPIRED); |
|
kleave(" = %d [expire]", ctx->skipped_ret); |
|
goto skipped; |
|
} |
|
} |
|
|
|
/* keys that don't match */ |
|
if (!ctx->match_data.cmp(key, &ctx->match_data)) { |
|
kleave(" = 0 [!match]"); |
|
return 0; |
|
} |
|
|
|
/* key must have search permissions */ |
|
if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && |
|
key_task_permission(make_key_ref(key, ctx->possessed), |
|
ctx->cred, KEY_NEED_SEARCH) < 0) { |
|
ctx->result = ERR_PTR(-EACCES); |
|
kleave(" = %d [!perm]", ctx->skipped_ret); |
|
goto skipped; |
|
} |
|
|
|
if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { |
|
/* we set a different error code if we pass a negative key */ |
|
if (state < 0) { |
|
ctx->result = ERR_PTR(state); |
|
kleave(" = %d [neg]", ctx->skipped_ret); |
|
goto skipped; |
|
} |
|
} |
|
|
|
/* Found */ |
|
ctx->result = make_key_ref(key, ctx->possessed); |
|
kleave(" = 1 [found]"); |
|
return 1; |
|
|
|
skipped: |
|
return ctx->skipped_ret; |
|
} |
|
|
|
/* |
|
* Search inside a keyring for a key. We can search by walking to it |
|
* directly based on its index-key or we can iterate over the entire |
|
* tree looking for it, based on the match function. |
|
*/ |
|
static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) |
|
{ |
|
if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) { |
|
const void *object; |
|
|
|
object = assoc_array_find(&keyring->keys, |
|
&keyring_assoc_array_ops, |
|
&ctx->index_key); |
|
return object ? ctx->iterator(object, ctx) : 0; |
|
} |
|
return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); |
|
} |
|
|
|
/* |
|
* Search a tree of keyrings that point to other keyrings up to the maximum |
|
* depth. |
|
*/ |
|
static bool search_nested_keyrings(struct key *keyring, |
|
struct keyring_search_context *ctx) |
|
{ |
|
struct { |
|
struct key *keyring; |
|
struct assoc_array_node *node; |
|
int slot; |
|
} stack[KEYRING_SEARCH_MAX_DEPTH]; |
|
|
|
struct assoc_array_shortcut *shortcut; |
|
struct assoc_array_node *node; |
|
struct assoc_array_ptr *ptr; |
|
struct key *key; |
|
int sp = 0, slot; |
|
|
|
kenter("{%d},{%s,%s}", |
|
keyring->serial, |
|
ctx->index_key.type->name, |
|
ctx->index_key.description); |
|
|
|
#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK) |
|
BUG_ON((ctx->flags & STATE_CHECKS) == 0 || |
|
(ctx->flags & STATE_CHECKS) == STATE_CHECKS); |
|
|
|
if (ctx->index_key.description) |
|
key_set_index_key(&ctx->index_key); |
|
|
|
/* Check to see if this top-level keyring is what we are looking for |
|
* and whether it is valid or not. |
|
*/ |
|
if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || |
|
keyring_compare_object(keyring, &ctx->index_key)) { |
|
ctx->skipped_ret = 2; |
|
switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { |
|
case 1: |
|
goto found; |
|
case 2: |
|
return false; |
|
default: |
|
break; |
|
} |
|
} |
|
|
|
ctx->skipped_ret = 0; |
|
|
|
/* Start processing a new keyring */ |
|
descend_to_keyring: |
|
kdebug("descend to %d", keyring->serial); |
|
if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | |
|
(1 << KEY_FLAG_REVOKED))) |
|
goto not_this_keyring; |
|
|
|
/* Search through the keys in this keyring before its searching its |
|
* subtrees. |
|
*/ |
|
if (search_keyring(keyring, ctx)) |
|
goto found; |
|
|
|
/* Then manually iterate through the keyrings nested in this one. |
|
* |
|
* Start from the root node of the index tree. Because of the way the |
|
* hash function has been set up, keyrings cluster on the leftmost |
|
* branch of the root node (root slot 0) or in the root node itself. |
|
* Non-keyrings avoid the leftmost branch of the root entirely (root |
|
* slots 1-15). |
|
*/ |
|
if (!(ctx->flags & KEYRING_SEARCH_RECURSE)) |
|
goto not_this_keyring; |
|
|
|
ptr = READ_ONCE(keyring->keys.root); |
|
if (!ptr) |
|
goto not_this_keyring; |
|
|
|
if (assoc_array_ptr_is_shortcut(ptr)) { |
|
/* If the root is a shortcut, either the keyring only contains |
|
* keyring pointers (everything clusters behind root slot 0) or |
|
* doesn't contain any keyring pointers. |
|
*/ |
|
shortcut = assoc_array_ptr_to_shortcut(ptr); |
|
if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) |
|
goto not_this_keyring; |
|
|
|
ptr = READ_ONCE(shortcut->next_node); |
|
node = assoc_array_ptr_to_node(ptr); |
|
goto begin_node; |
|
} |
|
|
|
node = assoc_array_ptr_to_node(ptr); |
|
ptr = node->slots[0]; |
|
if (!assoc_array_ptr_is_meta(ptr)) |
|
goto begin_node; |
|
|
