Root/security/keys/keyring.c

Source at commit be977234bfb4a6dca8a39e7c52165e4cd536ad71 created 9 years 5 months ago.
By Lars-Peter Clausen, jz4740: Fix compile error
1/* Keyring handling
2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sched.h>
15#include <linux/slab.h>
16#include <linux/security.h>
17#include <linux/seq_file.h>
18#include <linux/err.h>
19#include <keys/keyring-type.h>
20#include <linux/uaccess.h>
21#include "internal.h"
22
23#define rcu_dereference_locked_keyring(keyring) \
24    (rcu_dereference_protected( \
25        (keyring)->payload.subscriptions, \
26        rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27
28#define KEY_LINK_FIXQUOTA 1UL
29
30/*
31 * When plumbing the depths of the key tree, this sets a hard limit
32 * set on how deep we're willing to go.
33 */
34#define KEYRING_SEARCH_MAX_DEPTH 6
35
36/*
37 * We keep all named keyrings in a hash to speed looking them up.
38 */
39#define KEYRING_NAME_HASH_SIZE (1 << 5)
40
41static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
42static DEFINE_RWLOCK(keyring_name_lock);
43
44static inline unsigned keyring_hash(const char *desc)
45{
46    unsigned bucket = 0;
47
48    for (; *desc; desc++)
49        bucket += (unsigned char)*desc;
50
51    return bucket & (KEYRING_NAME_HASH_SIZE - 1);
52}
53
54/*
55 * The keyring key type definition. Keyrings are simply keys of this type and
56 * can be treated as ordinary keys in addition to having their own special
57 * operations.
58 */
59static int keyring_instantiate(struct key *keyring,
60                   const void *data, size_t datalen);
61static int keyring_match(const struct key *keyring, const void *criterion);
62static void keyring_revoke(struct key *keyring);
63static void keyring_destroy(struct key *keyring);
64static void keyring_describe(const struct key *keyring, struct seq_file *m);
65static long keyring_read(const struct key *keyring,
66             char __user *buffer, size_t buflen);
67
68struct key_type key_type_keyring = {
69    .name = "keyring",
70    .def_datalen = sizeof(struct keyring_list),
71    .instantiate = keyring_instantiate,
72    .match = keyring_match,
73    .revoke = keyring_revoke,
74    .destroy = keyring_destroy,
75    .describe = keyring_describe,
76    .read = keyring_read,
77};
78EXPORT_SYMBOL(key_type_keyring);
79
80/*
81 * Semaphore to serialise link/link calls to prevent two link calls in parallel
82 * introducing a cycle.
83 */
84static DECLARE_RWSEM(keyring_serialise_link_sem);
85
86/*
87 * Publish the name of a keyring so that it can be found by name (if it has
88 * one).
89 */
90static void keyring_publish_name(struct key *keyring)
91{
92    int bucket;
93
94    if (keyring->description) {
95        bucket = keyring_hash(keyring->description);
96
97        write_lock(&keyring_name_lock);
98
99        if (!keyring_name_hash[bucket].next)
100            INIT_LIST_HEAD(&keyring_name_hash[bucket]);
101
102        list_add_tail(&keyring->type_data.link,
103                  &keyring_name_hash[bucket]);
104
105        write_unlock(&keyring_name_lock);
106    }
107}
108
109/*
110 * Initialise a keyring.
111 *
112 * Returns 0 on success, -EINVAL if given any data.
113 */
114static int keyring_instantiate(struct key *keyring,
115                   const void *data, size_t datalen)
116{
117    int ret;
118
119    ret = -EINVAL;
120    if (datalen == 0) {
121        /* make the keyring available by name if it has one */
122        keyring_publish_name(keyring);
123        ret = 0;
124    }
125
126    return ret;
127}
128
129/*
130 * Match keyrings on their name
131 */
132static int keyring_match(const struct key *keyring, const void *description)
133{
134    return keyring->description &&
135        strcmp(keyring->description, description) == 0;
136}
137
138/*
139 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
140 * and dispose of its data.
141 */
142static void keyring_destroy(struct key *keyring)
143{
144    struct keyring_list *klist;
145    int loop;
146
147    if (keyring->description) {
148        write_lock(&keyring_name_lock);
149
150        if (keyring->type_data.link.next != NULL &&
151            !list_empty(&keyring->type_data.link))
152            list_del(&keyring->type_data.link);
153
154        write_unlock(&keyring_name_lock);
155    }
156
157    klist = rcu_dereference_check(keyring->payload.subscriptions,
158                      rcu_read_lock_held() ||
159                      atomic_read(&keyring->usage) == 0);
160    if (klist) {
161        for (loop = klist->nkeys - 1; loop >= 0; loop--)
162            key_put(klist->keys[loop]);
163        kfree(klist);
164    }
165}
166
167/*
168 * Describe a keyring for /proc.
