]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/keys/process_keys.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
KEYS: Alter use of key instantiation link-to-keyring argument
[mirror_ubuntu-hirsute-kernel.git] / security / keys / process_keys.c
CommitLineData
69664cf1 1/* Management of a process's keyrings
1da177e4 2 *
69664cf1 3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
1da177e4
LT		 4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sched.h>
15#include <linux/slab.h>
16#include <linux/keyctl.h>
17#include <linux/fs.h>
18#include <linux/err.h>
bb003079 19#include <linux/mutex.h>
1da177e4
LT		 20#include <asm/uaccess.h>
21#include "internal.h"
22
23/* session keyring create vs join semaphore */
bb003079 24static DEFINE_MUTEX(key_session_mutex);
1da177e4 25
69664cf1
DH		 26/* user keyring creation semaphore */
27static DEFINE_MUTEX(key_user_keyring_mutex);
28
1da177e4
LT		 29/* the root user's tracking struct */
30struct key_user root_key_user = {
31 .usage = ATOMIC_INIT(3),
76181c13 32 .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock),
6cfd76a2 33 .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
1da177e4
LT		 34 .nkeys = ATOMIC_INIT(2),
35 .nikeys = ATOMIC_INIT(2),
36 .uid = 0,
37};
38
1da177e4
LT		 39/*****************************************************************************/
40/*
69664cf1 41 * install user and user session keyrings for a particular UID
1da177e4 42 */
8bbf4976 43int install_user_keyrings(void)
1da177e4 44{
8bbf4976 45 struct user_struct *user = current->user;
1da177e4
LT		 46 struct key *uid_keyring, *session_keyring;
47 char buf[20];
48 int ret;
49
69664cf1 50 kenter("%p{%u}", user, user->uid);
1da177e4 51
69664cf1
DH		 52 if (user->uid_keyring) {
53 kleave(" = 0 [exist]");
54 return 0;
1da177e4
LT		 55 }
56
69664cf1
DH		 57 mutex_lock(&key_user_keyring_mutex);
58 ret = 0;
1da177e4 59
69664cf1
DH		 60 if (!user->uid_keyring) {
61 /* get the UID-specific keyring
62 * - there may be one in existence already as it may have been
63 * pinned by a session, but the user_struct pointing to it
64 * may have been destroyed by setuid */
65 sprintf(buf, "_uid.%u", user->uid);
66
67 uid_keyring = find_keyring_by_name(buf, true);
68 if (IS_ERR(uid_keyring)) {
69 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
8bbf4976 70 current, KEY_ALLOC_IN_QUOTA,
69664cf1
DH		 71 NULL);
72 if (IS_ERR(uid_keyring)) {
73 ret = PTR_ERR(uid_keyring);
74 goto error;
75 }
76 }
77
78 /* get a default session keyring (which might also exist
79 * already) */
80 sprintf(buf, "_uid_ses.%u", user->uid);
81
82 session_keyring = find_keyring_by_name(buf, true);
83 if (IS_ERR(session_keyring)) {
84 session_keyring =
85 keyring_alloc(buf, user->uid, (gid_t) -1,
8bbf4976
DH		 86 current, KEY_ALLOC_IN_QUOTA,
87 NULL);
69664cf1
DH		 88 if (IS_ERR(session_keyring)) {
89 ret = PTR_ERR(session_keyring);
90 goto error_release;
91 }
92
93 /* we install a link from the user session keyring to
94 * the user keyring */
95 ret = key_link(session_keyring, uid_keyring);
96 if (ret < 0)
97 goto error_release_both;
98 }
99
100 /* install the keyrings */
101 user->uid_keyring = uid_keyring;
102 user->session_keyring = session_keyring;
1da177e4
LT		 103 }
104
69664cf1
DH		 105 mutex_unlock(&key_user_keyring_mutex);
106 kleave(" = 0");
107 return 0;
1da177e4 108
69664cf1
DH		 109error_release_both:
110 key_put(session_keyring);
111error_release:
