]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/keys/proc.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
x86/pti: Unbreak EFI old_memmap
[mirror_ubuntu-artful-kernel.git] / security / keys / proc.c
1 /* procfs files for key database enumeration
2 *
3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/fs.h>
16 #include <linux/proc_fs.h>
17 #include <linux/seq_file.h>
18 #include <asm/errno.h>
19 #include "internal.h"
20
21 static int proc_keys_open(struct inode *inode, struct file *file);
22 static void *proc_keys_start(struct seq_file *p, loff_t *_pos);
23 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos);
24 static void proc_keys_stop(struct seq_file *p, void *v);
25 static int proc_keys_show(struct seq_file *m, void *v);
26
27 static const struct seq_operations proc_keys_ops = {
28 .start = proc_keys_start,
29 .next = proc_keys_next,
30 .stop = proc_keys_stop,
31 .show = proc_keys_show,
32 };
33
34 static const struct file_operations proc_keys_fops = {
35 .open = proc_keys_open,
36 .read = seq_read,
37 .llseek = seq_lseek,
38 .release = seq_release,
39 };
40
41 static int proc_key_users_open(struct inode *inode, struct file *file);
42 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos);
43 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos);
44 static void proc_key_users_stop(struct seq_file *p, void *v);
45 static int proc_key_users_show(struct seq_file *m, void *v);
46
47 static const struct seq_operations proc_key_users_ops = {
48 .start = proc_key_users_start,
49 .next = proc_key_users_next,
50 .stop = proc_key_users_stop,
51 .show = proc_key_users_show,
52 };
53
54 static const struct file_operations proc_key_users_fops = {
55 .open = proc_key_users_open,
56 .read = seq_read,
57 .llseek = seq_lseek,
58 .release = seq_release,
59 };
60
61 /*
62 * Declare the /proc files.
63 */
64 static int __init key_proc_init(void)
65 {
66 struct proc_dir_entry *p;
67
68 p = proc_create("keys", 0, NULL, &proc_keys_fops);
69 if (!p)
70 panic("Cannot create /proc/keys\n");
71
72 p = proc_create("key-users", 0, NULL, &proc_key_users_fops);
73 if (!p)
74 panic("Cannot create /proc/key-users\n");
75
76 return 0;
77 }
78
79 __initcall(key_proc_init);
80
81 /*
82 * Implement "/proc/keys" to provide a list of the keys on the system that
83 * grant View permission to the caller.
84 */
85 static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n)
86 {
87 struct user_namespace *user_ns = seq_user_ns(p);
88
89 n = rb_next(n);
90 while (n) {
91 struct key *key = rb_entry(n, struct key, serial_node);
92 if (kuid_has_mapping(user_ns, key->user->uid))
93 break;
94 n = rb_next(n);
95 }
96 return n;
97 }
98
99 static int proc_keys_open(struct inode *inode, struct file *file)
100 {
101 return seq_open(file, &proc_keys_ops);
102 }
103
104 static struct key *find_ge_key(struct seq_file *p, key_serial_t id)
105 {
106 struct user_namespace *user_ns = seq_user_ns(p);
107 struct rb_node *n = key_serial_tree.rb_node;
108 struct key *minkey = NULL;
109
110 while (n) {
111 struct key *key = rb_entry(n, struct key, serial_node);
112 if (id < key->serial) {
113 if (!minkey || minkey->serial > key->serial)
114 minkey = key;
115 n = n->rb_left;
116 } else if (id > key->serial) {
117 n = n->rb_right;
118 } else {
119 minkey = key;
120 break;
121 }
122 key = NULL;
123 }
124
125 if (!minkey)
126 return NULL;
127
128 for (;;) {
129 if (kuid_has_mapping(user_ns, minkey->user->uid))
130 return minkey;
131 n = rb_next(&minkey->serial_node);
132 if (!n)
133 return NULL;
134 minkey = rb_entry(n, struct key, serial_node);
135 }
136 }
137
138 static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
139 __acquires(key_serial_lock)
140 {
141 key_serial_t pos = *_pos;
142 struct key *key;
143
144 spin_lock(&key_serial_lock);
145
146 if (*_pos > INT_MAX)
147 return NULL;
148 key = find_ge_key(p, pos);
149 if (!key)
150 return NULL;
151 *_pos = key->serial;
152 return &key->serial_node;
153 }
154
155 static inline key_serial_t key_node_serial(struct rb_node *n)
156 {
157 struct key *key = rb_entry(n, struct key, serial_node);
158 return key->serial;
159 }
160
161 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
162 {
163 struct rb_node *n;
164
165 n = key_serial_next(p, v);
166 if (n)
167 *_pos = key_node_serial(n);
168 return n;
169 }
170
171 static void proc_keys_stop(struct seq_file *p, void *v)
172 __releases(key_serial_lock)
173 {
174 spin_unlock(&key_serial_lock);
175 }
176
177 static int proc_keys_show(struct seq_file *m, void *v)
178 {
179 struct rb_node *_p = v;
180 struct key *key = rb_entry(_p, struct key, serial_node);
181 struct timespec now;
182 unsigned long timo;
183 key_ref_t key_ref, skey_ref;
184 char xbuf[16];
185 short state;
186 int rc;
187