169 */
170static void keyring_describe(const struct key *keyring, struct seq_file *m)
171{
172    struct keyring_list *klist;
173
174    if (keyring->description)
175        seq_puts(m, keyring->description);
176    else
177        seq_puts(m, "[anon]");
178
179    rcu_read_lock();
180    klist = rcu_dereference(keyring->payload.subscriptions);
181    if (klist)
182        seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
183    else
184        seq_puts(m, ": empty");
185    rcu_read_unlock();
186}
187
188/*
189 * Read a list of key IDs from the keyring's contents in binary form
190 *
191 * The keyring's semaphore is read-locked by the caller.
192 */
193static long keyring_read(const struct key *keyring,
194             char __user *buffer, size_t buflen)
195{
196    struct keyring_list *klist;
197    struct key *key;
198    size_t qty, tmp;
199    int loop, ret;
200
201    ret = 0;
202    klist = rcu_dereference_locked_keyring(keyring);
203    if (klist) {
204        /* calculate how much data we could return */
205        qty = klist->nkeys * sizeof(key_serial_t);
206
207        if (buffer && buflen > 0) {
208            if (buflen > qty)
209                buflen = qty;
210
211            /* copy the IDs of the subscribed keys into the
212             * buffer */
213            ret = -EFAULT;
214
215            for (loop = 0; loop < klist->nkeys; loop++) {
216                key = klist->keys[loop];
217
218                tmp = sizeof(key_serial_t);
219                if (tmp > buflen)
220                    tmp = buflen;
221
222                if (copy_to_user(buffer,
223                         &key->serial,
224                         tmp) != 0)
225                    goto error;
226
227                buflen -= tmp;
228                if (buflen == 0)
229                    break;
230                buffer += tmp;
231            }
232        }
233
234        ret = qty;
235    }
236
237error:
238    return ret;
239}
240
241/*
242 * Allocate a keyring and link into the destination keyring.
243 */
244struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
245              const struct cred *cred, unsigned long flags,
246              struct key *dest)
247{
248    struct key *keyring;
249    int ret;
250
251    keyring = key_alloc(&key_type_keyring, description,
252                uid, gid, cred,
253                (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
254                flags);
255
256    if (!IS_ERR(keyring)) {
257        ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
258        if (ret < 0) {
259            key_put(keyring);
260            keyring = ERR_PTR(ret);
261        }
262    }
263
264    return keyring;
265}
266
267/**
268 * keyring_search_aux - Search a keyring tree for a key matching some criteria
269 * @keyring_ref: A pointer to the keyring with possession indicator.
270 * @cred: The credentials to use for permissions checks.
271 * @type: The type of key to search for.
272 * @description: Parameter for @match.
273 * @match: Function to rule on whether or not a key is the one required.
274 *
275 * Search the supplied keyring tree for a key that matches the criteria given.
276 * The root keyring and any linked keyrings must grant Search permission to the
277 * caller to be searchable and keys can only be found if they too grant Search
278 * to the caller. The possession flag on the root keyring pointer controls use
279 * of the possessor bits in permissions checking of the entire tree. In
280 * addition, the LSM gets to forbid keyring searches and key matches.
281 *
282 * The search is performed as a breadth-then-depth search up to the prescribed
283 * limit (KEYRING_SEARCH_MAX_DEPTH).
284 *
285 * Keys are matched to the type provided and are then filtered by the match
286 * function, which is given the description to use in any way it sees fit. The
287 * match function may use any attributes of a key that it wishes to to
288 * determine the match. Normally the match function from the key type would be
289 * used.
290 *
291 * RCU is used to prevent the keyring key lists from disappearing without the
292 * need to take lots of locks.
293 *
294 * Returns a pointer to the found key and increments the key usage count if
295 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
296 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
297 * specified keyring wasn't a keyring.
298 *
299 * In the case of a successful return, the possession attribute from
300 * @keyring_ref is propagated to the returned key reference.
