| 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
|---|---|
| 2 | /* Basic authentication token and access key management |
| 3 | * |
| 4 | * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved. |
| 5 | * Written by David Howells (dhowells@redhat.com) |
| 6 | */ |
| 7 | |
| 8 | #include <linux/export.h> |
| 9 | #include <linux/init.h> |
| 10 | #include <linux/poison.h> |
| 11 | #include <linux/sched.h> |
| 12 | #include <linux/slab.h> |
| 13 | #include <linux/security.h> |
| 14 | #include <linux/workqueue.h> |
| 15 | #include <linux/random.h> |
| 16 | #include <linux/err.h> |
| 17 | #include "internal.h" |
| 18 | |
| 19 | struct kmem_cache *key_jar; |
| 20 | struct rb_root key_serial_tree; /* tree of keys indexed by serial */ |
| 21 | DEFINE_SPINLOCK(key_serial_lock); |
| 22 | |
| 23 | struct rb_root key_user_tree; /* tree of quota records indexed by UID */ |
| 24 | DEFINE_SPINLOCK(key_user_lock); |
| 25 | |
| 26 | unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */ |
| 27 | unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */ |
| 28 | unsigned int key_quota_maxkeys = 200; /* general key count quota */ |
| 29 | unsigned int key_quota_maxbytes = 20000; /* general key space quota */ |
| 30 | |
| 31 | static LIST_HEAD(key_types_list); |
| 32 | static DECLARE_RWSEM(key_types_sem); |
| 33 | |
| 34 | /* We serialise key instantiation and link */ |
| 35 | DEFINE_MUTEX(key_construction_mutex); |
| 36 | |
| 37 | #ifdef KEY_DEBUGGING |
| 38 | void __key_check(const struct key *key) |
| 39 | { |
| 40 | printk("__key_check: key %p {%08x} should be {%08x}\n", |
| 41 | key, key->magic, KEY_DEBUG_MAGIC); |
| 42 | BUG(); |
| 43 | } |
| 44 | #endif |
| 45 | |
| 46 | /* |
| 47 | * Get the key quota record for a user, allocating a new record if one doesn't |
| 48 | * already exist. |
| 49 | */ |
| 50 | struct key_user *key_user_lookup(kuid_t uid) |
| 51 | { |
| 52 | struct key_user *candidate = NULL, *user; |
| 53 | struct rb_node *parent, **p; |
| 54 | |
| 55 | try_again: |
| 56 | parent = NULL; |
| 57 | p = &key_user_tree.rb_node; |
| 58 | spin_lock(lock: &key_user_lock); |
| 59 | |
| 60 | /* search the tree for a user record with a matching UID */ |
| 61 | while (*p) { |
| 62 | parent = *p; |
| 63 | user = rb_entry(parent, struct key_user, node); |
| 64 | |
| 65 | if (uid_lt(left: uid, right: user->uid)) |
| 66 | p = &(*p)->rb_left; |
| 67 | else if (uid_gt(left: uid, right: user->uid)) |
| 68 | p = &(*p)->rb_right; |
| 69 | else |
| 70 | goto found; |
| 71 | } |
| 72 | |
| 73 | /* if we get here, we failed to find a match in the tree */ |
| 74 | if (!candidate) { |
| 75 | /* allocate a candidate user record if we don't already have |
| 76 | * one */ |
| 77 | spin_unlock(lock: &key_user_lock); |
| 78 | |
| 79 | user = NULL; |
| 80 | candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL); |
| 81 | if (unlikely(!candidate)) |
| 82 | goto out; |
| 83 | |
| 84 | /* the allocation may have scheduled, so we need to repeat the |
| 85 | * search lest someone else added the record whilst we were |
| 86 | * asleep */ |
| 87 | goto try_again; |
| 88 | } |
| 89 | |
| 90 | /* if we get here, then the user record still hadn't appeared on the |
| 91 | * second pass - so we use the candidate record */ |
| 92 | refcount_set(r: &candidate->usage, n: 1); |
| 93 | atomic_set(v: &candidate->nkeys, i: 0); |
| 94 | atomic_set(v: &candidate->nikeys, i: 0); |
| 95 | candidate->uid = uid; |
| 96 | candidate->qnkeys = 0; |
| 97 | candidate->qnbytes = 0; |
| 98 | spin_lock_init(&candidate->lock); |
| 99 | mutex_init(&candidate->cons_lock); |
| 100 | |
| 101 | rb_link_node(node: &candidate->node, parent, rb_link: p); |
| 102 | rb_insert_color(&candidate->node, &key_user_tree); |
| 103 | spin_unlock(lock: &key_user_lock); |
| 104 | user = candidate; |
| 105 | goto out; |
| 106 | |
| 107 | /* okay - we found a user record for this UID */ |
| 108 | found: |
| 109 | refcount_inc(r: &user->usage); |
| 110 | spin_unlock(lock: &key_user_lock); |
| 111 | kfree(objp: candidate); |
| 112 | out: |
| 113 | return user; |
| 114 | } |
| 115 | |
| 116 | /* |
| 117 | * Dispose of a user structure |
| 118 | */ |
| 119 | void key_user_put(struct key_user *user) |
| 120 | { |
| 121 | if (refcount_dec_and_lock(r: &user->usage, lock: &key_user_lock)) { |
| 122 | rb_erase(&user->node, &key_user_tree); |
| 123 | spin_unlock(lock: &key_user_lock); |
| 124 | |
| 125 | kfree(objp: user); |
| 126 | } |
| 127 | } |
| 128 | |
| 129 | /* |
| 130 | * Allocate a serial number for a key. These are assigned randomly to avoid |
| 131 | * security issues through covert channel problems. |
| 132 | */ |
| 133 | static inline void key_alloc_serial(struct key *key) |
| 134 | { |
| 135 | struct rb_node *parent, **p; |
| 136 | struct key *xkey; |
| 137 | |
| 138 | /* propose a random serial number and look for a hole for it in the |
| 139 | * serial number tree */ |
| 140 | do { |
| 141 | get_random_bytes(buf: &key->serial, len: sizeof(key->serial)); |
| 142 | |
| 143 | key->serial >>= 1; /* negative numbers are not permitted */ |
| 144 | } while (key->serial < 3); |
| 145 | |
| 146 | spin_lock(lock: &key_serial_lock); |
| 147 | |
| 148 | attempt_insertion: |
| 149 | parent = NULL; |
| 150 | p = &key_serial_tree.rb_node; |
| 151 | |
| 152 | while (*p) { |
| 153 | parent = *p; |
| 154 | xkey = rb_entry(parent, struct key, serial_node); |
| 155 | |
| 156 | if (key->serial < xkey->serial) |
| 157 | p = &(*p)->rb_left; |
| 158 | else if (key->serial > xkey->serial) |
| 159 | p = &(*p)->rb_right; |
| 160 | else |
| 161 | goto serial_exists; |
| 162 | } |
| 163 | |
| 164 | /* we've found a suitable hole - arrange for this key to occupy it */ |
| 165 | rb_link_node(node: &key->serial_node, parent, rb_link: p); |
| 166 | rb_insert_color(&key->serial_node, &key_serial_tree); |
| 167 | |
| 168 | spin_unlock(lock: &key_serial_lock); |
| 169 | return; |
| 170 | |