|
descend_to_node: |
|
/* Descend to a more distal node in this keyring's content tree and go |
|
* through that. |
|
*/ |
|
kdebug("descend"); |
|
if (assoc_array_ptr_is_shortcut(ptr)) { |
|
shortcut = assoc_array_ptr_to_shortcut(ptr); |
|
ptr = READ_ONCE(shortcut->next_node); |
|
BUG_ON(!assoc_array_ptr_is_node(ptr)); |
|
} |
|
node = assoc_array_ptr_to_node(ptr); |
|
|
|
begin_node: |
|
kdebug("begin_node"); |
|
slot = 0; |
|
ascend_to_node: |
|
/* Go through the slots in a node */ |
|
for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { |
|
ptr = READ_ONCE(node->slots[slot]); |
|
|
|
if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) |
|
goto descend_to_node; |
|
|
|
if (!keyring_ptr_is_keyring(ptr)) |
|
continue; |
|
|
|
key = keyring_ptr_to_key(ptr); |
|
|
|
if (sp >= KEYRING_SEARCH_MAX_DEPTH) { |
|
if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) { |
|
ctx->result = ERR_PTR(-ELOOP); |
|
return false; |
|
} |
|
goto not_this_keyring; |
|
} |
|
|
|
/* Search a nested keyring */ |
|
if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && |
|
key_task_permission(make_key_ref(key, ctx->possessed), |
|
ctx->cred, KEY_NEED_SEARCH) < 0) |
|
continue; |
|
|
|
/* stack the current position */ |
|
stack[sp].keyring = keyring; |
|
stack[sp].node = node; |
|
stack[sp].slot = slot; |
|
sp++; |
|
|
|
/* begin again with the new keyring */ |
|
keyring = key; |
|
goto descend_to_keyring; |
|
} |
|
|
|
/* We've dealt with all the slots in the current node, so now we need |
|
* to ascend to the parent and continue processing there. |
|
*/ |
|
ptr = READ_ONCE(node->back_pointer); |
|
slot = node->parent_slot; |
|
|
|
if (ptr && assoc_array_ptr_is_shortcut(ptr)) { |
|
shortcut = assoc_array_ptr_to_shortcut(ptr); |
|
ptr = READ_ONCE(shortcut->back_pointer); |
|
slot = shortcut->parent_slot; |
|
} |
|
if (!ptr) |
|
goto not_this_keyring; |
|
node = assoc_array_ptr_to_node(ptr); |
|
slot++; |
|
|
|
/* If we've ascended to the root (zero backpointer), we must have just |
|
* finished processing the leftmost branch rather than the root slots - |
|
* so there can't be any more keyrings for us to find. |
|
*/ |
|
if (node->back_pointer) { |
|
kdebug("ascend %d", slot); |
|
goto ascend_to_node; |
|
} |
|
|
|
/* The keyring we're looking at was disqualified or didn't contain a |
|
* matching key. |
|
*/ |
|
not_this_keyring: |
|
kdebug("not_this_keyring %d", sp); |
|
if (sp <= 0) { |
|
kleave(" = false"); |
|
return false; |
|
} |
|
|
|
/* Resume the processing of a keyring higher up in the tree */ |
|
sp--; |
|
keyring = stack[sp].keyring; |
|
node = stack[sp].node; |
|
slot = stack[sp].slot + 1; |
|
kdebug("ascend to %d [%d]", keyring->serial, slot); |
|
goto ascend_to_node; |
|
|
|
/* We found a viable match */ |
|
found: |
|
key = key_ref_to_ptr(ctx->result); |
|
key_check(key); |
|
if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) { |
|
key->last_used_at = ctx->now; |
|
keyring->last_used_at = ctx->now; |
|
while (sp > 0) |
|
stack[--sp].keyring->last_used_at = ctx->now; |
|
} |
|
kleave(" = true"); |
|
return true; |
|
} |
|
|
|
/** |
|
* keyring_search_rcu - Search a keyring tree for a matching key under RCU |
|
* @keyring_ref: A pointer to the keyring with possession indicator. |
|
* @ctx: The keyring search context. |
|
* |
|
* Search the supplied keyring tree for a key that matches the criteria given. |
|
* The root keyring and any linked keyrings must grant Search permission to the |
|
* caller to be searchable and keys can only be found if they too grant Search |
|
* to the caller. The possession flag on the root keyring pointer controls use |
|
* of the possessor bits in permissions checking of the entire tree. In |
|
* addition, the LSM gets to forbid keyring searches and key matches. |
|
* |
|
* The search is performed as a breadth-then-depth search up to the prescribed |
|
* limit (KEYRING_SEARCH_MAX_DEPTH). The caller must hold the RCU read lock to |
|
* prevent keyrings from being destroyed or rearranged whilst they are being |
|
* searched. |
|
* |
|
* Keys are matched to the type provided and are then filtered by the match |
|
* function, which is given the description to use in any way it sees fit. The |
|
* match function may use any attributes of a key that it wishes to |
|
* determine the match. Normally the match function from the key type would be |
|
* used. |
|
* |
|
* RCU can be used to prevent the keyring key lists from disappearing without |