301 */
302key_ref_t keyring_search_aux(key_ref_t keyring_ref,
303                 const struct cred *cred,
304                 struct key_type *type,
305                 const void *description,
306                 key_match_func_t match)
307{
308    struct {
309        struct keyring_list *keylist;
310        int kix;
311    } stack[KEYRING_SEARCH_MAX_DEPTH];
312
313    struct keyring_list *keylist;
314    struct timespec now;
315    unsigned long possessed, kflags;
316    struct key *keyring, *key;
317    key_ref_t key_ref;
318    long err;
319    int sp, kix;
320
321    keyring = key_ref_to_ptr(keyring_ref);
322    possessed = is_key_possessed(keyring_ref);
323    key_check(keyring);
324
325    /* top keyring must have search permission to begin the search */
326    err = key_task_permission(keyring_ref, cred, KEY_SEARCH);
327    if (err < 0) {
328        key_ref = ERR_PTR(err);
329        goto error;
330    }
331
332    key_ref = ERR_PTR(-ENOTDIR);
333    if (keyring->type != &key_type_keyring)
334        goto error;
335
336    rcu_read_lock();
337
338    now = current_kernel_time();
339    err = -EAGAIN;
340    sp = 0;
341
342    /* firstly we should check to see if this top-level keyring is what we
343     * are looking for */
344    key_ref = ERR_PTR(-EAGAIN);
345    kflags = keyring->flags;
346    if (keyring->type == type && match(keyring, description)) {
347        key = keyring;
348
349        /* check it isn't negative and hasn't expired or been
350         * revoked */
351        if (kflags & (1 << KEY_FLAG_REVOKED))
352            goto error_2;
353        if (key->expiry && now.tv_sec >= key->expiry)
354            goto error_2;
355        key_ref = ERR_PTR(key->type_data.reject_error);
356        if (kflags & (1 << KEY_FLAG_NEGATIVE))
357            goto error_2;
358        goto found;
359    }
360
361    /* otherwise, the top keyring must not be revoked, expired, or
362     * negatively instantiated if we are to search it */
363    key_ref = ERR_PTR(-EAGAIN);
364    if (kflags & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_NEGATIVE)) ||
365        (keyring->expiry && now.tv_sec >= keyring->expiry))
366        goto error_2;
367
368    /* start processing a new keyring */
369descend:
370    if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
371        goto not_this_keyring;
372
373    keylist = rcu_dereference(keyring->payload.subscriptions);
374    if (!keylist)
375        goto not_this_keyring;
376
377    /* iterate through the keys in this keyring first */
378    for (kix = 0; kix < keylist->nkeys; kix++) {
379        key = keylist->keys[kix];
380        kflags = key->flags;
381
382        /* ignore keys not of this type */
383        if (key->type != type)
384            continue;
385
386        /* skip revoked keys and expired keys */
387        if (kflags & (1 << KEY_FLAG_REVOKED))
388            continue;
389
390        if (key->expiry && now.tv_sec >= key->expiry)
391            continue;
392
393        /* keys that don't match */
394        if (!match(key, description))
395            continue;
396
397        /* key must have search permissions */
398        if (key_task_permission(make_key_ref(key, possessed),
399                    cred, KEY_SEARCH) < 0)
400            continue;
401
402        /* we set a different error code if we pass a negative key */
403        if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
404            err = key->type_data.reject_error;
405            continue;
406        }
407
408        goto found;
409    }
410
411    /* search through the keyrings nested in this one */
412    kix = 0;
413ascend:
414    for (; kix < keylist->nkeys; kix++) {
415        key = keylist->keys[kix];
416        if (key->type != &key_type_keyring)
417            continue;
418
419        /* recursively search nested keyrings
420         * - only search keyrings for which we have search permission
421         */
422        if (sp >= KEYRING_SEARCH_MAX_DEPTH)
423            continue;
424
425        if (key_task_permission(make_key_ref(key, possessed),
426                    cred, KEY_SEARCH) < 0)
427            continue;
428
429        /* stack the current position */
430        stack[sp].keylist = keylist;
431        stack[sp].kix = kix;
432        sp++;
433
434        /* begin again with the new keyring */
435        keyring = key;
436        goto descend;
437    }
438
439    /* the keyring we're looking at was disqualified or didn't contain a
440     * matching key */
441not_this_keyring:
442    if (sp > 0) {
443        /* resume the processing of a keyring higher up in the tree */
444        sp--;
445        keylist = stack[sp].keylist;
446        kix = stack[sp].kix + 1;
447        goto ascend;
448    }
449
450    key_ref = ERR_PTR(err);
451    goto error_2;
452
453    /* we found a viable match */
454found:
455    atomic_inc(&key->usage);
456    key_check(key);
457    key_ref = make_key_ref(key, possessed);
458error_2:
459    rcu_read_unlock();
460error:
461    return key_ref;
462}
463
464/**
465 * keyring_search - Search the supplied keyring tree for a matching key
466 * @keyring: The root of the keyring tree to be searched.