112 key_put(uid_keyring);
664cceb0 113error:
69664cf1
DH		 114 mutex_unlock(&key_user_keyring_mutex);
115 kleave(" = %d", ret);
1da177e4 116 return ret;
69664cf1 117}
1da177e4
LT		 118
119/*****************************************************************************/
120/*
121 * deal with the UID changing
122 */
123void switch_uid_keyring(struct user_struct *new_user)
124{
125#if 0 /* do nothing for now */
126 struct key *old;
127
128 /* switch to the new user's session keyring if we were running under
129 * root's default session keyring */
130 if (new_user->uid != 0 &&
131 current->session_keyring == &root_session_keyring
132 ) {
133 atomic_inc(&new_user->session_keyring->usage);
134
135 task_lock(current);
136 old = current->session_keyring;
137 current->session_keyring = new_user->session_keyring;
138 task_unlock(current);
139
140 key_put(old);
141 }
142#endif
143
144} /* end switch_uid_keyring() */
145
146/*****************************************************************************/
147/*
148 * install a fresh thread keyring, discarding the old one
149 */
8bbf4976 150int install_thread_keyring(void)
1da177e4 151{
8bbf4976 152 struct task_struct *tsk = current;
1da177e4
LT		 153 struct key *keyring, *old;
154 char buf[20];
155 int ret;
156
157 sprintf(buf, "_tid.%u", tsk->pid);
158
7e047ef5
DH		 159 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
160 KEY_ALLOC_QUOTA_OVERRUN, NULL);
1da177e4
LT		 161 if (IS_ERR(keyring)) {
162 ret = PTR_ERR(keyring);
163 goto error;
164 }
165
166 task_lock(tsk);
167 old = tsk->thread_keyring;
168 tsk->thread_keyring = keyring;
169 task_unlock(tsk);
170
171 ret = 0;
172
173 key_put(old);
664cceb0 174error:
1da177e4
LT		 175 return ret;
176
177} /* end install_thread_keyring() */
178
179/*****************************************************************************/
180/*
181 * make sure a process keyring is installed
182 */
8bbf4976 183int install_process_keyring(void)
1da177e4 184{
8bbf4976 185 struct task_struct *tsk = current;
1da177e4
LT		 186 struct key *keyring;
187 char buf[20];
188 int ret;
189
1a26feb9
DH		 190 might_sleep();
191
1da177e4
LT		 192 if (!tsk->signal->process_keyring) {
193 sprintf(buf, "_pid.%u", tsk->tgid);
194
7e047ef5
DH		 195 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
196 KEY_ALLOC_QUOTA_OVERRUN, NULL);
1da177e4
LT		 197 if (IS_ERR(keyring)) {
198 ret = PTR_ERR(keyring);
199 goto error;
200 }
201
8589b4e0 202 /* attach keyring */
1a26feb9 203 spin_lock_irq(&tsk->sighand->siglock);
1da177e4
LT		 204 if (!tsk->signal->process_keyring) {
205 tsk->signal->process_keyring = keyring;
206 keyring = NULL;
207 }
1a26feb9 208 spin_unlock_irq(&tsk->sighand->siglock);
1da177e4
LT		 209
210 key_put(keyring);
211 }
212
213 ret = 0;
664cceb0 214error:
1da177e4
LT		 215 return ret;
216
217} /* end install_process_keyring() */
218
219/*****************************************************************************/
220/*
221 * install a session keyring, discarding the old one
222 * - if a keyring is not supplied, an empty one is invented
223 */
8bbf4976 224static int install_session_keyring(struct key *keyring)
1da177e4 225{
8bbf4976 226 struct task_struct *tsk = current;
7e047ef5 227 unsigned long flags;
1da177e4
LT		 228 struct key *old;
229 char buf[20];
1a26feb9
DH		 230
231 might_sleep();
1da177e4
LT		 232
233 /* create an empty session keyring */
234 if (!keyring) {
235 sprintf(buf, "_ses.%u", tsk->tgid);