|
* the need to take lots of locks. |
|
* |
|
* Returns a pointer to the found key and increments the key usage count if |
|
* successful; -EAGAIN if no matching keys were found, or if expired or revoked |
|
* keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the |
|
* specified keyring wasn't a keyring. |
|
* |
|
* In the case of a successful return, the possession attribute from |
|
* @keyring_ref is propagated to the returned key reference. |
|
*/ |
|
key_ref_t keyring_search_rcu(key_ref_t keyring_ref, |
|
struct keyring_search_context *ctx) |
|
{ |
|
struct key *keyring; |
|
long err; |
|
|
|
ctx->iterator = keyring_search_iterator; |
|
ctx->possessed = is_key_possessed(keyring_ref); |
|
ctx->result = ERR_PTR(-EAGAIN); |
|
|
|
keyring = key_ref_to_ptr(keyring_ref); |
|
key_check(keyring); |
|
|
|
if (keyring->type != &key_type_keyring) |
|
return ERR_PTR(-ENOTDIR); |
|
|
|
if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) { |
|
err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH); |
|
if (err < 0) |
|
return ERR_PTR(err); |
|
} |
|
|
|
ctx->now = ktime_get_real_seconds(); |
|
if (search_nested_keyrings(keyring, ctx)) |
|
__key_get(key_ref_to_ptr(ctx->result)); |
|
return ctx->result; |
|
} |
|
|
|
/** |
|
* keyring_search - Search the supplied keyring tree for a matching key |
|
* @keyring: The root of the keyring tree to be searched. |
|
* @type: The type of keyring we want to find. |
|
* @description: The name of the keyring we want to find. |
|
* @recurse: True to search the children of @keyring also |
|
* |
|
* As keyring_search_rcu() above, but using the current task's credentials and |
|
* type's default matching function and preferred search method. |
|
*/ |
|
key_ref_t keyring_search(key_ref_t keyring, |
|
struct key_type *type, |
|
const char *description, |
|
bool recurse) |
|
{ |
|
struct keyring_search_context ctx = { |
|
.index_key.type = type, |
|
.index_key.description = description, |
|
.index_key.desc_len = strlen(description), |
|
.cred = current_cred(), |
|
.match_data.cmp = key_default_cmp, |
|
.match_data.raw_data = description, |
|
.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, |
|
.flags = KEYRING_SEARCH_DO_STATE_CHECK, |
|
}; |
|
key_ref_t key; |
|
int ret; |
|
|
|
if (recurse) |
|
ctx.flags |= KEYRING_SEARCH_RECURSE; |
|
if (type->match_preparse) { |
|
ret = type->match_preparse(&ctx.match_data); |
|
if (ret < 0) |
|
return ERR_PTR(ret); |
|
} |
|
|
|
rcu_read_lock(); |
|
key = keyring_search_rcu(keyring, &ctx); |
|
rcu_read_unlock(); |
|
|
|
if (type->match_free) |
|
type->match_free(&ctx.match_data); |
|
return key; |
|
} |
|
EXPORT_SYMBOL(keyring_search); |
|
|
|
static struct key_restriction *keyring_restriction_alloc( |
|
key_restrict_link_func_t check) |
|
{ |
|
struct key_restriction *keyres = |
|
kzalloc(sizeof(struct key_restriction), GFP_KERNEL); |
|
|
|
if (!keyres) |
|
return ERR_PTR(-ENOMEM); |
|
|
|
keyres->check = check; |
|
|
|
return keyres; |
|
} |
|
|
|
/* |
|
* Semaphore to serialise restriction setup to prevent reference count |
|
* cycles through restriction key pointers. |
|
*/ |
|
static DECLARE_RWSEM(keyring_serialise_restrict_sem); |
|
|
|
/* |
|
* Check for restriction cycles that would prevent keyring garbage collection. |
|
* keyring_serialise_restrict_sem must be held. |
|
*/ |
|
static bool keyring_detect_restriction_cycle(const struct key *dest_keyring, |
|
struct key_restriction *keyres) |
|
{ |
|
while (keyres && keyres->key && |
|
keyres->key->type == &key_type_keyring) { |
|
if (keyres->key == dest_keyring) |
|
return true; |
|
|
|
keyres = keyres->key->restrict_link; |
|
} |
|
|
|
return false; |
|
} |
|
|
|
/** |
|
* keyring_restrict - Look up and apply a restriction to a keyring |
|
* @keyring_ref: The keyring to be restricted |
|
* @type: The key type that will provide the restriction checker. |
|
* @restriction: The restriction options to apply to the keyring |
|
* |
|
* Look up a keyring and apply a restriction to it. The restriction is managed |
|
* by the specific key type, but can be configured by the options specified in |
|
* the restriction string. |
|
*/ |
|
int keyring_restrict(key_ref_t keyring_ref, const char *type, |
|
const char *restriction) |
|
{ |
|
struct key *keyring; |
|
struct key_type *restrict_type = NULL; |
|
struct key_restriction *restrict_link; |
|
int ret = 0; |
|
|
|
keyring = key_ref_to_ptr(keyring_ref); |
|
key_check(keyring); |