467 * @type: The type of keyring we want to find.
468 * @description: The name of the keyring we want to find.
469 *
470 * As keyring_search_aux() above, but using the current task's credentials and
471 * type's default matching function.
472 */
473key_ref_t keyring_search(key_ref_t keyring,
474             struct key_type *type,
475             const char *description)
476{
477    if (!type->match)
478        return ERR_PTR(-ENOKEY);
479
480    return keyring_search_aux(keyring, current->cred,
481                  type, description, type->match);
482}
483EXPORT_SYMBOL(keyring_search);
484
485/*
486 * Search the given keyring only (no recursion).
487 *
488 * The caller must guarantee that the keyring is a keyring and that the
489 * permission is granted to search the keyring as no check is made here.
490 *
491 * RCU is used to make it unnecessary to lock the keyring key list here.
492 *
493 * Returns a pointer to the found key with usage count incremented if
494 * successful and returns -ENOKEY if not found. Revoked keys and keys not
495 * providing the requested permission are skipped over.
496 *
497 * If successful, the possession indicator is propagated from the keyring ref
498 * to the returned key reference.
499 */
500key_ref_t __keyring_search_one(key_ref_t keyring_ref,
501                   const struct key_type *ktype,
502                   const char *description,
503                   key_perm_t perm)
504{
505    struct keyring_list *klist;
506    unsigned long possessed;
507    struct key *keyring, *key;
508    int loop;
509
510    keyring = key_ref_to_ptr(keyring_ref);
511    possessed = is_key_possessed(keyring_ref);
512
513    rcu_read_lock();
514
515    klist = rcu_dereference(keyring->payload.subscriptions);
516    if (klist) {
517        for (loop = 0; loop < klist->nkeys; loop++) {
518            key = klist->keys[loop];
519
520            if (key->type == ktype &&
521                (!key->type->match ||
522                 key->type->match(key, description)) &&
523                key_permission(make_key_ref(key, possessed),
524                       perm) == 0 &&
525                !test_bit(KEY_FLAG_REVOKED, &key->flags)
526                )
527                goto found;
528        }
529    }
530
531    rcu_read_unlock();
532    return ERR_PTR(-ENOKEY);
533
534found:
535    atomic_inc(&key->usage);
536    rcu_read_unlock();
537    return make_key_ref(key, possessed);
538}
539
540/*
541 * Find a keyring with the specified name.
542 *
543 * All named keyrings in the current user namespace are searched, provided they
544 * grant Search permission directly to the caller (unless this check is
545 * skipped). Keyrings whose usage points have reached zero or who have been
546 * revoked are skipped.
547 *
548 * Returns a pointer to the keyring with the keyring's refcount having being
549 * incremented on success. -ENOKEY is returned if a key could not be found.
550 */
551struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
552{
553    struct key *keyring;
554    int bucket;
555
556    if (!name)
557        return ERR_PTR(-EINVAL);
558
559    bucket = keyring_hash(name);
560
561    read_lock(&keyring_name_lock);
562
563    if (keyring_name_hash[bucket].next) {
564        /* search this hash bucket for a keyring with a matching name
565         * that's readable and that hasn't been revoked */
566        list_for_each_entry(keyring,
567                    &keyring_name_hash[bucket],
568                    type_data.link
569                    ) {
570            if (keyring->user->user_ns != current_user_ns())
571                continue;
572
573            if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
574                continue;
575
576            if (strcmp(keyring->description, name) != 0)
577                continue;
578
579            if (!skip_perm_check &&
580                key_permission(make_key_ref(keyring, 0),
581                       KEY_SEARCH) < 0)
582                continue;
583
584            /* we've got a match but we might end up racing with
585             * key_cleanup() if the keyring is currently 'dead'
586             * (ie. it has a zero usage count) */
587            if (!atomic_inc_not_zero(&keyring->usage))
588                continue;
589            goto out;
590        }
591    }
592
593    keyring = ERR_PTR(-ENOKEY);
594out:
595    read_unlock(&keyring_name_lock);
596    return keyring;
597}
598
599/*
600 * See if a cycle will will be created by inserting acyclic tree B in acyclic
601 * tree A at the topmost level (ie: as a direct child of A).
602 *
603 * Since we are adding B to A at the top level, checking for cycles should just
604 * be a matter of seeing if node A is somewhere in tree B.
