1 /* keyctl.c: userspace keyctl operations
3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/syscalls.h>
17 #include <linux/keyctl.h>
19 #include <linux/err.h>
20 #include <asm/uaccess.h>
23 /*****************************************************************************/
25 * extract the description of a new key from userspace and either add it as a
26 * new key to the specified keyring or update a matching key in that keyring
27 * - the keyring must be writable
28 * - returns the new key's serial number
29 * - implements add_key()
31 asmlinkage
long sys_add_key(const char __user
*_type
,
32 const char __user
*_description
,
33 const void __user
*_payload
,
37 struct key
*keyring
, *key
;
38 char type
[32], *description
;
46 /* draw all the data into kernel space */
47 ret
= strncpy_from_user(type
, _type
, sizeof(type
) - 1);
57 dlen
= strnlen_user(_description
, PAGE_SIZE
- 1);
62 if (dlen
> PAGE_SIZE
- 1)
66 description
= kmalloc(dlen
+ 1, GFP_KERNEL
);
71 if (copy_from_user(description
, _description
, dlen
+ 1) != 0)
74 /* pull the payload in if one was supplied */
79 payload
= kmalloc(plen
, GFP_KERNEL
);
84 if (copy_from_user(payload
, _payload
, plen
) != 0)
88 /* find the target keyring (which must be writable) */
89 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
90 if (IS_ERR(keyring
)) {
91 ret
= PTR_ERR(keyring
);
95 /* create or update the requested key and add it to the target
97 key
= key_create_or_update(keyring
, type
, description
,
115 } /* end sys_add_key() */
117 /*****************************************************************************/
119 * search the process keyrings for a matching key
120 * - nested keyrings may also be searched if they have Search permission
121 * - if a key is found, it will be attached to the destination keyring if
122 * there's one specified
123 * - /sbin/request-key will be invoked if _callout_info is non-NULL
124 * - the _callout_info string will be passed to /sbin/request-key
125 * - if the _callout_info string is empty, it will be rendered as "-"
126 * - implements request_key()
128 asmlinkage
long sys_request_key(const char __user
*_type
,
129 const char __user
*_description
,
130 const char __user
*_callout_info
,
131 key_serial_t destringid
)
133 struct key_type
*ktype
;
134 struct key
*key
, *dest
;
135 char type
[32], *description
, *callout_info
;
138 /* pull the type into kernel space */
139 ret
= strncpy_from_user(type
, _type
, sizeof(type
) - 1);
148 /* pull the description into kernel space */
150 dlen
= strnlen_user(_description
, PAGE_SIZE
- 1);
155 if (dlen
> PAGE_SIZE
- 1)
159 description
= kmalloc(dlen
+ 1, GFP_KERNEL
);
164 if (copy_from_user(description
, _description
, dlen
+ 1) != 0)
167 /* pull the callout info into kernel space */
171 dlen
= strnlen_user(_callout_info
, PAGE_SIZE
- 1);
176 if (dlen
> PAGE_SIZE
- 1)
180 callout_info
= kmalloc(dlen
+ 1, GFP_KERNEL
);
185 if (copy_from_user(callout_info
, _callout_info
, dlen
+ 1) != 0)
189 /* get the destination keyring if specified */
192 dest
= lookup_user_key(NULL
, destringid
, 1, 0, KEY_WRITE
);
199 /* find the key type */
200 ktype
= key_type_lookup(type
);
202 ret
= PTR_ERR(ktype
);
207 key
= request_key_and_link(ktype
, description
, callout_info
, dest
);
227 } /* end sys_request_key() */
229 /*****************************************************************************/
231 * get the ID of the specified process keyring
232 * - the keyring must have search permission to be found
233 * - implements keyctl(KEYCTL_GET_KEYRING_ID)