188 struct keyring_search_context ctx = {
189 .index_key.type = key->type,
190 .index_key.description = key->description,
191 .cred = current_cred(),
192 .match_data.cmp = lookup_user_key_possessed,
193 .match_data.raw_data = key,
194 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
195 .flags = KEYRING_SEARCH_NO_STATE_CHECK,
196 };
197
198 key_ref = make_key_ref(key, 0);
199
200 /* determine if the key is possessed by this process (a test we can
201 * skip if the key does not indicate the possessor can view it
202 */
203 if (key->perm & KEY_POS_VIEW) {
204 skey_ref = search_my_process_keyrings(&ctx);
205 if (!IS_ERR(skey_ref)) {
206 key_ref_put(skey_ref);
207 key_ref = make_key_ref(key, 1);
208 }
209 }
210
211 /* check whether the current task is allowed to view the key (assuming
212 * non-possession)
213 * - the caller holds a spinlock, and thus the RCU read lock, making our
214 * access to __current_cred() safe
215 */
216 rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
217 if (rc < 0)
218 return 0;
219
220 now = current_kernel_time();
221
222 rcu_read_lock();
223
224 /* come up with a suitable timeout value */
225 if (key->expiry == 0) {
226 memcpy(xbuf, "perm", 5);
227 } else if (now.tv_sec >= key->expiry) {
228 memcpy(xbuf, "expd", 5);
229 } else {
230 timo = key->expiry - now.tv_sec;
231
232 if (timo < 60)
233 sprintf(xbuf, "%lus", timo);
234 else if (timo < 60*60)
235 sprintf(xbuf, "%lum", timo / 60);
236 else if (timo < 60*60*24)
237 sprintf(xbuf, "%luh", timo / (60*60));
238 else if (timo < 60*60*24*7)
239 sprintf(xbuf, "%lud", timo / (60*60*24));
240 else
241 sprintf(xbuf, "%luw", timo / (60*60*24*7));
242 }
243
244 state = key_read_state(key);
245
246 #define showflag(KEY, LETTER, FLAG) \
247 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
248
249 seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
250 key->serial,
251 state != KEY_IS_UNINSTANTIATED ? 'I' : '-',
252 showflag(key, 'R', KEY_FLAG_REVOKED),
253 showflag(key, 'D', KEY_FLAG_DEAD),
254 showflag(key, 'Q', KEY_FLAG_IN_QUOTA),
255 showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
256 state < 0 ? 'N' : '-',
257 showflag(key, 'i', KEY_FLAG_INVALIDATED),
258 refcount_read(&key->usage),
259 xbuf,
260 key->perm,
261 from_kuid_munged(seq_user_ns(m), key->uid),
262 from_kgid_munged(seq_user_ns(m), key->gid),
263 key->type->name);
264
265 #undef showflag
266
267 if (key->type->describe)
268 key->type->describe(key, m);
269 seq_putc(m, '\n');
270
271 rcu_read_unlock();
272 return 0;
273 }
274
275 static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n)
276 {
277 while (n) {
278 struct key_user *user = rb_entry(n, struct key_user, node);
279 if (kuid_has_mapping(user_ns, user->uid))
280 break;
281 n = rb_next(n);
282 }
283 return n;
284 }
285
286 static struct rb_node *key_user_next(struct user_namespace *user_ns, struct rb_node *n)
287 {
288 return __key_user_next(user_ns, rb_next(n));
289 }
290
291 static struct rb_node *key_user_first(struct user_namespace *user_ns, struct rb_root *r)
292 {
293 struct rb_node *n = rb_first(r);
294 return __key_user_next(user_ns, n);
295 }
296
297 /*
298 * Implement "/proc/key-users" to provides a list of the key users and their
299 * quotas.
300 */
301 static int proc_key_users_open(struct inode *inode, struct file *file)
302 {
303 return seq_open(file, &proc_key_users_ops);
304 }
305
306 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
307 __acquires(key_user_lock)
308 {
309 struct rb_node *_p;
310 loff_t pos = *_pos;
311
312 spin_lock(&key_user_lock);
313
314 _p = key_user_first(seq_user_ns(p), &key_user_tree);
315 while (pos > 0 && _p) {
316 pos--;
317 _p = key_user_next(seq_user_ns(p), _p);
318 }
319
320 return _p;
321 }
322
323 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
324 {
325 (*_pos)++;
326 return key_user_next(seq_user_ns(p), (struct rb_node *)v);
327 }
328
329 static void proc_key_users_stop(struct seq_file *p, void *v)
330 __releases(key_user_lock)
331 {
332 spin_unlock(&key_user_lock);
333 }
334
335 static int proc_key_users_show(struct seq_file *m, void *v)
336 {
337 struct rb_node *_p = v;
338 struct key_user *user = rb_entry(_p, struct key_user, node);
339 unsigned maxkeys = uid_eq(user->uid, GLOBAL_ROOT_UID) ?
340 key_quota_root_maxkeys : key_quota_maxkeys;
341 unsigned maxbytes = uid_eq(user->uid, GLOBAL_ROOT_UID) ?
342 key_quota_root_maxbytes : key_quota_maxbytes;
343
344 seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n",
345 from_kuid_munged(seq_user_ns(m), user->uid),
346 refcount_read(&user->usage),
347 atomic_read(&user->nkeys),
348 atomic_read(&user->nikeys),
349 user->qnkeys,
350 maxkeys,
351 user->qnbytes,
352 maxbytes);
353
354 return 0;
355 }
Ubuntu Artful kernel mirror