| 171 | /* we found a key with the proposed serial number - walk the tree from |
| 172 | * that point looking for the next unused serial number */ |
| 173 | serial_exists: |
| 174 | for (;;) { |
| 175 | key->serial++; |
| 176 | if (key->serial < 3) { |
| 177 | key->serial = 3; |
| 178 | goto attempt_insertion; |
| 179 | } |
| 180 | |
| 181 | parent = rb_next(parent); |
| 182 | if (!parent) |
| 183 | goto attempt_insertion; |
| 184 | |
| 185 | xkey = rb_entry(parent, struct key, serial_node); |
| 186 | if (key->serial < xkey->serial) |
| 187 | goto attempt_insertion; |
| 188 | } |
| 189 | } |
| 190 | |
| 191 | /** |
| 192 | * key_alloc - Allocate a key of the specified type. |
| 193 | * @type: The type of key to allocate. |
| 194 | * @desc: The key description to allow the key to be searched out. |
| 195 | * @uid: The owner of the new key. |
| 196 | * @gid: The group ID for the new key's group permissions. |
| 197 | * @cred: The credentials specifying UID namespace. |
| 198 | * @perm: The permissions mask of the new key. |
| 199 | * @flags: Flags specifying quota properties. |
| 200 | * @restrict_link: Optional link restriction for new keyrings. |
| 201 | * |
| 202 | * Allocate a key of the specified type with the attributes given. The key is |
| 203 | * returned in an uninstantiated state and the caller needs to instantiate the |
| 204 | * key before returning. |
| 205 | * |
| 206 | * The restrict_link structure (if not NULL) will be freed when the |
| 207 | * keyring is destroyed, so it must be dynamically allocated. |
| 208 | * |
| 209 | * The user's key count quota is updated to reflect the creation of the key and |
| 210 | * the user's key data quota has the default for the key type reserved. The |
| 211 | * instantiation function should amend this as necessary. If insufficient |
| 212 | * quota is available, -EDQUOT will be returned. |
| 213 | * |
| 214 | * The LSM security modules can prevent a key being created, in which case |
| 215 | * -EACCES will be returned. |
| 216 | * |
| 217 | * Returns a pointer to the new key if successful and an error code otherwise. |
| 218 | * |
| 219 | * Note that the caller needs to ensure the key type isn't uninstantiated. |
| 220 | * Internally this can be done by locking key_types_sem. Externally, this can |
| 221 | * be done by either never unregistering the key type, or making sure |
| 222 | * key_alloc() calls don't race with module unloading. |
| 223 | */ |
| 224 | struct key *key_alloc(struct key_type *type, const char *desc, |
| 225 | kuid_t uid, kgid_t gid, const struct cred *cred, |
| 226 | key_perm_t perm, unsigned long flags, |
| 227 | struct key_restriction *restrict_link) |
| 228 | { |
| 229 | struct key_user *user = NULL; |
| 230 | struct key *key; |
| 231 | size_t desclen, quotalen; |
| 232 | int ret; |
| 233 | unsigned long irqflags; |
| 234 | |
| 235 | key = ERR_PTR(error: -EINVAL); |
| 236 | if (!desc || !*desc) |
| 237 | goto error; |
| 238 | |
| 239 | if (type->vet_description) { |
| 240 | ret = type->vet_description(desc); |
| 241 | if (ret < 0) { |
| 242 | key = ERR_PTR(error: ret); |
| 243 | goto error; |
| 244 | } |
| 245 | } |
| 246 | |
| 247 | desclen = strlen(desc); |
| 248 | quotalen = desclen + 1 + type->def_datalen; |
| 249 | |
| 250 | /* get hold of the key tracking for this user */ |
| 251 | user = key_user_lookup(uid); |
| 252 | if (!user) |
| 253 | goto no_memory_1; |
| 254 | |
| 255 | /* check that the user's quota permits allocation of another key and |
| 256 | * its description */ |
| 257 | if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { |
| 258 | unsigned maxkeys = uid_eq(left: uid, GLOBAL_ROOT_UID) ? |
| 259 | key_quota_root_maxkeys : key_quota_maxkeys; |
| 260 | unsigned maxbytes = uid_eq(left: uid, GLOBAL_ROOT_UID) ? |
| 261 | key_quota_root_maxbytes : key_quota_maxbytes; |
| 262 | |
| 263 | spin_lock_irqsave(&user->lock, irqflags); |
| 264 | if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { |
| 265 | if (user->qnkeys + 1 > maxkeys || |
| 266 | user->qnbytes + quotalen > maxbytes || |
| 267 | user->qnbytes + quotalen < user->qnbytes) |
| 268 | goto no_quota; |
| 269 | } |
| 270 | |
| 271 | user->qnkeys++; |
| 272 | user->qnbytes += quotalen; |
| 273 | spin_unlock_irqrestore(lock: &user->lock, flags: irqflags); |
| 274 | } |
| 275 | |
| 276 | /* allocate and initialise the key and its description */ |
| 277 | key = kmem_cache_zalloc(key_jar, GFP_KERNEL); |
| 278 | if (!key) |
| 279 | goto no_memory_2; |
| 280 | |
| 281 | key->index_key.desc_len = desclen; |
| 282 | key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL); |
| 283 | if (!key->index_key.description) |
| 284 | goto no_memory_3; |
| 285 | key->index_key.type = type; |
| 286 | key_set_index_key(index_key: &key->index_key); |
| 287 | |
| 288 | refcount_set(r: &key->usage, n: 1); |
| 289 | init_rwsem(&key->sem); |
| 290 | lockdep_set_class(&key->sem, &type->lock_class); |
| 291 | key->user = user; |
| 292 | key->quotalen = quotalen; |
| 293 | key->datalen = type->def_datalen; |
| 294 | key->uid = uid; |
| 295 | key->gid = gid; |
| 296 | key->perm = perm; |
| 297 | key->expiry = TIME64_MAX; |
| 298 | key->restrict_link = restrict_link; |
| 299 | key->last_used_at = ktime_get_real_seconds(); |
| 300 | |
| 301 | key->flags |= 1 << KEY_FLAG_USER_ALIVE; |
| 302 | if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) |
| 303 | key->flags |= 1 << KEY_FLAG_IN_QUOTA; |
| 304 | if (flags & KEY_ALLOC_BUILT_IN) |
| 305 | key->flags |= 1 << KEY_FLAG_BUILTIN; |
| 306 | if (flags & KEY_ALLOC_UID_KEYRING) |
| 307 | key->flags |= 1 << KEY_FLAG_UID_KEYRING; |
| 308 | if (flags & KEY_ALLOC_SET_KEEP) |
| 309 | key->flags |= 1 << KEY_FLAG_KEEP; |
| 310 | |
| 311 | #ifdef KEY_DEBUGGING |
| 312 | key->magic = KEY_DEBUG_MAGIC; |
| 313 | #endif |
| 314 | |
| 315 | /* let the security module know about the key */ |
| 316 | ret = security_key_alloc(key, cred, flags); |
| 317 | if (ret < 0) |
| 318 | goto security_error; |
| 319 | |