236
7e047ef5
DH		 237 flags = KEY_ALLOC_QUOTA_OVERRUN;
238 if (tsk->signal->session_keyring)
239 flags = KEY_ALLOC_IN_QUOTA;
240
241 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
242 flags, NULL);
1a26feb9
DH		 243 if (IS_ERR(keyring))
244 return PTR_ERR(keyring);
1da177e4
LT		 245 }
246 else {
247 atomic_inc(&keyring->usage);
248 }
249
250 /* install the keyring */
1a26feb9
DH		 251 spin_lock_irq(&tsk->sighand->siglock);
252 old = tsk->signal->session_keyring;
8589b4e0 253 rcu_assign_pointer(tsk->signal->session_keyring, keyring);
1a26feb9 254 spin_unlock_irq(&tsk->sighand->siglock);
1da177e4 255
1a26feb9
DH		 256 /* we're using RCU on the pointer, but there's no point synchronising
257 * on it if it didn't previously point to anything */
258 if (old) {
259 synchronize_rcu();
260 key_put(old);
261 }
1da177e4 262
1a26feb9 263 return 0;
1da177e4
LT		 264
265} /* end install_session_keyring() */
266
267/*****************************************************************************/
268/*
269 * copy the keys in a thread group for fork without CLONE_THREAD
270 */
271int copy_thread_group_keys(struct task_struct *tsk)
272{
1da177e4
LT		 273 key_check(current->thread_group->session_keyring);
274 key_check(current->thread_group->process_keyring);
275
276 /* no process keyring yet */
277 tsk->signal->process_keyring = NULL;
278
279 /* same session keyring */
8589b4e0 280 rcu_read_lock();
1da177e4 281 tsk->signal->session_keyring =
8589b4e0
DH		 282 key_get(rcu_dereference(current->signal->session_keyring));
283 rcu_read_unlock();
1da177e4
LT		 284
285 return 0;
286
287} /* end copy_thread_group_keys() */
288
289/*****************************************************************************/
290/*
291 * copy the keys for fork
292 */
293int copy_keys(unsigned long clone_flags, struct task_struct *tsk)
294{
295 key_check(tsk->thread_keyring);
b5f545c8 296 key_check(tsk->request_key_auth);
1da177e4
LT		 297
298 /* no thread keyring yet */
299 tsk->thread_keyring = NULL;
b5f545c8
DH		 300
301 /* copy the request_key() authorisation for this thread */
302 key_get(tsk->request_key_auth);
303
1da177e4
LT		 304 return 0;
305
306} /* end copy_keys() */
307
308/*****************************************************************************/
309/*
310 * dispose of thread group keys upon thread group destruction
311 */
312void exit_thread_group_keys(struct signal_struct *tg)
313{
314 key_put(tg->session_keyring);
315 key_put(tg->process_keyring);
316
317} /* end exit_thread_group_keys() */
318
319/*****************************************************************************/
320/*
b5f545c8 321 * dispose of per-thread keys upon thread exit
1da177e4
LT		 322 */
323void exit_keys(struct task_struct *tsk)
324{
325 key_put(tsk->thread_keyring);
b5f545c8 326 key_put(tsk->request_key_auth);
1da177e4
LT		 327
328} /* end exit_keys() */
329
330/*****************************************************************************/
331/*
332 * deal with execve()
333 */
334int exec_keys(struct task_struct *tsk)
335{
1da177e4
LT		 336 struct key *old;
337
338 /* newly exec'd tasks don't get a thread keyring */
339 task_lock(tsk);
340 old = tsk->thread_keyring;
341 tsk->thread_keyring = NULL;
342 task_unlock(tsk);
343
344 key_put(old);
345
346 /* discard the process keyring from a newly exec'd task */
1a26feb9 347 spin_lock_irq(&tsk->sighand->siglock);
1da177e4
LT		 348 old = tsk->signal->process_keyring;