235 long keyctl_get_keyring_ID(key_serial_t id
, int create
)
240 key
= lookup_user_key(NULL
, id
, create
, 0, KEY_SEARCH
);
251 } /* end keyctl_get_keyring_ID() */
253 /*****************************************************************************/
255 * join the session keyring
256 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)
258 long keyctl_join_session_keyring(const char __user
*_name
)
263 /* fetch the name from userspace */
267 nlen
= strnlen_user(_name
, PAGE_SIZE
- 1);
272 if (nlen
> PAGE_SIZE
- 1)
276 name
= kmalloc(nlen
+ 1, GFP_KERNEL
);
281 if (copy_from_user(name
, _name
, nlen
+ 1) != 0)
285 /* join the session */
286 ret
= join_session_keyring(name
);
293 } /* end keyctl_join_session_keyring() */
295 /*****************************************************************************/
297 * update a key's data payload
298 * - the key must be writable
299 * - implements keyctl(KEYCTL_UPDATE)
301 long keyctl_update_key(key_serial_t id
,
302 const void __user
*_payload
,
310 if (plen
> PAGE_SIZE
)
313 /* pull the payload in if one was supplied */
317 payload
= kmalloc(plen
, GFP_KERNEL
);
322 if (copy_from_user(payload
, _payload
, plen
) != 0)
326 /* find the target key (which must be writable) */
327 key
= lookup_user_key(NULL
, id
, 0, 0, KEY_WRITE
);
334 ret
= key_update(key
, payload
, plen
);
342 } /* end keyctl_update_key() */
344 /*****************************************************************************/
347 * - the key must be writable
348 * - implements keyctl(KEYCTL_REVOKE)
350 long keyctl_revoke_key(key_serial_t id
)
355 key
= lookup_user_key(NULL
, id
, 0, 0, KEY_WRITE
);
368 } /* end keyctl_revoke_key() */
370 /*****************************************************************************/
372 * clear the specified process keyring
373 * - the keyring must be writable
374 * - implements keyctl(KEYCTL_CLEAR)
376 long keyctl_keyring_clear(key_serial_t ringid
)
381 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
382 if (IS_ERR(keyring
)) {
383 ret
= PTR_ERR(keyring
);
387 ret
= keyring_clear(keyring
);
393 } /* end keyctl_keyring_clear() */
395 /*****************************************************************************/
397 * link a key into a keyring
398 * - the keyring must be writable
399 * - the key must be linkable
400 * - implements keyctl(KEYCTL_LINK)
402 long keyctl_keyring_link(key_serial_t id
, key_serial_t ringid
)
404 struct key
*keyring
, *key
;
407 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
408 if (IS_ERR(keyring
)) {
409 ret
= PTR_ERR(keyring
);
413 key
= lookup_user_key(NULL
, id
, 1, 0, KEY_LINK
);
419 ret
= key_link(keyring
, key
);
427 } /* end keyctl_keyring_link() */
429 /*****************************************************************************/
431 * unlink the first attachment of a key from a keyring
432 * - the keyring must be writable
433 * - we don't need any permissions on the key
434 * - implements keyctl(KEYCTL_UNLINK)
436 long keyctl_keyring_unlink(key_serial_t id
, key_serial_t ringid
)
438 struct key
*keyring
, *key
;
441 keyring
= lookup_user_key(NULL
, ringid
, 0, 0, KEY_WRITE
);
442 if (IS_ERR(keyring
)) {
443 ret
= PTR_ERR(keyring
);
447 key
= lookup_user_key(NULL
, id
, 0, 0, 0);
453 ret
= key_unlink(keyring
, key
);
461 } /* end keyctl_keyring_unlink() */
463 /*****************************************************************************/
465 * describe a user key
466 * - the key must have view permission
467 * - if there's a buffer, we place up to buflen bytes of data into it