| 320 | /* publish the key by giving it a serial number */ |
| 321 | refcount_inc(r: &key->domain_tag->usage); |
| 322 | atomic_inc(v: &user->nkeys); |
| 323 | key_alloc_serial(key); |
| 324 | |
| 325 | error: |
| 326 | return key; |
| 327 | |
| 328 | security_error: |
| 329 | kfree(objp: key->description); |
| 330 | kmem_cache_free(s: key_jar, objp: key); |
| 331 | if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { |
| 332 | spin_lock_irqsave(&user->lock, irqflags); |
| 333 | user->qnkeys--; |
| 334 | user->qnbytes -= quotalen; |
| 335 | spin_unlock_irqrestore(lock: &user->lock, flags: irqflags); |
| 336 | } |
| 337 | key_user_put(user); |
| 338 | key = ERR_PTR(error: ret); |
| 339 | goto error; |
| 340 | |
| 341 | no_memory_3: |
| 342 | kmem_cache_free(s: key_jar, objp: key); |
| 343 | no_memory_2: |
| 344 | if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { |
| 345 | spin_lock_irqsave(&user->lock, irqflags); |
| 346 | user->qnkeys--; |
| 347 | user->qnbytes -= quotalen; |
| 348 | spin_unlock_irqrestore(lock: &user->lock, flags: irqflags); |
| 349 | } |
| 350 | key_user_put(user); |
| 351 | no_memory_1: |
| 352 | key = ERR_PTR(error: -ENOMEM); |
| 353 | goto error; |
| 354 | |
| 355 | no_quota: |
| 356 | spin_unlock_irqrestore(lock: &user->lock, flags: irqflags); |
| 357 | key_user_put(user); |
| 358 | key = ERR_PTR(error: -EDQUOT); |
| 359 | goto error; |
| 360 | } |
| 361 | EXPORT_SYMBOL(key_alloc); |
| 362 | |
| 363 | /** |
| 364 | * key_payload_reserve - Adjust data quota reservation for the key's payload |
| 365 | * @key: The key to make the reservation for. |
| 366 | * @datalen: The amount of data payload the caller now wants. |
| 367 | * |
| 368 | * Adjust the amount of the owning user's key data quota that a key reserves. |
| 369 | * If the amount is increased, then -EDQUOT may be returned if there isn't |
| 370 | * enough free quota available. |
| 371 | * |
| 372 | * If successful, 0 is returned. |
| 373 | */ |
| 374 | int key_payload_reserve(struct key *key, size_t datalen) |
| 375 | { |
| 376 | int delta = (int)datalen - key->datalen; |
| 377 | int ret = 0; |
| 378 | |
| 379 | key_check(key); |
| 380 | |
| 381 | /* contemplate the quota adjustment */ |
| 382 | if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { |
| 383 | unsigned maxbytes = uid_eq(left: key->user->uid, GLOBAL_ROOT_UID) ? |
| 384 | key_quota_root_maxbytes : key_quota_maxbytes; |
| 385 | unsigned long flags; |
| 386 | |
| 387 | spin_lock_irqsave(&key->user->lock, flags); |
| 388 | |
| 389 | if (delta > 0 && |
| 390 | (key->user->qnbytes + delta > maxbytes || |
| 391 | key->user->qnbytes + delta < key->user->qnbytes)) { |
| 392 | ret = -EDQUOT; |
| 393 | } |
| 394 | else { |
| 395 | key->user->qnbytes += delta; |
| 396 | key->quotalen += delta; |
| 397 | } |
| 398 | spin_unlock_irqrestore(lock: &key->user->lock, flags); |
| 399 | } |
| 400 | |
| 401 | /* change the recorded data length if that didn't generate an error */ |
| 402 | if (ret == 0) |
| 403 | key->datalen = datalen; |
| 404 | |
| 405 | return ret; |
| 406 | } |
| 407 | EXPORT_SYMBOL(key_payload_reserve); |
| 408 | |
| 409 | /* |
| 410 | * Change the key state to being instantiated. |
| 411 | */ |
| 412 | static void mark_key_instantiated(struct key *key, int reject_error) |
| 413 | { |
| 414 | /* Commit the payload before setting the state; barrier versus |
| 415 | * key_read_state(). |
| 416 | */ |
| 417 | smp_store_release(&key->state, |
| 418 | (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); |
| 419 | } |
| 420 | |
| 421 | /* |
| 422 | * Instantiate a key and link it into the target keyring atomically. Must be |
| 423 | * called with the target keyring's semaphore writelocked. The target key's |
| 424 | * semaphore need not be locked as instantiation is serialised by |
| 425 | * key_construction_mutex. |
| 426 | */ |
| 427 | static int __key_instantiate_and_link(struct key *key, |
| 428 | struct key_preparsed_payload *prep, |
| 429 | struct key *keyring, |
| 430 | struct key *authkey, |
| 431 | struct assoc_array_edit **_edit) |
| 432 | { |
| 433 | int ret, awaken; |
| 434 | |
| 435 | key_check(key); |
| 436 | key_check(keyring); |
| 437 | |
| 438 | awaken = 0; |
| 439 | ret = -EBUSY; |
| 440 | |
| 441 | mutex_lock(lock: &key_construction_mutex); |
| 442 | |
| 443 | /* can't instantiate twice */ |
| 444 | if (key->state == KEY_IS_UNINSTANTIATED) { |
| 445 | /* instantiate the key */ |
| 446 | ret = key->type->instantiate(key, prep); |
| 447 | |
| 448 | if (ret == 0) { |
| 449 | /* mark the key as being instantiated */ |
| 450 | atomic_inc(v: &key->user->nikeys); |
| 451 | mark_key_instantiated(key, reject_error: 0); |
| 452 | notify_key(key, subtype: NOTIFY_KEY_INSTANTIATED, aux: 0); |
| 453 | |
| 454 | if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, addr: &key->flags)) |
| 455 | awaken = 1; |
| 456 | |
| 457 | /* and link it into the destination keyring */ |
| 458 | if (keyring) { |
| 459 | if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) |
| 460 | set_bit(KEY_FLAG_KEEP, addr: &key->flags); |
| 461 | |
| 462 | __key_link(keyring, key, _edit); |
| 463 | } |
| 464 | |
| 465 | /* disable the authorisation key */ |
| 466 | if (authkey) |
| 467 | key_invalidate(key: authkey); |
| 468 | |
| 469 | if (prep->expiry != TIME64_MAX) |
| 470 | key_set_expiry(key, expiry: prep->expiry); |
| 471 | } |
| 472 | } |
| 473 | |
| 474 | mutex_unlock(lock: &key_construction_mutex); |
| 475 | |
| 476 | /* wake up anyone waiting for a key to be constructed */ |
| 477 | if (awaken) |
| 478 | wake_up_bit(word: &key->flags, KEY_FLAG_USER_CONSTRUCT); |
| 479 | |
| 480 | return ret; |
| 481 | } |
| 482 | |
| 483 | /** |
| 484 | * key_instantiate_and_link - Instantiate a key and link it into the keyring. |
| 485 | * @key: The key to instantiate. |
| 486 | * @data: The data to use to instantiate the keyring. |
| 487 | * @datalen: The length of @data. |