349 tsk->signal->process_keyring = NULL;
1a26feb9 350 spin_unlock_irq(&tsk->sighand->siglock);
1da177e4
LT		 351
352 key_put(old);
353
354 return 0;
355
356} /* end exec_keys() */
357
358/*****************************************************************************/
359/*
360 * deal with SUID programs
361 * - we might want to make this invent a new session keyring
362 */
363int suid_keys(struct task_struct *tsk)
364{
365 return 0;
366
367} /* end suid_keys() */
368
369/*****************************************************************************/
370/*
371 * the filesystem user ID changed
372 */
373void key_fsuid_changed(struct task_struct *tsk)
374{
375 /* update the ownership of the thread keyring */
376 if (tsk->thread_keyring) {
377 down_write(&tsk->thread_keyring->sem);
1da177e4 378 tsk->thread_keyring->uid = tsk->fsuid;
1da177e4
LT		 379 up_write(&tsk->thread_keyring->sem);
380 }
381
382} /* end key_fsuid_changed() */
383
384/*****************************************************************************/
385/*
386 * the filesystem group ID changed
387 */
388void key_fsgid_changed(struct task_struct *tsk)
389{
390 /* update the ownership of the thread keyring */
391 if (tsk->thread_keyring) {
392 down_write(&tsk->thread_keyring->sem);
1da177e4 393 tsk->thread_keyring->gid = tsk->fsgid;
1da177e4
LT		 394 up_write(&tsk->thread_keyring->sem);
395 }
396
397} /* end key_fsgid_changed() */
398
399/*****************************************************************************/
400/*
401 * search the process keyrings for the first matching key
402 * - we use the supplied match function to see if the description (or other
403 * feature of interest) matches
404 * - we return -EAGAIN if we didn't find any matching key
405 * - we return -ENOKEY if we found only negative matching keys
406 */
664cceb0
DH		 407key_ref_t search_process_keyrings(struct key_type *type,
408 const void *description,
409 key_match_func_t match,
410 struct task_struct *context)
1da177e4 411{
3e30148c 412 struct request_key_auth *rka;
b5f545c8 413 key_ref_t key_ref, ret, err;
1da177e4 414
04c567d9
DH		 415 might_sleep();
416
1da177e4
LT		 417 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
418 * searchable, but we failed to find a key or we found a negative key;
419 * otherwise we want to return a sample error (probably -EACCES) if
420 * none of the keyrings were searchable
421 *
422 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
423 */
664cceb0 424 key_ref = NULL;
1da177e4
LT		 425 ret = NULL;
426 err = ERR_PTR(-EAGAIN);
427
428 /* search the thread keyring first */
3e30148c 429 if (context->thread_keyring) {
664cceb0
DH		 430 key_ref = keyring_search_aux(
431 make_key_ref(context->thread_keyring, 1),
432 context, type, description, match);
433 if (!IS_ERR(key_ref))
1da177e4
LT		 434 goto found;
435
664cceb0 436 switch (PTR_ERR(key_ref)) {
1da177e4
LT		 437 case -EAGAIN: /* no key */
438 if (ret)
439 break;
440 case -ENOKEY: /* negative key */
664cceb0 441 ret = key_ref;
1da177e4
LT		 442 break;
443 default:
664cceb0 444 err = key_ref;
1da177e4
LT		 445 break;
446 }
447 }
448
449 /* search the process keyring second */
3e30148c 450 if (context->signal->process_keyring) {
664cceb0
DH		 451 key_ref = keyring_search_aux(
452 make_key_ref(context->signal->process_keyring, 1),
453 context, type, description, match);
454 if (!IS_ERR(key_ref))
1da177e4
LT		 455 goto found;
456