|
|
|
if (keyring->type != &key_type_keyring) |
|
return -ENOTDIR; |
|
|
|
if (!type) { |
|
restrict_link = keyring_restriction_alloc(restrict_link_reject); |
|
} else { |
|
restrict_type = key_type_lookup(type); |
|
|
|
if (IS_ERR(restrict_type)) |
|
return PTR_ERR(restrict_type); |
|
|
|
if (!restrict_type->lookup_restriction) { |
|
ret = -ENOENT; |
|
goto error; |
|
} |
|
|
|
restrict_link = restrict_type->lookup_restriction(restriction); |
|
} |
|
|
|
if (IS_ERR(restrict_link)) { |
|
ret = PTR_ERR(restrict_link); |
|
goto error; |
|
} |
|
|
|
down_write(&keyring->sem); |
|
down_write(&keyring_serialise_restrict_sem); |
|
|
|
if (keyring->restrict_link) { |
|
ret = -EEXIST; |
|
} else if (keyring_detect_restriction_cycle(keyring, restrict_link)) { |
|
ret = -EDEADLK; |
|
} else { |
|
keyring->restrict_link = restrict_link; |
|
notify_key(keyring, NOTIFY_KEY_SETATTR, 0); |
|
} |
|
|
|
up_write(&keyring_serialise_restrict_sem); |
|
up_write(&keyring->sem); |
|
|
|
if (ret < 0) { |
|
key_put(restrict_link->key); |
|
kfree(restrict_link); |
|
} |
|
|
|
error: |
|
if (restrict_type) |
|
key_type_put(restrict_type); |
|
|
|
return ret; |
|
} |
|
EXPORT_SYMBOL(keyring_restrict); |
|
|
|
/* |
|
* Search the given keyring for a key that might be updated. |
|
* |
|
* The caller must guarantee that the keyring is a keyring and that the |
|
* permission is granted to modify the keyring as no check is made here. The |
|
* caller must also hold a lock on the keyring semaphore. |
|
* |
|
* Returns a pointer to the found key with usage count incremented if |
|
* successful and returns NULL if not found. Revoked and invalidated keys are |
|
* skipped over. |
|
* |
|
* If successful, the possession indicator is propagated from the keyring ref |
|
* to the returned key reference. |
|
*/ |
|
key_ref_t find_key_to_update(key_ref_t keyring_ref, |
|
const struct keyring_index_key *index_key) |
|
{ |
|
struct key *keyring, *key; |
|
const void *object; |
|
|
|
keyring = key_ref_to_ptr(keyring_ref); |
|
|
|
kenter("{%d},{%s,%s}", |
|
keyring->serial, index_key->type->name, index_key->description); |
|
|
|
object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, |
|
index_key); |
|
|
|
if (object) |
|
goto found; |
|
|
|
kleave(" = NULL"); |
|
return NULL; |
|
|
|
found: |
|
key = keyring_ptr_to_key(object); |
|
if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | |
|
(1 << KEY_FLAG_REVOKED))) { |
|
kleave(" = NULL [x]"); |
|
return NULL; |
|
} |
|
__key_get(key); |
|
kleave(" = {%d}", key->serial); |
|
return make_key_ref(key, is_key_possessed(keyring_ref)); |
|
} |
|
|
|
/* |
|
* Find a keyring with the specified name. |
|
* |
|
* Only keyrings that have nonzero refcount, are not revoked, and are owned by a |
|
* user in the current user namespace are considered. If @uid_keyring is %true, |
|
* the keyring additionally must have been allocated as a user or user session |
|
* keyring; otherwise, it must grant Search permission directly to the caller. |
|
* |
|
* Returns a pointer to the keyring with the keyring's refcount having being |
|
* incremented on success. -ENOKEY is returned if a key could not be found. |
|
*/ |
|
struct key *find_keyring_by_name(const char *name, bool uid_keyring) |
|
{ |
|
struct user_namespace *ns = current_user_ns(); |
|
struct key *keyring; |
|
|
|
if (!name) |
|
return ERR_PTR(-EINVAL); |
|
|
|
read_lock(&keyring_name_lock); |
|
|
|
/* Search this hash bucket for a keyring with a matching name that |
|
* grants Search permission and that hasn't been revoked |
|
*/ |
|
list_for_each_entry(keyring, &ns->keyring_name_list, name_link) { |
|
if (!kuid_has_mapping(ns, keyring->user->uid)) |
|
continue; |
|
|
|
if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) |
|
continue; |
|
|
|
if (strcmp(keyring->description, name) != 0) |
|
continue; |
|
|
|
if (uid_keyring) { |
|
if (!test_bit(KEY_FLAG_UID_KEYRING, |
|
&keyring->flags)) |
|
continue; |
|
} else { |
|
if (key_permission(make_key_ref(keyring, 0), |
|
KEY_NEED_SEARCH) < 0) |
|
continue; |
|
} |
|
|
|
/* we've got a match but we might end up racing with |
|
* key_cleanup() if the keyring is currently 'dead' |
|
* (ie. it has a zero usage count) */ |
|
if (!refcount_inc_not_zero(&keyring->usage)) |
|
continue; |
|
keyring->last_used_at = ktime_get_real_seconds(); |
|
goto out; |
|
} |
|
|
|
keyring = ERR_PTR(-ENOKEY); |
|
out: |
|
read_unlock(&keyring_name_lock); |
|
return keyring; |
|
} |
|