| 488 | * @keyring: Keyring to create a link in on success (or NULL). |
| 489 | * @authkey: The authorisation token permitting instantiation. |
| 490 | * |
| 491 | * Instantiate a key that's in the uninstantiated state using the provided data |
| 492 | * and, if successful, link it in to the destination keyring if one is |
| 493 | * supplied. |
| 494 | * |
| 495 | * If successful, 0 is returned, the authorisation token is revoked and anyone |
| 496 | * waiting for the key is woken up. If the key was already instantiated, |
| 497 | * -EBUSY will be returned. |
| 498 | */ |
| 499 | int key_instantiate_and_link(struct key *key, |
| 500 | const void *data, |
| 501 | size_t datalen, |
| 502 | struct key *keyring, |
| 503 | struct key *authkey) |
| 504 | { |
| 505 | struct key_preparsed_payload prep; |
| 506 | struct assoc_array_edit *edit = NULL; |
| 507 | int ret; |
| 508 | |
| 509 | memset(s: &prep, c: 0, n: sizeof(prep)); |
| 510 | prep.orig_description = key->description; |
| 511 | prep.data = data; |
| 512 | prep.datalen = datalen; |
| 513 | prep.quotalen = key->type->def_datalen; |
| 514 | prep.expiry = TIME64_MAX; |
| 515 | if (key->type->preparse) { |
| 516 | ret = key->type->preparse(&prep); |
| 517 | if (ret < 0) |
| 518 | goto error; |
| 519 | } |
| 520 | |
| 521 | if (keyring) { |
| 522 | ret = __key_link_lock(keyring, index_key: &key->index_key); |
| 523 | if (ret < 0) |
| 524 | goto error; |
| 525 | |
| 526 | ret = __key_link_begin(keyring, index_key: &key->index_key, edit: &edit); |
| 527 | if (ret < 0) |
| 528 | goto error_link_end; |
| 529 | |
| 530 | if (keyring->restrict_link && keyring->restrict_link->check) { |
| 531 | struct key_restriction *keyres = keyring->restrict_link; |
| 532 | |
| 533 | ret = keyres->check(keyring, key->type, &prep.payload, |
| 534 | keyres->key); |
| 535 | if (ret < 0) |
| 536 | goto error_link_end; |
| 537 | } |
| 538 | } |
| 539 | |
| 540 | ret = __key_instantiate_and_link(key, prep: &prep, keyring, authkey, edit: &edit); |
| 541 | |
| 542 | error_link_end: |
| 543 | if (keyring) |
| 544 | __key_link_end(keyring, index_key: &key->index_key, edit); |
| 545 | |
| 546 | error: |
| 547 | if (key->type->preparse) |
| 548 | key->type->free_preparse(&prep); |
| 549 | return ret; |
| 550 | } |
| 551 | |
| 552 | EXPORT_SYMBOL(key_instantiate_and_link); |
| 553 | |
| 554 | /** |
| 555 | * key_reject_and_link - Negatively instantiate a key and link it into the keyring. |
| 556 | * @key: The key to instantiate. |
| 557 | * @timeout: The timeout on the negative key. |
| 558 | * @error: The error to return when the key is hit. |
| 559 | * @keyring: Keyring to create a link in on success (or NULL). |
| 560 | * @authkey: The authorisation token permitting instantiation. |
| 561 | * |
| 562 | * Negatively instantiate a key that's in the uninstantiated state and, if |
| 563 | * successful, set its timeout and stored error and link it in to the |
| 564 | * destination keyring if one is supplied. The key and any links to the key |
| 565 | * will be automatically garbage collected after the timeout expires. |
| 566 | * |
| 567 | * Negative keys are used to rate limit repeated request_key() calls by causing |
| 568 | * them to return the stored error code (typically ENOKEY) until the negative |
| 569 | * key expires. |
| 570 | * |
| 571 | * If successful, 0 is returned, the authorisation token is revoked and anyone |
| 572 | * waiting for the key is woken up. If the key was already instantiated, |
| 573 | * -EBUSY will be returned. |
| 574 | */ |
| 575 | int key_reject_and_link(struct key *key, |
| 576 | unsigned timeout, |
| 577 | unsigned error, |
| 578 | struct key *keyring, |
| 579 | struct key *authkey) |
| 580 | { |
| 581 | struct assoc_array_edit *edit = NULL; |
| 582 | int ret, awaken, link_ret = 0; |
| 583 | |
| 584 | key_check(key); |
| 585 | key_check(keyring); |
| 586 | |
| 587 | awaken = 0; |
| 588 | ret = -EBUSY; |
| 589 | |
| 590 | if (keyring) { |
| 591 | if (keyring->restrict_link) |
| 592 | return -EPERM; |
| 593 | |
| 594 | link_ret = __key_link_lock(keyring, index_key: &key->index_key); |
| 595 | if (link_ret == 0) { |
| 596 | link_ret = __key_link_begin(keyring, index_key: &key->index_key, edit: &edit); |
| 597 | if (link_ret < 0) |
| 598 | __key_link_end(keyring, index_key: &key->index_key, edit); |
| 599 | } |
| 600 | } |
| 601 | |
| 602 | mutex_lock(lock: &key_construction_mutex); |
| 603 | |
| 604 | /* can't instantiate twice */ |
| 605 | if (key->state == KEY_IS_UNINSTANTIATED) { |
| 606 | /* mark the key as being negatively instantiated */ |
| 607 | atomic_inc(v: &key->user->nikeys); |
| 608 | mark_key_instantiated(key, reject_error: -error); |
| 609 | notify_key(key, subtype: NOTIFY_KEY_INSTANTIATED, aux: -error); |
| 610 | key_set_expiry(key, expiry: ktime_get_real_seconds() + timeout); |
| 611 | |
| 612 | if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, addr: &key->flags)) |
| 613 | awaken = 1; |
| 614 | |
| 615 | ret = 0; |
| 616 | |
| 617 | /* and link it into the destination keyring */ |
| 618 | if (keyring && link_ret == 0) |
| 619 | __key_link(keyring, key, edit: &edit); |
| 620 | |
| 621 | /* disable the authorisation key */ |
| 622 | if (authkey) |
| 623 | key_invalidate(key: authkey); |
| 624 | } |
| 625 | |
| 626 | mutex_unlock(lock: &key_construction_mutex); |
| 627 | |
| 628 | if (keyring && link_ret == 0) |
| 629 | __key_link_end(keyring, index_key: &key->index_key, edit); |
| 630 | |
| 631 | /* wake up anyone waiting for a key to be constructed */ |
| 632 | if (awaken) |
| 633 | wake_up_bit(word: &key->flags, KEY_FLAG_USER_CONSTRUCT); |
| 634 | |
| 635 | return ret == 0 ? link_ret : ret; |
| 636 | } |
| 637 | EXPORT_SYMBOL(key_reject_and_link); |
| 638 | |
| 639 | /** |
| 640 | * key_put - Discard a reference to a key. |
| 641 | * @key: The key to discard a reference from. |
| 642 | * |
| 643 | * Discard a reference to a key, and when all the references are gone, we |