664cceb0 457 switch (PTR_ERR(key_ref)) {
1da177e4
LT		 458 case -EAGAIN: /* no key */
459 if (ret)
460 break;
461 case -ENOKEY: /* negative key */
664cceb0 462 ret = key_ref;
1da177e4
LT		 463 break;
464 default:
664cceb0 465 err = key_ref;
1da177e4
LT		 466 break;
467 }
468 }
469
3e30148c
DH		 470 /* search the session keyring */
471 if (context->signal->session_keyring) {
8589b4e0 472 rcu_read_lock();
664cceb0
DH		 473 key_ref = keyring_search_aux(
474 make_key_ref(rcu_dereference(
475 context->signal->session_keyring),
476 1),
3e30148c 477 context, type, description, match);
8589b4e0 478 rcu_read_unlock();
3e30148c 479
664cceb0 480 if (!IS_ERR(key_ref))
3e30148c
DH		 481 goto found;
482
664cceb0 483 switch (PTR_ERR(key_ref)) {
3e30148c
DH		 484 case -EAGAIN: /* no key */
485 if (ret)
486 break;
487 case -ENOKEY: /* negative key */
664cceb0 488 ret = key_ref;
3e30148c
DH		 489 break;
490 default:
664cceb0 491 err = key_ref;
3e30148c
DH		 492 break;
493 }
b5f545c8
DH		 494 }
495 /* or search the user-session keyring */
69664cf1 496 else if (context->user->session_keyring) {
b5f545c8
DH		 497 key_ref = keyring_search_aux(
498 make_key_ref(context->user->session_keyring, 1),
499 context, type, description, match);
664cceb0 500 if (!IS_ERR(key_ref))
3e30148c
DH		 501 goto found;
502
664cceb0 503 switch (PTR_ERR(key_ref)) {
3e30148c
DH		 504 case -EAGAIN: /* no key */
505 if (ret)
506 break;
507 case -ENOKEY: /* negative key */
664cceb0 508 ret = key_ref;
3e30148c
DH		 509 break;
510 default:
664cceb0 511 err = key_ref;
3e30148c
DH		 512 break;
513 }
8589b4e0 514 }
b5f545c8
DH		 515
516 /* if this process has an instantiation authorisation key, then we also
517 * search the keyrings of the process mentioned there
518 * - we don't permit access to request_key auth keys via this method
519 */
520 if (context->request_key_auth &&
521 context == current &&
04c567d9 522 type != &key_type_request_key_auth
b5f545c8 523 ) {
04c567d9
DH		 524 /* defend against the auth key being revoked */
525 down_read(&context->request_key_auth->sem);
b5f545c8 526
04c567d9
DH		 527 if (key_validate(context->request_key_auth) == 0) {
528 rka = context->request_key_auth->payload.data;
b5f545c8 529
04c567d9
DH		 530 key_ref = search_process_keyrings(type, description,
531 match, rka->context);
1da177e4 532
04c567d9
DH		 533 up_read(&context->request_key_auth->sem);
534
535 if (!IS_ERR(key_ref))
536 goto found;
537
538 switch (PTR_ERR(key_ref)) {
539 case -EAGAIN: /* no key */
540 if (ret)
541 break;
542 case -ENOKEY: /* negative key */
543 ret = key_ref;
3e30148c 544 break;
04c567d9
DH		 545 default:
546 err = key_ref;
547 break;
548 }
549 } else {
550 up_read(&context->request_key_auth->sem);
3e30148c 551 }
1da177e4
LT		 552 }
553
554 /* no key - decide on the error we're going to go for */
664cceb0 555 key_ref = ret ? ret : err;
1da177e4 556
3e30148c 557found:
664cceb0 558 return key_ref;
1da177e4 559
1da177e4
LT		 560} /* end search_process_keyrings() */
561
664cceb0
DH		 562/*****************************************************************************/
563/*
564 * see if the key we're looking at is the target key
565 */
566static int lookup_user_key_possessed(const struct key *key, const void *target)
567{
568 return key == target;
569
570} /* end lookup_user_key_possessed() */
571
1da177e4
LT		 572/*****************************************************************************/
573/*