605 */
606static int keyring_detect_cycle(struct key *A, struct key *B)
607{
608    struct {
609        struct keyring_list *keylist;
610        int kix;
611    } stack[KEYRING_SEARCH_MAX_DEPTH];
612
613    struct keyring_list *keylist;
614    struct key *subtree, *key;
615    int sp, kix, ret;
616
617    rcu_read_lock();
618
619    ret = -EDEADLK;
620    if (A == B)
621        goto cycle_detected;
622
623    subtree = B;
624    sp = 0;
625
626    /* start processing a new keyring */
627descend:
628    if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
629        goto not_this_keyring;
630
631    keylist = rcu_dereference(subtree->payload.subscriptions);
632    if (!keylist)
633        goto not_this_keyring;
634    kix = 0;
635
636ascend:
637    /* iterate through the remaining keys in this keyring */
638    for (; kix < keylist->nkeys; kix++) {
639        key = keylist->keys[kix];
640
641        if (key == A)
642            goto cycle_detected;
643
644        /* recursively check nested keyrings */
645        if (key->type == &key_type_keyring) {
646            if (sp >= KEYRING_SEARCH_MAX_DEPTH)
647                goto too_deep;
648
649            /* stack the current position */
650            stack[sp].keylist = keylist;
651            stack[sp].kix = kix;
652            sp++;
653
654            /* begin again with the new keyring */
655            subtree = key;
656            goto descend;
657        }
658    }
659
660    /* the keyring we're looking at was disqualified or didn't contain a
661     * matching key */
662not_this_keyring:
663    if (sp > 0) {
664        /* resume the checking of a keyring higher up in the tree */
665        sp--;
666        keylist = stack[sp].keylist;
667        kix = stack[sp].kix + 1;
668        goto ascend;
669    }
670
671    ret = 0; /* no cycles detected */
672
673error:
674    rcu_read_unlock();
675    return ret;
676
677too_deep:
678    ret = -ELOOP;
679    goto error;
680
681cycle_detected:
682    ret = -EDEADLK;
683    goto error;
684}
685
686/*
687 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
688 * key
689 */
690static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
691{
692    struct keyring_list *klist =
693        container_of(rcu, struct keyring_list, rcu);
694
695    if (klist->delkey != USHRT_MAX)
696        key_put(klist->keys[klist->delkey]);
697    kfree(klist);
698}
699
700/*
701 * Preallocate memory so that a key can be linked into to a keyring.
702 */
703int __key_link_begin(struct key *keyring, const struct key_type *type,
704             const char *description, unsigned long *_prealloc)
705    __acquires(&keyring->sem)
706{
707    struct keyring_list *klist, *nklist;
708    unsigned long prealloc;
709    unsigned max;
710    size_t size;
711    int loop, ret;
712
713    kenter("%d,%s,%s,", key_serial(keyring), type->name, description);
714
715    if (keyring->type != &key_type_keyring)
716        return -ENOTDIR;
717
718    down_write(&keyring->sem);
719
720    ret = -EKEYREVOKED;
721    if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
722        goto error_krsem;
723
724    /* serialise link/link calls to prevent parallel calls causing a cycle
725     * when linking two keyring in opposite orders */
726    if (type == &key_type_keyring)
727        down_write(&keyring_serialise_link_sem);
728
729    klist = rcu_dereference_locked_keyring(keyring);
730
731    /* see if there's a matching key we can displace */
732    if (klist && klist->nkeys > 0) {
733        for (loop = klist->nkeys - 1; loop >= 0; loop--) {
734            if (klist->keys[loop]->type == type &&
735                strcmp(klist->keys[loop]->description,
736                   description) == 0
737                ) {
738                /* found a match - we'll replace this one with
739                 * the new key */
740                size = sizeof(struct key *) * klist->maxkeys;
741                size += sizeof(*klist);
742                BUG_ON(size > PAGE_SIZE);
743
744                ret = -ENOMEM;
745                nklist = kmemdup(klist, size, GFP_KERNEL);
746                if (!nklist)
747                    goto error_sem;
748
749                /* note replacement slot */
750                klist->delkey = nklist->delkey = loop;
751                prealloc = (unsigned long)nklist;
752                goto done;
753            }
754        }
755    }
756
757    /* check that we aren't going to overrun the user's quota */
758    ret = key_payload_reserve(keyring,
759                  keyring->datalen + KEYQUOTA_LINK_BYTES);
760    if (ret < 0)
761        goto error_sem;
762
763    if (klist && klist->nkeys < klist->maxkeys) {
764        /* there's sufficient slack space to append directly */