| 644 | * schedule the cleanup task to come and pull it out of the tree in process |
| 645 | * context at some later time. |
| 646 | */ |
| 647 | void key_put(struct key *key) |
| 648 | { |
| 649 | if (key) { |
| 650 | key_check(key); |
| 651 | |
| 652 | if (refcount_dec_and_test(r: &key->usage)) { |
| 653 | unsigned long flags; |
| 654 | |
| 655 | /* deal with the user's key tracking and quota */ |
| 656 | if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { |
| 657 | spin_lock_irqsave(&key->user->lock, flags); |
| 658 | key->user->qnkeys--; |
| 659 | key->user->qnbytes -= key->quotalen; |
| 660 | spin_unlock_irqrestore(lock: &key->user->lock, flags); |
| 661 | } |
| 662 | /* Mark key as safe for GC after key->user done. */ |
| 663 | clear_bit_unlock(KEY_FLAG_USER_ALIVE, addr: &key->flags); |
| 664 | schedule_work(work: &key_gc_work); |
| 665 | } |
| 666 | } |
| 667 | } |
| 668 | EXPORT_SYMBOL(key_put); |
| 669 | |
| 670 | /* |
| 671 | * Find a key by its serial number. |
| 672 | */ |
| 673 | struct key *key_lookup(key_serial_t id) |
| 674 | { |
| 675 | struct rb_node *n; |
| 676 | struct key *key; |
| 677 | |
| 678 | spin_lock(lock: &key_serial_lock); |
| 679 | |
| 680 | /* search the tree for the specified key */ |
| 681 | n = key_serial_tree.rb_node; |
| 682 | while (n) { |
| 683 | key = rb_entry(n, struct key, serial_node); |
| 684 | |
| 685 | if (id < key->serial) |
| 686 | n = n->rb_left; |
| 687 | else if (id > key->serial) |
| 688 | n = n->rb_right; |
| 689 | else |
| 690 | goto found; |
| 691 | } |
| 692 | |
| 693 | not_found: |
| 694 | key = ERR_PTR(error: -ENOKEY); |
| 695 | goto error; |
| 696 | |
| 697 | found: |
| 698 | /* A key is allowed to be looked up only if someone still owns a |
| 699 | * reference to it - otherwise it's awaiting the gc. |
| 700 | */ |
| 701 | if (!refcount_inc_not_zero(r: &key->usage)) |
| 702 | goto not_found; |
| 703 | |
| 704 | error: |
| 705 | spin_unlock(lock: &key_serial_lock); |
| 706 | return key; |
| 707 | } |
| 708 | EXPORT_SYMBOL(key_lookup); |
| 709 | |
| 710 | /* |
| 711 | * Find and lock the specified key type against removal. |
| 712 | * |
| 713 | * We return with the sem read-locked if successful. If the type wasn't |
| 714 | * available -ENOKEY is returned instead. |
| 715 | */ |
| 716 | struct key_type *key_type_lookup(const char *type) |
| 717 | { |
| 718 | struct key_type *ktype; |
| 719 | |
| 720 | down_read(sem: &key_types_sem); |
| 721 | |
| 722 | /* look up the key type to see if it's one of the registered kernel |
| 723 | * types */ |
| 724 | list_for_each_entry(ktype, &key_types_list, link) { |
| 725 | if (strcmp(ktype->name, type) == 0) |
| 726 | goto found_kernel_type; |
| 727 | } |
| 728 | |
| 729 | up_read(sem: &key_types_sem); |
| 730 | ktype = ERR_PTR(error: -ENOKEY); |
| 731 | |
| 732 | found_kernel_type: |
| 733 | return ktype; |
| 734 | } |
| 735 | |
| 736 | void key_set_timeout(struct key *key, unsigned timeout) |
| 737 | { |
| 738 | time64_t expiry = TIME64_MAX; |
| 739 | |
| 740 | /* make the changes with the locks held to prevent races */ |
| 741 | down_write(sem: &key->sem); |
| 742 | |
| 743 | if (timeout > 0) |
| 744 | expiry = ktime_get_real_seconds() + timeout; |
| 745 | key_set_expiry(key, expiry); |
| 746 | |
| 747 | up_write(sem: &key->sem); |
| 748 | } |
| 749 | EXPORT_SYMBOL_GPL(key_set_timeout); |
| 750 | |
| 751 | /* |
| 752 | * Unlock a key type locked by key_type_lookup(). |
| 753 | */ |
| 754 | void key_type_put(struct key_type *ktype) |
| 755 | { |
| 756 | up_read(sem: &key_types_sem); |
| 757 | } |
| 758 | |
| 759 | /* |
| 760 | * Attempt to update an existing key. |
| 761 | * |
| 762 | * The key is given to us with an incremented refcount that we need to discard |
| 763 | * if we get an error. |
| 764 | */ |
| 765 | static inline key_ref_t __key_update(key_ref_t key_ref, |
| 766 | struct key_preparsed_payload *prep) |
| 767 | { |
| 768 | struct key *key = key_ref_to_ptr(key_ref); |
| 769 | int ret; |
| 770 | |
| 771 | /* need write permission on the key to update it */ |
| 772 | ret = key_permission(key_ref, need_perm: KEY_NEED_WRITE); |
| 773 | if (ret < 0) |
| 774 | goto error; |
| 775 | |
| 776 | ret = -EEXIST; |
| 777 | if (!key->type->update) |
| 778 | goto error; |
| 779 | |
| 780 | down_write(sem: &key->sem); |
| 781 | |
| 782 | ret = key->type->update(key, prep); |
| 783 | if (ret == 0) { |
| 784 | /* Updating a negative key positively instantiates it */ |
| 785 | mark_key_instantiated(key, reject_error: 0); |
| 786 | notify_key(key, subtype: NOTIFY_KEY_UPDATED, aux: 0); |
| 787 | } |
| 788 | |
| 789 | up_write(sem: &key->sem); |
| 790 | |
| 791 | if (ret < 0) |
| 792 | goto error; |
| 793 | out: |
| 794 | return key_ref; |
| 795 | |
| 796 | error: |
| 797 | key_put(key); |
| 798 | key_ref = ERR_PTR(error: ret); |
| 799 | goto out; |
| 800 | } |
| 801 | |
| 802 | /* |
| 803 | * Create or potentially update a key. The combined logic behind |
| 804 | * key_create_or_update() and key_create() |
| 805 | */ |
| 806 | static key_ref_t __key_create_or_update(key_ref_t keyring_ref, |
| 807 | const char *type, |
| 808 | const char *description, |
| 809 | const void *payload, |
| 810 | size_t plen, |
| 811 | key_perm_t perm, |
| 812 | unsigned long flags, |
| 813 | bool allow_update) |
| 814 | { |
| 815 | struct keyring_index_key index_key = { |
| 816 | .description = description, |
| 817 | }; |
| 818 | struct key_preparsed_payload prep; |
| 819 | struct assoc_array_edit *edit = NULL; |
| 820 | const struct cred *cred = current_cred(); |
| 821 | struct key *keyring, *key = NULL; |
| 822 | key_ref_t key_ref; |
| 823 | int ret; |
| 824 | struct key_restriction *restrict_link = NULL; |
| 825 | |
| 826 | /* look up the key type to see if it's one of the registered kernel |
| 827 | * types */ |
| 828 | index_key.type = key_type_lookup(type); |
| 829 | if (IS_ERR(ptr: index_key.type)) { |
| 830 | key_ref = ERR_PTR(error: -ENODEV); |
| 831 | goto error; |