574 * lookup a key given a key ID from userspace with a given permissions mask
575 * - don't create special keyrings unless so requested
576 * - partially constructed keys aren't found unless requested
577 */
8bbf4976
DH		 578key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
579 key_perm_t perm)
1da177e4 580{
8bbf4976
DH		 581 struct request_key_auth *rka;
582 struct task_struct *t = current;
664cceb0 583 key_ref_t key_ref, skey_ref;
1da177e4
LT		 584 struct key *key;
585 int ret;
586
664cceb0 587 key_ref = ERR_PTR(-ENOKEY);
1da177e4
LT		 588
589 switch (id) {
590 case KEY_SPEC_THREAD_KEYRING:
8bbf4976 591 if (!t->thread_keyring) {
1da177e4
LT		 592 if (!create)
593 goto error;
594
8bbf4976 595 ret = install_thread_keyring();
1da177e4
LT		 596 if (ret < 0) {
597 key = ERR_PTR(ret);
598 goto error;
599 }
600 }
601
8bbf4976 602 key = t->thread_keyring;
1da177e4 603 atomic_inc(&key->usage);
664cceb0 604 key_ref = make_key_ref(key, 1);
1da177e4
LT		 605 break;
606
607 case KEY_SPEC_PROCESS_KEYRING:
8bbf4976 608 if (!t->signal->process_keyring) {
1da177e4
LT		 609 if (!create)
610 goto error;
611
8bbf4976 612 ret = install_process_keyring();
1da177e4
LT		 613 if (ret < 0) {
614 key = ERR_PTR(ret);
615 goto error;
616 }
617 }
618
8bbf4976 619 key = t->signal->process_keyring;
1da177e4 620 atomic_inc(&key->usage);
664cceb0 621 key_ref = make_key_ref(key, 1);
1da177e4
LT		 622 break;
623
624 case KEY_SPEC_SESSION_KEYRING:
8bbf4976 625 if (!t->signal->session_keyring) {
1da177e4
LT		 626 /* always install a session keyring upon access if one
627 * doesn't exist yet */
8bbf4976 628 ret = install_user_keyrings();
69664cf1
DH		 629 if (ret < 0)
630 goto error;
8bbf4976 631 ret = install_session_keyring(t->user->session_keyring);
1da177e4
LT		 632 if (ret < 0)
633 goto error;
634 }
635
3e30148c 636 rcu_read_lock();
8bbf4976 637 key = rcu_dereference(t->signal->session_keyring);
1da177e4 638 atomic_inc(&key->usage);
3e30148c 639 rcu_read_unlock();
664cceb0 640 key_ref = make_key_ref(key, 1);
1da177e4
LT		 641 break;
642
643 case KEY_SPEC_USER_KEYRING:
8bbf4976
DH		 644 if (!t->user->uid_keyring) {
645 ret = install_user_keyrings();
69664cf1
DH		 646 if (ret < 0)
647 goto error;
648 }
649
8bbf4976 650 key = t->user->uid_keyring;
1da177e4 651 atomic_inc(&key->usage);
664cceb0 652 key_ref = make_key_ref(key, 1);
1da177e4
LT		 653 break;
654
655 case KEY_SPEC_USER_SESSION_KEYRING:
8bbf4976
DH		 656 if (!t->user->session_keyring) {
657 ret = install_user_keyrings();
69664cf1
DH		 658 if (ret < 0)
659 goto error;
660 }
661
8bbf4976 662 key = t->user->session_keyring;
1da177e4 663 atomic_inc(&key->usage);
664cceb0 664 key_ref = make_key_ref(key, 1);
1da177e4
LT		 665 break;
666
667 case KEY_SPEC_GROUP_KEYRING:
668 /* group keyrings are not yet supported */
669 key = ERR_PTR(-EINVAL);
670 goto error;
671
b5f545c8 672 case KEY_SPEC_REQKEY_AUTH_KEY:
8bbf4976 673 key = t->request_key_auth;
b5f545c8
DH		 674 if (!key)
675 goto error;
676
677 atomic_inc(&key->usage);
678 key_ref = make_key_ref(key, 1);
679 break;
680
8bbf4976
DH		 681 case KEY_SPEC_REQUESTOR_KEYRING:
682 if (!t->request_key_auth)
683 goto error;
684
685 down_read(&t->request_key_auth->sem);
686 if (t->request_key_auth->flags & KEY_FLAG_REVOKED) {
687 key_ref = ERR_PTR(-EKEYREVOKED);
688 key = NULL;
689 } else {
690 rka = t->request_key_auth->payload.data;
691 key = rka->dest_keyring;
692 atomic_inc(&key->usage);
693 }