468 * - unless there's an error, we return the amount of description available,
469 * irrespective of how much we may have copied
470 * - the description is formatted thus:
471 * type;uid;gid;perm;description<NUL>
472 * - implements keyctl(KEYCTL_DESCRIBE)
474 long keyctl_describe_key(key_serial_t keyid
,
478 struct key
*key
, *instkey
;
482 key
= lookup_user_key(NULL
, keyid
, 0, 1, KEY_VIEW
);
484 /* viewing a key under construction is permitted if we have the
485 * authorisation token handy */
486 if (PTR_ERR(key
) == -EACCES
) {
487 instkey
= key_get_instantiation_authkey(keyid
);
488 if (!IS_ERR(instkey
)) {
490 key
= lookup_user_key(NULL
, keyid
, 0, 1, 0);
501 /* calculate how much description we're going to return */
503 tmpbuf
= kmalloc(PAGE_SIZE
, GFP_KERNEL
);
507 ret
= snprintf(tmpbuf
, PAGE_SIZE
- 1,
513 key
->description
? key
->description
:""
516 /* include a NUL char at the end of the data */
517 if (ret
> PAGE_SIZE
- 1)
522 /* consider returning the data */
523 if (buffer
&& buflen
> 0) {
527 if (copy_to_user(buffer
, tmpbuf
, buflen
) != 0)
537 } /* end keyctl_describe_key() */
539 /*****************************************************************************/
541 * search the specified keyring for a matching key
542 * - the start keyring must be searchable
543 * - nested keyrings may also be searched if they are searchable
544 * - only keys with search permission may be found
545 * - if a key is found, it will be attached to the destination keyring if
546 * there's one specified
547 * - implements keyctl(KEYCTL_SEARCH)
549 long keyctl_keyring_search(key_serial_t ringid
,
550 const char __user
*_type
,
551 const char __user
*_description
,
552 key_serial_t destringid
)
554 struct key_type
*ktype
;
555 struct key
*keyring
, *key
, *dest
;
556 char type
[32], *description
;
559 /* pull the type and description into kernel space */
560 ret
= strncpy_from_user(type
, _type
, sizeof(type
) - 1);
566 dlen
= strnlen_user(_description
, PAGE_SIZE
- 1);
571 if (dlen
> PAGE_SIZE
- 1)
575 description
= kmalloc(dlen
+ 1, GFP_KERNEL
);
580 if (copy_from_user(description
, _description
, dlen
+ 1) != 0)
583 /* get the keyring at which to begin the search */
584 keyring
= lookup_user_key(NULL
, ringid
, 0, 0, KEY_SEARCH
);
585 if (IS_ERR(keyring
)) {
586 ret
= PTR_ERR(keyring
);
590 /* get the destination keyring if specified */
593 dest
= lookup_user_key(NULL
, destringid
, 1, 0, KEY_WRITE
);
600 /* find the key type */
601 ktype
= key_type_lookup(type
);
603 ret
= PTR_ERR(ktype
);
608 key
= keyring_search(keyring
, ktype
, description
);
612 /* treat lack or presence of a negative key the same */
618 /* link the resulting key to the destination keyring if we can */
621 if (!key_permission(key
, KEY_LINK
))
624 ret
= key_link(dest
, key
);
644 } /* end keyctl_keyring_search() */
646 /*****************************************************************************/
648 * see if the key we're looking at is the target key
650 static int keyctl_read_key_same(const struct key
*key
, const void *target
)
652 return key
== target
;
654 } /* end keyctl_read_key_same() */
656 /*****************************************************************************/
658 * read a user key's payload
659 * - the keyring must be readable or the key must be searchable from the
661 * - if there's a buffer, we place up to buflen bytes of data into it
662 * - unless there's an error, we return the amount of data in the key,
663 * irrespective of how much we may have copied