| 832 | } |
| 833 | |
| 834 | key_ref = ERR_PTR(error: -EINVAL); |
| 835 | if (!index_key.type->instantiate || |
| 836 | (!index_key.description && !index_key.type->preparse)) |
| 837 | goto error_put_type; |
| 838 | |
| 839 | keyring = key_ref_to_ptr(key_ref: keyring_ref); |
| 840 | |
| 841 | key_check(keyring); |
| 842 | |
| 843 | if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) |
| 844 | restrict_link = keyring->restrict_link; |
| 845 | |
| 846 | key_ref = ERR_PTR(error: -ENOTDIR); |
| 847 | if (keyring->type != &key_type_keyring) |
| 848 | goto error_put_type; |
| 849 | |
| 850 | memset(s: &prep, c: 0, n: sizeof(prep)); |
| 851 | prep.orig_description = description; |
| 852 | prep.data = payload; |
| 853 | prep.datalen = plen; |
| 854 | prep.quotalen = index_key.type->def_datalen; |
| 855 | prep.expiry = TIME64_MAX; |
| 856 | if (index_key.type->preparse) { |
| 857 | ret = index_key.type->preparse(&prep); |
| 858 | if (ret < 0) { |
| 859 | key_ref = ERR_PTR(error: ret); |
| 860 | goto error_free_prep; |
| 861 | } |
| 862 | if (!index_key.description) |
| 863 | index_key.description = prep.description; |
| 864 | key_ref = ERR_PTR(error: -EINVAL); |
| 865 | if (!index_key.description) |
| 866 | goto error_free_prep; |
| 867 | } |
| 868 | index_key.desc_len = strlen(index_key.description); |
| 869 | key_set_index_key(index_key: &index_key); |
| 870 | |
| 871 | ret = __key_link_lock(keyring, index_key: &index_key); |
| 872 | if (ret < 0) { |
| 873 | key_ref = ERR_PTR(error: ret); |
| 874 | goto error_free_prep; |
| 875 | } |
| 876 | |
| 877 | ret = __key_link_begin(keyring, index_key: &index_key, edit: &edit); |
| 878 | if (ret < 0) { |
| 879 | key_ref = ERR_PTR(error: ret); |
| 880 | goto error_link_end; |
| 881 | } |
| 882 | |
| 883 | if (restrict_link && restrict_link->check) { |
| 884 | ret = restrict_link->check(keyring, index_key.type, |
| 885 | &prep.payload, restrict_link->key); |
| 886 | if (ret < 0) { |
| 887 | key_ref = ERR_PTR(error: ret); |
| 888 | goto error_link_end; |
| 889 | } |
| 890 | } |
| 891 | |
| 892 | /* if we're going to allocate a new key, we're going to have |
| 893 | * to modify the keyring */ |
| 894 | ret = key_permission(key_ref: keyring_ref, need_perm: KEY_NEED_WRITE); |
| 895 | if (ret < 0) { |
| 896 | key_ref = ERR_PTR(error: ret); |
| 897 | goto error_link_end; |
| 898 | } |
| 899 | |
| 900 | /* if it's requested and possible to update this type of key, search |
| 901 | * for an existing key of the same type and description in the |
| 902 | * destination keyring and update that instead if possible |
| 903 | */ |
| 904 | if (allow_update) { |
| 905 | if (index_key.type->update) { |
| 906 | key_ref = find_key_to_update(keyring_ref, index_key: &index_key); |
| 907 | if (key_ref) |
| 908 | goto found_matching_key; |
| 909 | } |
| 910 | } else { |
| 911 | key_ref = find_key_to_update(keyring_ref, index_key: &index_key); |
| 912 | if (key_ref) { |
| 913 | key_ref_put(key_ref); |
| 914 | key_ref = ERR_PTR(error: -EEXIST); |
| 915 | goto error_link_end; |
| 916 | } |
| 917 | } |
| 918 | |
| 919 | /* if the client doesn't provide, decide on the permissions we want */ |
| 920 | if (perm == KEY_PERM_UNDEF) { |
| 921 | perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; |
| 922 | perm |= KEY_USR_VIEW; |
| 923 | |
| 924 | if (index_key.type->read) |
| 925 | perm |= KEY_POS_READ; |
| 926 | |
| 927 | if (index_key.type == &key_type_keyring || |
| 928 | index_key.type->update) |
| 929 | perm |= KEY_POS_WRITE; |
| 930 | } |
| 931 | |
| 932 | /* allocate a new key */ |
| 933 | key = key_alloc(index_key.type, index_key.description, |
| 934 | cred->fsuid, cred->fsgid, cred, perm, flags, NULL); |
| 935 | if (IS_ERR(ptr: key)) { |
| 936 | key_ref = ERR_CAST(ptr: key); |
| 937 | goto error_link_end; |
| 938 | } |
| 939 | |
| 940 | /* instantiate it and link it into the target keyring */ |
| 941 | ret = __key_instantiate_and_link(key, prep: &prep, keyring, NULL, edit: &edit); |
| 942 | if (ret < 0) { |
| 943 | key_put(key); |
| 944 | key_ref = ERR_PTR(error: ret); |
| 945 | goto error_link_end; |
| 946 | } |
| 947 | |
| 948 | security_key_post_create_or_update(keyring, key, payload, payload_len: plen, flags, |
| 949 | create: true); |
| 950 | |
| 951 | key_ref = make_key_ref(key, possession: is_key_possessed(key_ref: keyring_ref)); |
| 952 | |
| 953 | error_link_end: |
| 954 | __key_link_end(keyring, index_key: &index_key, edit); |
| 955 | error_free_prep: |
| 956 | if (index_key.type->preparse) |
| 957 | index_key.type->free_preparse(&prep); |
| 958 | error_put_type: |
| 959 | key_type_put(ktype: index_key.type); |
| 960 | error: |
| 961 | return key_ref; |
| 962 | |
| 963 | found_matching_key: |
| 964 | /* we found a matching key, so we're going to try to update it |
| 965 | * - we can drop the locks first as we have the key pinned |
| 966 | */ |
| 967 | __key_link_end(keyring, index_key: &index_key, edit); |
| 968 | |
| 969 | key = key_ref_to_ptr(key_ref); |
| 970 | if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { |
| 971 | ret = wait_for_key_construction(key, intr: true); |
| 972 | if (ret < 0) { |
| 973 | key_ref_put(key_ref); |
| 974 | key_ref = ERR_PTR(error: ret); |
| 975 | goto error_free_prep; |
| 976 | } |
| 977 | } |
| 978 | |
| 979 | key_ref = __key_update(key_ref, prep: &prep); |
| 980 | |
| 981 | if (!IS_ERR(ptr: key_ref)) |
| 982 | security_key_post_create_or_update(keyring, key, payload, payload_len: plen, |
| 983 | flags, create: false); |
| 984 | |
| 985 | goto error_free_prep; |
| 986 | } |
| 987 | |
| 988 | /** |
| 989 | * key_create_or_update - Update or create and instantiate a key. |
| 990 | * @keyring_ref: A pointer to the destination keyring with possession flag. |
| 991 | * @type: The type of key. |
| 992 | * @description: The searchable description for the key. |
| 993 | * @payload: The data to use to instantiate or update the key. |
| 994 | * @plen: The length of @payload. |