|
|
static int keyring_detect_cycle_iterator(const void *object, |
|
void *iterator_data) |
|
{ |
|
struct keyring_search_context *ctx = iterator_data; |
|
const struct key *key = keyring_ptr_to_key(object); |
|
|
|
kenter("{%d}", key->serial); |
|
|
|
/* We might get a keyring with matching index-key that is nonetheless a |
|
* different keyring. */ |
|
if (key != ctx->match_data.raw_data) |
|
return 0; |
|
|
|
ctx->result = ERR_PTR(-EDEADLK); |
|
return 1; |
|
} |
|
|
|
/* |
|
* See if a cycle will be created by inserting acyclic tree B in acyclic |
|
* tree A at the topmost level (ie: as a direct child of A). |
|
* |
|
* Since we are adding B to A at the top level, checking for cycles should just |
|
* be a matter of seeing if node A is somewhere in tree B. |
|
*/ |
|
static int keyring_detect_cycle(struct key *A, struct key *B) |
|
{ |
|
struct keyring_search_context ctx = { |
|
.index_key = A->index_key, |
|
.match_data.raw_data = A, |
|
.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, |
|
.iterator = keyring_detect_cycle_iterator, |
|
.flags = (KEYRING_SEARCH_NO_STATE_CHECK | |
|
KEYRING_SEARCH_NO_UPDATE_TIME | |
|
KEYRING_SEARCH_NO_CHECK_PERM | |
|
KEYRING_SEARCH_DETECT_TOO_DEEP | |
|
KEYRING_SEARCH_RECURSE), |
|
}; |
|
|
|
rcu_read_lock(); |
|
search_nested_keyrings(B, &ctx); |
|
rcu_read_unlock(); |
|
return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result); |
|
} |
|
|
|
/* |
|
* Lock keyring for link. |
|
*/ |
|
int __key_link_lock(struct key *keyring, |
|
const struct keyring_index_key *index_key) |
|
__acquires(&keyring->sem) |
|
__acquires(&keyring_serialise_link_lock) |
|
{ |
|
if (keyring->type != &key_type_keyring) |
|
return -ENOTDIR; |
|
|
|
down_write(&keyring->sem); |
|
|
|
/* Serialise link/link calls to prevent parallel calls causing a cycle |
|
* when linking two keyring in opposite orders. |
|
*/ |
|
if (index_key->type == &key_type_keyring) |
|
mutex_lock(&keyring_serialise_link_lock); |
|
|
|
return 0; |
|
} |
|
|
|
/* |
|
* Lock keyrings for move (link/unlink combination). |
|
*/ |
|
int __key_move_lock(struct key *l_keyring, struct key *u_keyring, |
|
const struct keyring_index_key *index_key) |
|
__acquires(&l_keyring->sem) |
|
__acquires(&u_keyring->sem) |
|
__acquires(&keyring_serialise_link_lock) |
|
{ |
|
if (l_keyring->type != &key_type_keyring || |
|
u_keyring->type != &key_type_keyring) |
|
return -ENOTDIR; |
|
|
|
/* We have to be very careful here to take the keyring locks in the |
|
* right order, lest we open ourselves to deadlocking against another |
|
* move operation. |
|
*/ |
|
if (l_keyring < u_keyring) { |
|
down_write(&l_keyring->sem); |
|
down_write_nested(&u_keyring->sem, 1); |
|
} else { |
|
down_write(&u_keyring->sem); |
|
down_write_nested(&l_keyring->sem, 1); |
|
} |
|
|
|
/* Serialise link/link calls to prevent parallel calls causing a cycle |
|
* when linking two keyring in opposite orders. |
|
*/ |
|
if (index_key->type == &key_type_keyring) |
|
mutex_lock(&keyring_serialise_link_lock); |
|
|
|
return 0; |
|
} |
|
|
|
/* |
|
* Preallocate memory so that a key can be linked into to a keyring. |
|
*/ |
|
int __key_link_begin(struct key *keyring, |
|
const struct keyring_index_key *index_key, |
|
struct assoc_array_edit **_edit) |
|
{ |
|
struct assoc_array_edit *edit; |
|
int ret; |
|
|
|
kenter("%d,%s,%s,", |
|
keyring->serial, index_key->type->name, index_key->description); |
|
|
|
BUG_ON(index_key->desc_len == 0); |
|
BUG_ON(*_edit != NULL); |
|
|
|
*_edit = NULL; |
|
|
|
ret = -EKEYREVOKED; |
|
if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) |
|
goto error; |
|
|
|
/* Create an edit script that will insert/replace the key in the |
|
* keyring tree. |
|
*/ |
|
edit = assoc_array_insert(&keyring->keys, |
|
&keyring_assoc_array_ops, |
|
index_key, |
|
NULL); |
|
if (IS_ERR(edit)) { |
|
ret = PTR_ERR(edit); |
|
goto error; |
|
} |
|
|
|
/* If we're not replacing a link in-place then we're going to need some |
|
* extra quota. |
|
*/ |
|
if (!edit->dead_leaf) { |
|
ret = key_payload_reserve(keyring, |
|
keyring->datalen + KEYQUOTA_LINK_BYTES); |
|
if (ret < 0) |
|
goto error_cancel; |
|
} |
|
|
|
*_edit = edit; |
|
kleave(" = 0"); |
|
return 0; |
|
|
|
error_cancel: |
|
assoc_array_cancel_edit(edit); |
|
error: |
|
kleave(" = %d", ret); |
|
return ret; |
|
} |
|
|
|
/* |
|
* Check already instantiated keys aren't going to be a problem. |
|
* |
|
* The caller must have called __key_link_begin(). Don't need to call this for |