765        nklist = NULL;
766        prealloc = KEY_LINK_FIXQUOTA;
767    } else {
768        /* grow the key list */
769        max = 4;
770        if (klist)
771            max += klist->maxkeys;
772
773        ret = -ENFILE;
774        if (max > USHRT_MAX - 1)
775            goto error_quota;
776        size = sizeof(*klist) + sizeof(struct key *) * max;
777        if (size > PAGE_SIZE)
778            goto error_quota;
779
780        ret = -ENOMEM;
781        nklist = kmalloc(size, GFP_KERNEL);
782        if (!nklist)
783            goto error_quota;
784
785        nklist->maxkeys = max;
786        if (klist) {
787            memcpy(nklist->keys, klist->keys,
788                   sizeof(struct key *) * klist->nkeys);
789            nklist->delkey = klist->nkeys;
790            nklist->nkeys = klist->nkeys + 1;
791            klist->delkey = USHRT_MAX;
792        } else {
793            nklist->nkeys = 1;
794            nklist->delkey = 0;
795        }
796
797        /* add the key into the new space */
798        nklist->keys[nklist->delkey] = NULL;
799    }
800
801    prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
802done:
803    *_prealloc = prealloc;
804    kleave(" = 0");
805    return 0;
806
807error_quota:
808    /* undo the quota changes */
809    key_payload_reserve(keyring,
810                keyring->datalen - KEYQUOTA_LINK_BYTES);
811error_sem:
812    if (type == &key_type_keyring)
813        up_write(&keyring_serialise_link_sem);
814error_krsem:
815    up_write(&keyring->sem);
816    kleave(" = %d", ret);
817    return ret;
818}
819
820/*
821 * Check already instantiated keys aren't going to be a problem.
822 *
823 * The caller must have called __key_link_begin(). Don't need to call this for
824 * keys that were created since __key_link_begin() was called.
825 */
826int __key_link_check_live_key(struct key *keyring, struct key *key)
827{
828    if (key->type == &key_type_keyring)
829        /* check that we aren't going to create a cycle by linking one
830         * keyring to another */
831        return keyring_detect_cycle(keyring, key);
832    return 0;
833}
834
835/*
836 * Link a key into to a keyring.
837 *
838 * Must be called with __key_link_begin() having being called. Discards any
839 * already extant link to matching key if there is one, so that each keyring
840 * holds at most one link to any given key of a particular type+description
841 * combination.
842 */
843void __key_link(struct key *keyring, struct key *key,
844        unsigned long *_prealloc)
845{
846    struct keyring_list *klist, *nklist;
847
848    nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA);
849    *_prealloc = 0;
850
851    kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
852
853    klist = rcu_dereference_protected(keyring->payload.subscriptions,
854                      rwsem_is_locked(&keyring->sem));
855
856    atomic_inc(&key->usage);
857
858    /* there's a matching key we can displace or an empty slot in a newly
859     * allocated list we can fill */
860    if (nklist) {
861        kdebug("replace %hu/%hu/%hu",
862               nklist->delkey, nklist->nkeys, nklist->maxkeys);
863
864        nklist->keys[nklist->delkey] = key;
865
866        rcu_assign_pointer(keyring->payload.subscriptions, nklist);
867
868        /* dispose of the old keyring list and, if there was one, the
869         * displaced key */
870        if (klist) {
871            kdebug("dispose %hu/%hu/%hu",
872                   klist->delkey, klist->nkeys, klist->maxkeys);
873            call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
874        }
875    } else {
876        /* there's sufficient slack space to append directly */
877        klist->keys[klist->nkeys] = key;
878        smp_wmb();
879        klist->nkeys++;
880    }
881}
882
883/*
884 * Finish linking a key into to a keyring.
885 *
886 * Must be called with __key_link_begin() having being called.
887 */
888void __key_link_end(struct key *keyring, struct key_type *type,
889            unsigned long prealloc)
890    __releases(&keyring->sem)
891{
892    BUG_ON(type == NULL);
893    BUG_ON(type->name == NULL);
894    kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);
895
896    if (type == &key_type_keyring)
897        up_write(&keyring_serialise_link_sem);
898
899    if (prealloc) {
900        if (prealloc & KEY_LINK_FIXQUOTA)
901            key_payload_reserve(keyring,
902                        keyring->datalen -
903                        KEYQUOTA_LINK_BYTES);
904        kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
905    }
906    up_write(&keyring->sem);
907}
908
909/**
910 * key_link - Link a key to a keyring
911 * @keyring: The keyring to make the link in.
912 * @key: The key to link to.