| 995 | * @perm: The permissions mask for a new key. |
| 996 | * @flags: The quota flags for a new key. |
| 997 | * |
| 998 | * Search the destination keyring for a key of the same description and if one |
| 999 | * is found, update it, otherwise create and instantiate a new one and create a |
| 1000 | * link to it from that keyring. |
| 1001 | * |
| 1002 | * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be |
| 1003 | * concocted. |
| 1004 | * |
| 1005 | * Returns a pointer to the new key if successful, -ENODEV if the key type |
| 1006 | * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the |
| 1007 | * caller isn't permitted to modify the keyring or the LSM did not permit |
| 1008 | * creation of the key. |
| 1009 | * |
| 1010 | * On success, the possession flag from the keyring ref will be tacked on to |
| 1011 | * the key ref before it is returned. |
| 1012 | */ |
| 1013 | key_ref_t key_create_or_update(key_ref_t keyring_ref, |
| 1014 | const char *type, |
| 1015 | const char *description, |
| 1016 | const void *payload, |
| 1017 | size_t plen, |
| 1018 | key_perm_t perm, |
| 1019 | unsigned long flags) |
| 1020 | { |
| 1021 | return __key_create_or_update(keyring_ref, type, description, payload, |
| 1022 | plen, perm, flags, allow_update: true); |
| 1023 | } |
| 1024 | EXPORT_SYMBOL(key_create_or_update); |
| 1025 | |
| 1026 | /** |
| 1027 | * key_create - Create and instantiate a key. |
| 1028 | * @keyring_ref: A pointer to the destination keyring with possession flag. |
| 1029 | * @type: The type of key. |
| 1030 | * @description: The searchable description for the key. |
| 1031 | * @payload: The data to use to instantiate or update the key. |
| 1032 | * @plen: The length of @payload. |
| 1033 | * @perm: The permissions mask for a new key. |
| 1034 | * @flags: The quota flags for a new key. |
| 1035 | * |
| 1036 | * Create and instantiate a new key and link to it from the destination keyring. |
| 1037 | * |
| 1038 | * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be |
| 1039 | * concocted. |
| 1040 | * |
| 1041 | * Returns a pointer to the new key if successful, -EEXIST if a key with the |
| 1042 | * same description already exists, -ENODEV if the key type wasn't available, |
| 1043 | * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't |
| 1044 | * permitted to modify the keyring or the LSM did not permit creation of the |
| 1045 | * key. |
| 1046 | * |
| 1047 | * On success, the possession flag from the keyring ref will be tacked on to |
| 1048 | * the key ref before it is returned. |
| 1049 | */ |
| 1050 | key_ref_t key_create(key_ref_t keyring_ref, |
| 1051 | const char *type, |
| 1052 | const char *description, |
| 1053 | const void *payload, |
| 1054 | size_t plen, |
| 1055 | key_perm_t perm, |
| 1056 | unsigned long flags) |
| 1057 | { |
| 1058 | return __key_create_or_update(keyring_ref, type, description, payload, |
| 1059 | plen, perm, flags, allow_update: false); |
| 1060 | } |
| 1061 | EXPORT_SYMBOL(key_create); |
| 1062 | |
| 1063 | /** |
| 1064 | * key_update - Update a key's contents. |
| 1065 | * @key_ref: The pointer (plus possession flag) to the key. |
| 1066 | * @payload: The data to be used to update the key. |
| 1067 | * @plen: The length of @payload. |
| 1068 | * |
| 1069 | * Attempt to update the contents of a key with the given payload data. The |
| 1070 | * caller must be granted Write permission on the key. Negative keys can be |
| 1071 | * instantiated by this method. |
| 1072 | * |
| 1073 | * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key |
| 1074 | * type does not support updating. The key type may return other errors. |
| 1075 | */ |
| 1076 | int key_update(key_ref_t key_ref, const void *payload, size_t plen) |
| 1077 | { |
| 1078 | struct key_preparsed_payload prep; |
| 1079 | struct key *key = key_ref_to_ptr(key_ref); |
| 1080 | int ret; |
| 1081 | |
| 1082 | key_check(key); |
| 1083 | |
| 1084 | /* the key must be writable */ |
| 1085 | ret = key_permission(key_ref, need_perm: KEY_NEED_WRITE); |
| 1086 | if (ret < 0) |
| 1087 | return ret; |
| 1088 | |
| 1089 | /* attempt to update it if supported */ |
| 1090 | if (!key->type->update) |
| 1091 | return -EOPNOTSUPP; |
| 1092 | |
| 1093 | memset(s: &prep, c: 0, n: sizeof(prep)); |
| 1094 | prep.data = payload; |
| 1095 | prep.datalen = plen; |
| 1096 | prep.quotalen = key->type->def_datalen; |
| 1097 | prep.expiry = TIME64_MAX; |
| 1098 | if (key->type->preparse) { |
| 1099 | ret = key->type->preparse(&prep); |
| 1100 | if (ret < 0) |
| 1101 | goto error; |
| 1102 | } |
| 1103 | |
| 1104 | down_write(sem: &key->sem); |
| 1105 | |
| 1106 | ret = key->type->update(key, &prep); |
| 1107 | if (ret == 0) { |
| 1108 | /* Updating a negative key positively instantiates it */ |
| 1109 | mark_key_instantiated(key, reject_error: 0); |
| 1110 | notify_key(key, subtype: NOTIFY_KEY_UPDATED, aux: 0); |
| 1111 | } |
| 1112 | |
| 1113 | up_write(sem: &key->sem); |
| 1114 | |
| 1115 | error: |
| 1116 | if (key->type->preparse) |
| 1117 | key->type->free_preparse(&prep); |
| 1118 | return ret; |
| 1119 | } |
| 1120 | EXPORT_SYMBOL(key_update); |
| 1121 | |
| 1122 | /** |
| 1123 | * key_revoke - Revoke a key. |
| 1124 | * @key: The key to be revoked. |
| 1125 | * |
| 1126 | * Mark a key as being revoked and ask the type to free up its resources. The |
| 1127 | * revocation timeout is set and the key and all its links will be |
| 1128 | * automatically garbage collected after key_gc_delay amount of time if they |
| 1129 | * are not manually dealt with first. |
| 1130 | */ |
| 1131 | void key_revoke(struct key *key) |
| 1132 | { |
| 1133 | time64_t time; |
| 1134 | |
| 1135 | key_check(key); |
| 1136 | |
| 1137 | /* make sure no one's trying to change or use the key when we mark it |
| 1138 | * - we tell lockdep that we might nest because we might be revoking an |
| 1139 | * authorisation key whilst holding the sem on a key we've just |