664 * - implements keyctl(KEYCTL_READ)
666 long keyctl_read_key(key_serial_t keyid
, char __user
*buffer
, size_t buflen
)
668 struct key
*key
, *skey
;
671 /* find the key first */
672 key
= lookup_user_key(NULL
, keyid
, 0, 0, 0);
674 /* see if we can read it directly */
675 if (key_permission(key
, KEY_READ
))
678 /* we can't; see if it's searchable from this process's
680 * - we automatically take account of the fact that it may be
681 * dangling off an instantiation key
683 skey
= search_process_keyrings(key
->type
, key
,
684 keyctl_read_key_same
, current
);
697 /* the key is probably readable - now try to read it */
701 ret
= key_validate(key
);
704 if (key
->type
->read
) {
705 /* read the data with the semaphore held (since we
707 down_read(&key
->sem
);
708 ret
= key
->type
->read(key
, buffer
, buflen
);
718 } /* end keyctl_read_key() */
720 /*****************************************************************************/
722 * change the ownership of a key
723 * - the keyring owned by the changer
724 * - if the uid or gid is -1, then that parameter is not changed
725 * - implements keyctl(KEYCTL_CHOWN)
727 long keyctl_chown_key(key_serial_t id
, uid_t uid
, gid_t gid
)
733 if (uid
== (uid_t
) -1 && gid
== (gid_t
) -1)
736 key
= lookup_user_key(NULL
, id
, 1, 1, 0);
742 /* make the changes with the locks held to prevent chown/chown races */
744 down_write(&key
->sem
);
746 if (!capable(CAP_SYS_ADMIN
)) {
747 /* only the sysadmin can chown a key to some other UID */
748 if (uid
!= (uid_t
) -1 && key
->uid
!= uid
)
751 /* only the sysadmin can set the key's GID to a group other
752 * than one of those that the current process subscribes to */
753 if (gid
!= (gid_t
) -1 && gid
!= key
->gid
&& !in_group_p(gid
))
757 /* change the UID (have to update the quotas) */
758 if (uid
!= (uid_t
) -1 && uid
!= key
->uid
) {
759 /* don't support UID changing yet */
765 if (gid
!= (gid_t
) -1)
776 } /* end keyctl_chown_key() */
778 /*****************************************************************************/
780 * change the permission mask on a key
781 * - the keyring owned by the changer
782 * - implements keyctl(KEYCTL_SETPERM)
784 long keyctl_setperm_key(key_serial_t id
, key_perm_t perm
)
790 if (perm
& ~(KEY_USR_ALL
| KEY_GRP_ALL
| KEY_OTH_ALL
))
793 key
= lookup_user_key(NULL
, id
, 1, 1, 0);
799 /* make the changes with the locks held to prevent chown/chmod races */
801 down_write(&key
->sem
);
803 /* if we're not the sysadmin, we can only change a key that we own */
804 if (capable(CAP_SYS_ADMIN
) || key
->uid
== current
->fsuid
) {
814 } /* end keyctl_setperm_key() */
816 /*****************************************************************************/
818 * instantiate the key with the specified payload, and, if one is given, link
819 * the key into the keyring
821 long keyctl_instantiate_key(key_serial_t id
,
822 const void __user
*_payload
,
826 struct request_key_auth
*rka
;
827 struct key
*instkey
, *keyring
;
835 /* pull the payload in if one was supplied */
840 payload
= kmalloc(plen
, GFP_KERNEL
);
845 if (copy_from_user(payload
, _payload
, plen
) != 0)
849 /* find the instantiation authorisation key */
850 instkey
= key_get_instantiation_authkey(id
);
851 if (IS_ERR(instkey
)) {
852 ret
= PTR_ERR(instkey
);
856 rka
= instkey
->payload
.data
;
858 /* find the destination keyring amongst those belonging to the
862 keyring
= lookup_user_key(rka
->context
, ringid
, 1, 0,
864 if (IS_ERR(keyring
)) {
865 ret
= PTR_ERR(keyring
);