913 *
914 * Make a link in a keyring to a key, such that the keyring holds a reference
915 * on that key and the key can potentially be found by searching that keyring.
916 *
917 * This function will write-lock the keyring's semaphore and will consume some
918 * of the user's key data quota to hold the link.
919 *
920 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
921 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
922 * full, -EDQUOT if there is insufficient key data quota remaining to add
923 * another link or -ENOMEM if there's insufficient memory.
924 *
925 * It is assumed that the caller has checked that it is permitted for a link to
926 * be made (the keyring should have Write permission and the key Link
927 * permission).
928 */
929int key_link(struct key *keyring, struct key *key)
930{
931    unsigned long prealloc;
932    int ret;
933
934    key_check(keyring);
935    key_check(key);
936
937    ret = __key_link_begin(keyring, key->type, key->description, &prealloc);
938    if (ret == 0) {
939        ret = __key_link_check_live_key(keyring, key);
940        if (ret == 0)
941            __key_link(keyring, key, &prealloc);
942        __key_link_end(keyring, key->type, prealloc);
943    }
944
945    return ret;
946}
947EXPORT_SYMBOL(key_link);
948
949/**
950 * key_unlink - Unlink the first link to a key from a keyring.
951 * @keyring: The keyring to remove the link from.
952 * @key: The key the link is to.
953 *
954 * Remove a link from a keyring to a key.
955 *
956 * This function will write-lock the keyring's semaphore.
957 *
958 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
959 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
960 * memory.
961 *
962 * It is assumed that the caller has checked that it is permitted for a link to
963 * be removed (the keyring should have Write permission; no permissions are
964 * required on the key).
965 */
966int key_unlink(struct key *keyring, struct key *key)
967{
968    struct keyring_list *klist, *nklist;
969    int loop, ret;
970
971    key_check(keyring);
972    key_check(key);
973
974    ret = -ENOTDIR;
975    if (keyring->type != &key_type_keyring)
976        goto error;
977
978    down_write(&keyring->sem);
979
980    klist = rcu_dereference_locked_keyring(keyring);
981    if (klist) {
982        /* search the keyring for the key */
983        for (loop = 0; loop < klist->nkeys; loop++)
984            if (klist->keys[loop] == key)
985                goto key_is_present;
986    }
987
988    up_write(&keyring->sem);
989    ret = -ENOENT;
990    goto error;
991
992key_is_present:
993    /* we need to copy the key list for RCU purposes */
994    nklist = kmalloc(sizeof(*klist) +
995             sizeof(struct key *) * klist->maxkeys,
996             GFP_KERNEL);
997    if (!nklist)
998        goto nomem;
999    nklist->maxkeys = klist->maxkeys;
1000    nklist->nkeys = klist->nkeys - 1;
1001
1002    if (loop > 0)
1003        memcpy(&nklist->keys[0],
1004               &klist->keys[0],
1005               loop * sizeof(struct key *));
1006
1007    if (loop < nklist->nkeys)
1008        memcpy(&nklist->keys[loop],
1009               &klist->keys[loop + 1],
1010               (nklist->nkeys - loop) * sizeof(struct key *));
1011
1012    /* adjust the user's quota */
1013    key_payload_reserve(keyring,
1014                keyring->datalen - KEYQUOTA_LINK_BYTES);
1015
1016    rcu_assign_pointer(keyring->payload.subscriptions, nklist);
1017
1018    up_write(&keyring->sem);
1019
1020    /* schedule for later cleanup */
1021    klist->delkey = loop;
1022    call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
1023
1024    ret = 0;
1025
1026error:
1027    return ret;
1028nomem:
1029    ret = -ENOMEM;
1030    up_write(&keyring->sem);
1031    goto error;
1032}
1033EXPORT_SYMBOL(key_unlink);
1034
1035/*
1036 * Dispose of a keyring list after the RCU grace period, releasing the keys it
1037 * links to.
1038 */
1039static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1040{
1041    struct keyring_list *klist;
1042    int loop;
1043
1044    klist = container_of(rcu, struct keyring_list, rcu);
1045
1046    for (loop = klist->nkeys - 1; loop >= 0; loop--)
1047        key_put(klist->keys[loop]);
1048
1049    kfree(klist);
1050}
1051
1052/**
1053 * keyring_clear - Clear a keyring
1054 * @keyring: The keyring to clear.
1055 *
1056 * Clear the contents of the specified keyring.