|
* keys that were created since __key_link_begin() was called. |
|
*/ |
|
int __key_link_check_live_key(struct key *keyring, struct key *key) |
|
{ |
|
if (key->type == &key_type_keyring) |
|
/* check that we aren't going to create a cycle by linking one |
|
* keyring to another */ |
|
return keyring_detect_cycle(keyring, key); |
|
return 0; |
|
} |
|
|
|
/* |
|
* Link a key into to a keyring. |
|
* |
|
* Must be called with __key_link_begin() having being called. Discards any |
|
* already extant link to matching key if there is one, so that each keyring |
|
* holds at most one link to any given key of a particular type+description |
|
* combination. |
|
*/ |
|
void __key_link(struct key *keyring, struct key *key, |
|
struct assoc_array_edit **_edit) |
|
{ |
|
__key_get(key); |
|
assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key)); |
|
assoc_array_apply_edit(*_edit); |
|
*_edit = NULL; |
|
notify_key(keyring, NOTIFY_KEY_LINKED, key_serial(key)); |
|
} |
|
|
|
/* |
|
* Finish linking a key into to a keyring. |
|
* |
|
* Must be called with __key_link_begin() having being called. |
|
*/ |
|
void __key_link_end(struct key *keyring, |
|
const struct keyring_index_key *index_key, |
|
struct assoc_array_edit *edit) |
|
__releases(&keyring->sem) |
|
__releases(&keyring_serialise_link_lock) |
|
{ |
|
BUG_ON(index_key->type == NULL); |
|
kenter("%d,%s,", keyring->serial, index_key->type->name); |
|
|
|
if (edit) { |
|
if (!edit->dead_leaf) { |
|
key_payload_reserve(keyring, |
|
keyring->datalen - KEYQUOTA_LINK_BYTES); |
|
} |
|
assoc_array_cancel_edit(edit); |
|
} |
|
up_write(&keyring->sem); |
|
|
|
if (index_key->type == &key_type_keyring) |
|
mutex_unlock(&keyring_serialise_link_lock); |
|
} |
|
|
|
/* |
|
* Check addition of keys to restricted keyrings. |
|
*/ |
|
static int __key_link_check_restriction(struct key *keyring, struct key *key) |
|
{ |
|
if (!keyring->restrict_link || !keyring->restrict_link->check) |
|
return 0; |
|
return keyring->restrict_link->check(keyring, key->type, &key->payload, |
|
keyring->restrict_link->key); |
|
} |
|
|
|
/** |
|
* key_link - Link a key to a keyring |
|
* @keyring: The keyring to make the link in. |
|
* @key: The key to link to. |
|
* |
|
* Make a link in a keyring to a key, such that the keyring holds a reference |
|
* on that key and the key can potentially be found by searching that keyring. |
|
* |
|
* This function will write-lock the keyring's semaphore and will consume some |
|
* of the user's key data quota to hold the link. |
|
* |
|
* Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, |
|
* -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is |
|
* full, -EDQUOT if there is insufficient key data quota remaining to add |
|
* another link or -ENOMEM if there's insufficient memory. |
|
* |
|
* It is assumed that the caller has checked that it is permitted for a link to |
|
* be made (the keyring should have Write permission and the key Link |
|
* permission). |
|
*/ |
|
int key_link(struct key *keyring, struct key *key) |
|
{ |
|
struct assoc_array_edit *edit = NULL; |
|
int ret; |
|
|
|
kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage)); |
|
|
|
key_check(keyring); |
|
key_check(key); |
|
|
|
ret = __key_link_lock(keyring, &key->index_key); |
|
if (ret < 0) |
|
goto error; |
|
|
|
ret = __key_link_begin(keyring, &key->index_key, &edit); |
|
if (ret < 0) |
|
goto error_end; |
|
|
|
kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage)); |
|
ret = __key_link_check_restriction(keyring, key); |
|
if (ret == 0) |
|
ret = __key_link_check_live_key(keyring, key); |
|
if (ret == 0) |
|
__key_link(keyring, key, &edit); |
|
|
|
error_end: |
|
__key_link_end(keyring, &key->index_key, edit); |
|
error: |
|
kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage)); |
|
return ret; |
|
} |
|
EXPORT_SYMBOL(key_link); |
|
|
|
/* |
|
* Lock a keyring for unlink. |
|
*/ |
|
static int __key_unlink_lock(struct key *keyring) |
|
__acquires(&keyring->sem) |
|
{ |
|
if (keyring->type != &key_type_keyring) |
|
return -ENOTDIR; |
|
|
|
down_write(&keyring->sem); |
|
return 0; |
|
} |
|
|
|
/* |
|
* Begin the process of unlinking a key from a keyring. |
|
*/ |
|
static int __key_unlink_begin(struct key *keyring, struct key *key, |
|
struct assoc_array_edit **_edit) |
|
{ |
|
struct assoc_array_edit *edit; |
|
|
|
BUG_ON(*_edit != NULL); |
|
|
|
edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, |
|
&key->index_key); |
|
if (IS_ERR(edit)) |
|
return PTR_ERR(edit); |
|
|
|
if (!edit) |
|
return -ENOENT; |
|
|
|
*_edit = edit; |
|
return 0; |
|
} |
|
|
|
/* |
|
* Apply an unlink change. |
|
*/ |
|
static void __key_unlink(struct key *keyring, struct key *key, |
|
struct assoc_array_edit **_edit) |
|
{ |
|
assoc_array_apply_edit(*_edit); |
|
notify_key(keyring, NOTIFY_KEY_UNLINKED, key_serial(key)); |
|
*_edit = NULL; |
|
key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); |
|
} |
|
|
|
/* |
|
* Finish unlinking a key from to a keyring. |
|
*/ |
|
static void __key_unlink_end(struct key *keyring, |
|
struct key *key, |
|
struct assoc_array_edit *edit) |
|
__releases(&keyring->sem) |
|
{ |
|
if (edit) |
|
assoc_array_cancel_edit(edit); |
|
up_write(&keyring->sem); |
|
} |
|
|
|
/** |
|
* key_unlink - Unlink the first link to a key from a keyring. |
|
* @keyring: The keyring to remove the link from. |
|
* @key: The key the link is to. |
|
* |
|
* Remove a link from a keyring to a key. |
|
* |
|
* This function will write-lock the keyring's semaphore. |
|
* |
|
* Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if |
|
* the key isn't linked to by the keyring or -ENOMEM if there's insufficient |
|
* memory. |
|
* |
|
* It is assumed that the caller has checked that it is permitted for a link to |
|
* be removed (the keyring should have Write permission; no permissions are |
|
* required on the key). |
|
*/ |
|
int key_unlink(struct key *keyring, struct key *key) |
|
{ |
|
struct assoc_array_edit *edit = NULL; |
|
int ret; |
|
|
|
key_check(keyring); |
|
key_check(key); |
|
|
|
ret = __key_unlink_lock(keyring); |
|
if (ret < 0) |
|
return ret; |
|
|
|
ret = __key_unlink_begin(keyring, key, &edit); |
|
if (ret == 0) |
|
__key_unlink(keyring, key, &edit); |
|
__key_unlink_end(keyring, key, edit); |
|
return ret; |
|
} |
|
EXPORT_SYMBOL(key_unlink); |
|
|
|
/** |
|
* key_move - Move a key from one keyring to another |
|
* @key: The key to move |
|
* @from_keyring: The keyring to remove the link from. |
|
* @to_keyring: The keyring to make the link in. |
|
* @flags: Qualifying flags, such as KEYCTL_MOVE_EXCL. |
|
* |
|
* Make a link in @to_keyring to a key, such that the keyring holds a reference |
|
* on that key and the key can potentially be found by searching that keyring |
|
* whilst simultaneously removing a link to the key from @from_keyring. |
|
* |
|
* This function will write-lock both keyring's semaphores and will consume |
|
* some of the user's key data quota to hold the link on @to_keyring. |
|
* |
|
* Returns 0 if successful, -ENOTDIR if either keyring isn't a keyring, |
|
* -EKEYREVOKED if either keyring has been revoked, -ENFILE if the second |
|
* keyring is full, -EDQUOT if there is insufficient key data quota remaining |
|
* to add another link or -ENOMEM if there's insufficient memory. If |
|
* KEYCTL_MOVE_EXCL is set, then -EEXIST will be returned if there's already a |
|
* matching key in @to_keyring. |
|
* |
|
* It is assumed that the caller has checked that it is permitted for a link to |
|
* be made (the keyring should have Write permission and the key Link |
|
* permission). |
|
*/ |
|
int key_move(struct key *key, |
|
struct key *from_keyring, |
|
struct key *to_keyring, |
|
unsigned int flags) |
|
{ |
|
struct assoc_array_edit *from_edit = NULL, *to_edit = NULL; |
|
int ret; |
|
|
|
kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial); |
|
|
|
if (from_keyring == to_keyring) |
|
return 0; |
|
|
|
key_check(key); |
|
key_check(from_keyring); |
|
key_check(to_keyring); |
|
|
|
ret = __key_move_lock(from_keyring, to_keyring, &key->index_key); |
|
if (ret < 0) |
|
goto out; |
|
ret = __key_unlink_begin(from_keyring, key, &from_edit); |
|
if (ret < 0) |
|
goto error; |
|
ret = __key_link_begin(to_keyring, &key->index_key, &to_edit); |
|
if (ret < 0) |
|
goto error; |
|
|
|
ret = -EEXIST; |
|
if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL)) |
|
goto error; |
|
|
|
ret = __key_link_check_restriction(to_keyring, key); |
|
if (ret < 0) |
|
goto error; |
|
ret = __key_link_check_live_key(to_keyring, key); |
|
if (ret < 0) |
|
goto error; |
|
|
|
__key_unlink(from_keyring, key, &from_edit); |
|
__key_link(to_keyring, key, &to_edit); |
|
error: |
|
__key_link_end(to_keyring, &key->index_key, to_edit); |
|
__key_unlink_end(from_keyring, key, from_edit); |
|
out: |
|
kleave(" = %d", ret); |
|
return ret; |