870 /* instantiate the key and link it into a keyring */
871 ret
= key_instantiate_and_link(rka
->target_key
, payload
, plen
,
882 } /* end keyctl_instantiate_key() */
884 /*****************************************************************************/
886 * negatively instantiate the key with the given timeout (in seconds), and, if
887 * one is given, link the key into the keyring
889 long keyctl_negate_key(key_serial_t id
, unsigned timeout
, key_serial_t ringid
)
891 struct request_key_auth
*rka
;
892 struct key
*instkey
, *keyring
;
895 /* find the instantiation authorisation key */
896 instkey
= key_get_instantiation_authkey(id
);
897 if (IS_ERR(instkey
)) {
898 ret
= PTR_ERR(instkey
);
902 rka
= instkey
->payload
.data
;
904 /* find the destination keyring if present (which must also be
908 keyring
= lookup_user_key(NULL
, ringid
, 1, 0, KEY_WRITE
);
909 if (IS_ERR(keyring
)) {
910 ret
= PTR_ERR(keyring
);
915 /* instantiate the key and link it into a keyring */
916 ret
= key_negate_and_link(rka
->target_key
, timeout
, keyring
, instkey
);
924 } /* end keyctl_negate_key() */
926 /*****************************************************************************/
928 * set the default keyring in which request_key() will cache keys
929 * - return the old setting
931 long keyctl_set_reqkey_keyring(int reqkey_defl
)
935 switch (reqkey_defl
) {
936 case KEY_REQKEY_DEFL_THREAD_KEYRING
:
937 ret
= install_thread_keyring(current
);
942 case KEY_REQKEY_DEFL_PROCESS_KEYRING
:
943 ret
= install_process_keyring(current
);
947 case KEY_REQKEY_DEFL_DEFAULT
:
948 case KEY_REQKEY_DEFL_SESSION_KEYRING
:
949 case KEY_REQKEY_DEFL_USER_KEYRING
:
950 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING
:
952 current
->jit_keyring
= reqkey_defl
;
954 case KEY_REQKEY_DEFL_NO_CHANGE
:
955 return current
->jit_keyring
;
957 case KEY_REQKEY_DEFL_GROUP_KEYRING
:
962 } /* end keyctl_set_reqkey_keyring() */
964 /*****************************************************************************/
966 * the key control system call
968 asmlinkage
long sys_keyctl(int option
, unsigned long arg2
, unsigned long arg3
,
969 unsigned long arg4
, unsigned long arg5
)
972 case KEYCTL_GET_KEYRING_ID
:
973 return keyctl_get_keyring_ID((key_serial_t
) arg2
,
976 case KEYCTL_JOIN_SESSION_KEYRING
:
977 return keyctl_join_session_keyring((const char __user
*) arg2
);
980 return keyctl_update_key((key_serial_t
) arg2
,
981 (const void __user
*) arg3
,
985 return keyctl_revoke_key((key_serial_t
) arg2
);
987 case KEYCTL_DESCRIBE
:
988 return keyctl_describe_key((key_serial_t
) arg2
,
989 (char __user
*) arg3
,
993 return keyctl_keyring_clear((key_serial_t
) arg2
);
996 return keyctl_keyring_link((key_serial_t
) arg2
,
997 (key_serial_t
) arg3
);
1000 return keyctl_keyring_unlink((key_serial_t
) arg2
,
1001 (key_serial_t
) arg3
);
1004 return keyctl_keyring_search((key_serial_t
) arg2
,
1005 (const char __user
*) arg3
,
1006 (const char __user
*) arg4
,
1007 (key_serial_t
) arg5
);
1010 return keyctl_read_key((key_serial_t
) arg2
,
1011 (char __user
*) arg3
,
1015 return keyctl_chown_key((key_serial_t
) arg2
,
1019 case KEYCTL_SETPERM
:
1020 return keyctl_setperm_key((key_serial_t
) arg2
,
1023 case KEYCTL_INSTANTIATE
:
1024 return keyctl_instantiate_key((key_serial_t
) arg2
,
1025 (const void __user
*) arg3
,
1027 (key_serial_t
) arg5
);
1030 return keyctl_negate_key((key_serial_t
) arg2
,
1032 (key_serial_t
) arg4
);
1034 case KEYCTL_SET_REQKEY_KEYRING
:
1035 return keyctl_set_reqkey_keyring(arg2
);
1041 } /* end sys_keyctl() */