1057 *
1058 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
1059 */
1060int keyring_clear(struct key *keyring)
1061{
1062    struct keyring_list *klist;
1063    int ret;
1064
1065    ret = -ENOTDIR;
1066    if (keyring->type == &key_type_keyring) {
1067        /* detach the pointer block with the locks held */
1068        down_write(&keyring->sem);
1069
1070        klist = rcu_dereference_locked_keyring(keyring);
1071        if (klist) {
1072            /* adjust the quota */
1073            key_payload_reserve(keyring,
1074                        sizeof(struct keyring_list));
1075
1076            rcu_assign_pointer(keyring->payload.subscriptions,
1077                       NULL);
1078        }
1079
1080        up_write(&keyring->sem);
1081
1082        /* free the keys after the locks have been dropped */
1083        if (klist)
1084            call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1085
1086        ret = 0;
1087    }
1088
1089    return ret;
1090}
1091EXPORT_SYMBOL(keyring_clear);
1092
1093/*
1094 * Dispose of the links from a revoked keyring.
1095 *
1096 * This is called with the key sem write-locked.
1097 */
1098static void keyring_revoke(struct key *keyring)
1099{
1100    struct keyring_list *klist;
1101
1102    klist = rcu_dereference_locked_keyring(keyring);
1103
1104    /* adjust the quota */
1105    key_payload_reserve(keyring, 0);
1106
1107    if (klist) {
1108        rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1109        call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1110    }
1111}
1112
1113/*
1114 * Determine whether a key is dead.
1115 */
1116static bool key_is_dead(struct key *key, time_t limit)
1117{
1118    return test_bit(KEY_FLAG_DEAD, &key->flags) ||
1119        (key->expiry > 0 && key->expiry <= limit);
1120}
1121
1122/*
1123 * Collect garbage from the contents of a keyring, replacing the old list with
1124 * a new one with the pointers all shuffled down.
1125 *
1126 * Dead keys are classed as oned that are flagged as being dead or are revoked,
1127 * expired or negative keys that were revoked or expired before the specified
1128 * limit.
1129 */
1130void keyring_gc(struct key *keyring, time_t limit)
1131{
1132    struct keyring_list *klist, *new;
1133    struct key *key;
1134    int loop, keep, max;
1135
1136    kenter("{%x,%s}", key_serial(keyring), keyring->description);
1137
1138    down_write(&keyring->sem);
1139
1140    klist = rcu_dereference_locked_keyring(keyring);
1141    if (!klist)
1142        goto no_klist;
1143
1144    /* work out how many subscriptions we're keeping */
1145    keep = 0;
1146    for (loop = klist->nkeys - 1; loop >= 0; loop--)
1147        if (!key_is_dead(klist->keys[loop], limit))
1148            keep++;
1149
1150    if (keep == klist->nkeys)
1151        goto just_return;
1152
1153    /* allocate a new keyring payload */
1154    max = roundup(keep, 4);
1155    new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
1156              GFP_KERNEL);
1157    if (!new)
1158        goto nomem;
1159    new->maxkeys = max;
1160    new->nkeys = 0;
1161    new->delkey = 0;
1162
1163    /* install the live keys
1164     * - must take care as expired keys may be updated back to life
1165     */
1166    keep = 0;
1167    for (loop = klist->nkeys - 1; loop >= 0; loop--) {
1168        key = klist->keys[loop];
1169        if (!key_is_dead(key, limit)) {
1170            if (keep >= max)
1171                goto discard_new;
1172            new->keys[keep++] = key_get(key);
1173        }
1174    }
1175    new->nkeys = keep;
1176
1177    /* adjust the quota */
1178    key_payload_reserve(keyring,
1179                sizeof(struct keyring_list) +
1180                KEYQUOTA_LINK_BYTES * keep);
1181
1182    if (keep == 0) {
1183        rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1184        kfree(new);
1185    } else {
1186        rcu_assign_pointer(keyring->payload.subscriptions, new);
1187    }
1188
1189    up_write(&keyring->sem);
1190
1191    call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1192    kleave(" [yes]");
1193    return;
1194
1195discard_new:
1196    new->nkeys = keep;
1197    keyring_clear_rcu_disposal(&new->rcu);
1198    up_write(&keyring->sem);
1199    kleave(" [discard]");
1200    return;
1201
1202just_return:
1203    up_write(&keyring->sem);
1204    kleave(" [no dead]");
1205    return;
1206
1207no_klist:
1208    up_write(&keyring->sem);
1209    kleave(" [no_klist]");
1210    return;
1211
1212nomem:
1213    up_write(&keyring->sem);
1214    kleave(" [oom]");
1215}
1216

Archive Download this file



interactive