| 1140 | * instantiated |
| 1141 | */ |
| 1142 | down_write_nested(&key->sem, 1); |
| 1143 | if (!test_and_set_bit(KEY_FLAG_REVOKED, addr: &key->flags)) { |
| 1144 | notify_key(key, subtype: NOTIFY_KEY_REVOKED, aux: 0); |
| 1145 | if (key->type->revoke) |
| 1146 | key->type->revoke(key); |
| 1147 | |
| 1148 | /* set the death time to no more than the expiry time */ |
| 1149 | time = ktime_get_real_seconds(); |
| 1150 | if (key->revoked_at == 0 || key->revoked_at > time) { |
| 1151 | key->revoked_at = time; |
| 1152 | key_schedule_gc(gc_at: key->revoked_at + key_gc_delay); |
| 1153 | } |
| 1154 | } |
| 1155 | |
| 1156 | up_write(sem: &key->sem); |
| 1157 | } |
| 1158 | EXPORT_SYMBOL(key_revoke); |
| 1159 | |
| 1160 | /** |
| 1161 | * key_invalidate - Invalidate a key. |
| 1162 | * @key: The key to be invalidated. |
| 1163 | * |
| 1164 | * Mark a key as being invalidated and have it cleaned up immediately. The key |
| 1165 | * is ignored by all searches and other operations from this point. |
| 1166 | */ |
| 1167 | void key_invalidate(struct key *key) |
| 1168 | { |
| 1169 | kenter("%d", key_serial(key)); |
| 1170 | |
| 1171 | key_check(key); |
| 1172 | |
| 1173 | if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) { |
| 1174 | down_write_nested(&key->sem, 1); |
| 1175 | if (!test_and_set_bit(KEY_FLAG_INVALIDATED, addr: &key->flags)) { |
| 1176 | notify_key(key, subtype: NOTIFY_KEY_INVALIDATED, aux: 0); |
| 1177 | key_schedule_gc_links(); |
| 1178 | } |
| 1179 | up_write(sem: &key->sem); |
| 1180 | } |
| 1181 | } |
| 1182 | EXPORT_SYMBOL(key_invalidate); |
| 1183 | |
| 1184 | /** |
| 1185 | * generic_key_instantiate - Simple instantiation of a key from preparsed data |
| 1186 | * @key: The key to be instantiated |
| 1187 | * @prep: The preparsed data to load. |
| 1188 | * |
| 1189 | * Instantiate a key from preparsed data. We assume we can just copy the data |
| 1190 | * in directly and clear the old pointers. |
| 1191 | * |
| 1192 | * This can be pointed to directly by the key type instantiate op pointer. |
| 1193 | */ |
| 1194 | int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep) |
| 1195 | { |
| 1196 | int ret; |
| 1197 | |
| 1198 | pr_devel("==>%s()\n", __func__); |
| 1199 | |
| 1200 | ret = key_payload_reserve(key, prep->quotalen); |
| 1201 | if (ret == 0) { |
| 1202 | rcu_assign_keypointer(key, prep->payload.data[0]); |
| 1203 | key->payload.data[1] = prep->payload.data[1]; |
| 1204 | key->payload.data[2] = prep->payload.data[2]; |
| 1205 | key->payload.data[3] = prep->payload.data[3]; |
| 1206 | prep->payload.data[0] = NULL; |
| 1207 | prep->payload.data[1] = NULL; |
| 1208 | prep->payload.data[2] = NULL; |
| 1209 | prep->payload.data[3] = NULL; |
| 1210 | } |
| 1211 | pr_devel("<==%s() = %d\n", __func__, ret); |
| 1212 | return ret; |
| 1213 | } |
| 1214 | EXPORT_SYMBOL(generic_key_instantiate); |
| 1215 | |
| 1216 | /** |
| 1217 | * register_key_type - Register a type of key. |
| 1218 | * @ktype: The new key type. |
| 1219 | * |
| 1220 | * Register a new key type. |
| 1221 | * |
| 1222 | * Returns 0 on success or -EEXIST if a type of this name already exists. |
| 1223 | */ |
| 1224 | int register_key_type(struct key_type *ktype) |
| 1225 | { |
| 1226 | struct key_type *p; |
| 1227 | int ret; |
| 1228 | |
| 1229 | memset(s: &ktype->lock_class, c: 0, n: sizeof(ktype->lock_class)); |
| 1230 | |
| 1231 | ret = -EEXIST; |
| 1232 | down_write(sem: &key_types_sem); |
| 1233 | |
| 1234 | /* disallow key types with the same name */ |
| 1235 | list_for_each_entry(p, &key_types_list, link) { |
| 1236 | if (strcmp(p->name, ktype->name) == 0) |
| 1237 | goto out; |
| 1238 | } |
| 1239 | |
| 1240 | /* store the type */ |
| 1241 | list_add(new: &ktype->link, head: &key_types_list); |
| 1242 | |
| 1243 | pr_notice("Key type %s registered\n", ktype->name); |
| 1244 | ret = 0; |
| 1245 | |
| 1246 | out: |
| 1247 | up_write(sem: &key_types_sem); |
| 1248 | return ret; |
| 1249 | } |
| 1250 | EXPORT_SYMBOL(register_key_type); |
| 1251 | |
| 1252 | /** |
| 1253 | * unregister_key_type - Unregister a type of key. |
| 1254 | * @ktype: The key type. |
| 1255 | * |
| 1256 | * Unregister a key type and mark all the extant keys of this type as dead. |
| 1257 | * Those keys of this type are then destroyed to get rid of their payloads and |
| 1258 | * they and their links will be garbage collected as soon as possible. |
| 1259 | */ |
| 1260 | void unregister_key_type(struct key_type *ktype) |
| 1261 | { |
| 1262 | down_write(sem: &key_types_sem); |
| 1263 | list_del_init(entry: &ktype->link); |
| 1264 | downgrade_write(sem: &key_types_sem); |
| 1265 | key_gc_keytype(ktype); |
| 1266 | pr_notice("Key type %s unregistered\n", ktype->name); |
| 1267 | up_read(sem: &key_types_sem); |
| 1268 | } |
| 1269 | EXPORT_SYMBOL(unregister_key_type); |
| 1270 | |
| 1271 | /* |
| 1272 | * Initialise the key management state. |
| 1273 | */ |
| 1274 | void __init key_init(void) |
| 1275 | { |
| 1276 | /* allocate a slab in which we can store keys */ |
| 1277 | key_jar = kmem_cache_create("key_jar", sizeof(struct key), |
| 1278 | 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); |
| 1279 | |
| 1280 | /* add the special key types */ |
| 1281 | list_add_tail(new: &key_type_keyring.link, head: &key_types_list); |
| 1282 | list_add_tail(new: &key_type_dead.link, head: &key_types_list); |
| 1283 | list_add_tail(new: &key_type_user.link, head: &key_types_list); |
| 1284 | list_add_tail(new: &key_type_logon.link, head: &key_types_list); |
| 1285 | |
| 1286 | /* record the root user tracking */ |
| 1287 | rb_link_node(node: &root_key_user.node, |
| 1288 | NULL, |
| 1289 | rb_link: &key_user_tree.rb_node); |
| 1290 | |
| 1291 | rb_insert_color(&root_key_user.node, |
| 1292 | &key_user_tree); |
| 1293 | } |
| 1294 |
Generated on 2025-Oct-12 from project Linux revision 6.17.0 (67029a49db6c)
Powered by 
Code Browser 2.1
Generator usage only permitted with license.