|
} |
|
EXPORT_SYMBOL(key_move); |
|
|
|
/** |
|
* keyring_clear - Clear a keyring |
|
* @keyring: The keyring to clear. |
|
* |
|
* Clear the contents of the specified keyring. |
|
* |
|
* Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. |
|
*/ |
|
int keyring_clear(struct key *keyring) |
|
{ |
|
struct assoc_array_edit *edit; |
|
int ret; |
|
|
|
if (keyring->type != &key_type_keyring) |
|
return -ENOTDIR; |
|
|
|
down_write(&keyring->sem); |
|
|
|
edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); |
|
if (IS_ERR(edit)) { |
|
ret = PTR_ERR(edit); |
|
} else { |
|
if (edit) |
|
assoc_array_apply_edit(edit); |
|
notify_key(keyring, NOTIFY_KEY_CLEARED, 0); |
|
key_payload_reserve(keyring, 0); |
|
ret = 0; |
|
} |
|
|
|
up_write(&keyring->sem); |
|
return ret; |
|
} |
|
EXPORT_SYMBOL(keyring_clear); |
|
|
|
/* |
|
* Dispose of the links from a revoked keyring. |
|
* |
|
* This is called with the key sem write-locked. |
|
*/ |
|
static void keyring_revoke(struct key *keyring) |
|
{ |
|
struct assoc_array_edit *edit; |
|
|
|
edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); |
|
if (!IS_ERR(edit)) { |
|
if (edit) |
|
assoc_array_apply_edit(edit); |
|
key_payload_reserve(keyring, 0); |
|
} |
|
} |
|
|
|
static bool keyring_gc_select_iterator(void *object, void *iterator_data) |
|
{ |
|
struct key *key = keyring_ptr_to_key(object); |
|
time64_t *limit = iterator_data; |
|
|
|
if (key_is_dead(key, *limit)) |
|
return false; |
|
key_get(key); |
|
return true; |
|
} |
|
|
|
static int keyring_gc_check_iterator(const void *object, void *iterator_data) |
|
{ |
|
const struct key *key = keyring_ptr_to_key(object); |
|
time64_t *limit = iterator_data; |
|
|
|
key_check(key); |
|
return key_is_dead(key, *limit); |
|
} |
|
|
|
/* |
|
* Garbage collect pointers from a keyring. |
|
* |
|
* Not called with any locks held. The keyring's key struct will not be |
|
* deallocated under us as only our caller may deallocate it. |
|
*/ |
|
void keyring_gc(struct key *keyring, time64_t limit) |
|
{ |
|
int result; |
|
|
|
kenter("%x{%s}", keyring->serial, keyring->description ?: ""); |
|
|
|
if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | |
|
(1 << KEY_FLAG_REVOKED))) |
|
goto dont_gc; |
|
|
|
/* scan the keyring looking for dead keys */ |
|
rcu_read_lock(); |
|
result = assoc_array_iterate(&keyring->keys, |
|
keyring_gc_check_iterator, &limit); |
|
rcu_read_unlock(); |
|
if (result == true) |
|
goto do_gc; |
|
|
|
dont_gc: |
|
kleave(" [no gc]"); |
|
return; |
|
|
|
do_gc: |
|
down_write(&keyring->sem); |
|
assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, |
|
keyring_gc_select_iterator, &limit); |
|
up_write(&keyring->sem); |
|
kleave(" [gc]"); |
|
} |
|
|
|
/* |
|
* Garbage collect restriction pointers from a keyring. |
|
* |
|
* Keyring restrictions are associated with a key type, and must be cleaned |
|
* up if the key type is unregistered. The restriction is altered to always |
|
* reject additional keys so a keyring cannot be opened up by unregistering |
|
* a key type. |
|
* |
|
* Not called with any keyring locks held. The keyring's key struct will not |
|
* be deallocated under us as only our caller may deallocate it. |
|
* |
|
* The caller is required to hold key_types_sem and dead_type->sem. This is |
|
* fulfilled by key_gc_keytype() holding the locks on behalf of |
|
* key_garbage_collector(), which it invokes on a workqueue. |
|
*/ |
|
void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type) |
|
{ |
|
struct key_restriction *keyres; |
|
|
|
kenter("%x{%s}", keyring->serial, keyring->description ?: ""); |
|
|
|
/* |
|
* keyring->restrict_link is only assigned at key allocation time |
|
* or with the key type locked, so the only values that could be |
|
* concurrently assigned to keyring->restrict_link are for key |
|
* types other than dead_type. Given this, it's ok to check |
|
* the key type before acquiring keyring->sem. |
|
*/ |
|
if (!dead_type || !keyring->restrict_link || |
|
keyring->restrict_link->keytype != dead_type) { |
|
kleave(" [no restriction gc]"); |
|
return; |
|
} |
|
|
|
/* Lock the keyring to ensure that a link is not in progress */ |
|
down_write(&keyring->sem); |
|
|
|
keyres = keyring->restrict_link; |
|
|
|
keyres->check = restrict_link_reject; |
|
|
|
key_put(keyres->key); |
|
keyres->key = NULL; |
|
keyres->keytype = NULL; |
|
|
|
up_write(&keyring->sem); |
|
|
|
kleave(" [restriction gc]"); |
|
}
|
|
|