694 up_read(&t->request_key_auth->sem);
695 if (!key)
696 goto error;
697 key_ref = make_key_ref(key, 1);
698 break;
699
1da177e4 700 default:
664cceb0 701 key_ref = ERR_PTR(-EINVAL);
1da177e4
LT		 702 if (id < 1)
703 goto error;
704
705 key = key_lookup(id);
664cceb0 706 if (IS_ERR(key)) {
e231c2ee 707 key_ref = ERR_CAST(key);
1da177e4 708 goto error;
664cceb0
DH		 709 }
710
711 key_ref = make_key_ref(key, 0);
712
713 /* check to see if we possess the key */
714 skey_ref = search_process_keyrings(key->type, key,
715 lookup_user_key_possessed,
716 current);
717
718 if (!IS_ERR(skey_ref)) {
719 key_put(key);
720 key_ref = skey_ref;
721 }
722
1da177e4
LT		 723 break;
724 }
725
76181c13
DH		 726 if (!partial) {
727 ret = wait_for_key_construction(key, true);
728 switch (ret) {
729 case -ERESTARTSYS:
730 goto invalid_key;
731 default:
732 if (perm)
733 goto invalid_key;
734 case 0:
735 break;
736 }
737 } else if (perm) {
1da177e4
LT		 738 ret = key_validate(key);
739 if (ret < 0)
740 goto invalid_key;
741 }
742
743 ret = -EIO;
76d8aeab 744 if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
1da177e4
LT		 745 goto invalid_key;
746
3e30148c 747 /* check the permissions */
8bbf4976 748 ret = key_task_permission(key_ref, t, perm);
29db9190 749 if (ret < 0)
1da177e4
LT		 750 goto invalid_key;
751
664cceb0
DH		 752error:
753 return key_ref;
1da177e4 754
664cceb0
DH		 755invalid_key:
756 key_ref_put(key_ref);
757 key_ref = ERR_PTR(ret);
1da177e4
LT		 758 goto error;
759
760} /* end lookup_user_key() */
761
762/*****************************************************************************/
763/*
764 * join the named keyring as the session keyring if possible, or attempt to
765 * create a new one of that name if not
766 * - if the name is NULL, an empty anonymous keyring is installed instead
767 * - named session keyring joining is done with a semaphore held
768 */
769long join_session_keyring(const char *name)
770{
771 struct task_struct *tsk = current;
1da177e4
LT		 772 struct key *keyring;
773 long ret;
774
775 /* if no name is provided, install an anonymous keyring */
776 if (!name) {
8bbf4976 777 ret = install_session_keyring(NULL);
1da177e4
LT		 778 if (ret < 0)
779 goto error;
780
3e30148c
DH		 781 rcu_read_lock();
782 ret = rcu_dereference(tsk->signal->session_keyring)->serial;
783 rcu_read_unlock();
1da177e4
LT		 784 goto error;
785 }
786
787 /* allow the user to join or create a named keyring */
bb003079 788 mutex_lock(&key_session_mutex);
1da177e4
LT		 789
790 /* look for an existing keyring of this name */
69664cf1 791 keyring = find_keyring_by_name(name, false);
1da177e4
LT		 792 if (PTR_ERR(keyring) == -ENOKEY) {
793 /* not found - try and create a new one */
7e047ef5
DH		 794 keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk,
795 KEY_ALLOC_IN_QUOTA, NULL);
1da177e4
LT		 796 if (IS_ERR(keyring)) {
797 ret = PTR_ERR(keyring);
bcf945d3 798 goto error2;
1da177e4
LT		 799 }
800 }
801 else if (IS_ERR(keyring)) {
802 ret = PTR_ERR(keyring);
803 goto error2;
804 }
805
806 /* we've got a keyring - now to install it */
8bbf4976 807 ret = install_session_keyring(keyring);
1da177e4
LT		 808 if (ret < 0)
809 goto error2;
810
811 ret = keyring->serial;
812 key_put(keyring);
813
664cceb0 814error2:
bb003079 815 mutex_unlock(&key_session_mutex);
664cceb0 816error:
1da177e4
LT		 817 return ret;
818
819} /* end join_session_keyring() */
Ubuntu Hirsute Linux kernel mirror