1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Request a key from userspace
4 * Copyright (C) 2004-2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
7 * See Documentation/security/keys/request-key.rst
10 #include <linux/export.h>
11 #include <linux/sched.h>
12 #include <linux/kmod.h>
13 #include <linux/err.h>
14 #include <linux/keyctl.h>
15 #include <linux/slab.h>
16 #include <net/net_namespace.h>
18 #include <keys/request_key_auth-type.h>
20 #define key_negative_timeout 60 /* default timeout on a negative key's existence */
22 static struct key
*check_cached_key(struct keyring_search_context
*ctx
)
24 #ifdef CONFIG_KEYS_REQUEST_CACHE
25 struct key
*key
= current
->cached_requested_key
;
28 ctx
->match_data
.cmp(key
, &ctx
->match_data
) &&
29 !(key
->flags
& ((1 << KEY_FLAG_INVALIDATED
) |
30 (1 << KEY_FLAG_REVOKED
))))
36 static void cache_requested_key(struct key
*key
)
38 #ifdef CONFIG_KEYS_REQUEST_CACHE
39 struct task_struct
*t
= current
;
41 key_put(t
->cached_requested_key
);
42 t
->cached_requested_key
= key_get(key
);
43 set_tsk_thread_flag(t
, TIF_NOTIFY_RESUME
);
48 * complete_request_key - Complete the construction of a key.
49 * @authkey: The authorisation key.
50 * @error: The success or failute of the construction.
52 * Complete the attempt to construct a key. The key will be negated
53 * if an error is indicated. The authorisation key will be revoked
56 void complete_request_key(struct key
*authkey
, int error
)
58 struct request_key_auth
*rka
= get_request_key_auth(authkey
);
59 struct key
*key
= rka
->target_key
;
61 kenter("%d{%d},%d", authkey
->serial
, key
->serial
, error
);
64 key_negate_and_link(key
, key_negative_timeout
, NULL
, authkey
);
68 EXPORT_SYMBOL(complete_request_key
);
71 * Initialise a usermode helper that is going to have a specific session
74 * This is called in context of freshly forked kthread before kernel_execve(),
75 * so we can simply install the desired session_keyring at this point.
77 static int umh_keys_init(struct subprocess_info
*info
, struct cred
*cred
)
79 struct key
*keyring
= info
->data
;
81 return install_session_keyring_to_cred(cred
, keyring
);
85 * Clean up a usermode helper with session keyring.
87 static void umh_keys_cleanup(struct subprocess_info
*info
)
89 struct key
*keyring
= info
->data
;
94 * Call a usermode helper with a specific session keyring.
96 static int call_usermodehelper_keys(const char *path
, char **argv
, char **envp
,
97 struct key
*session_keyring
, int wait
)
99 struct subprocess_info
*info
;
101 info
= call_usermodehelper_setup(path
, argv
, envp
, GFP_KERNEL
,
102 umh_keys_init
, umh_keys_cleanup
,
107 key_get(session_keyring
);
108 return call_usermodehelper_exec(info
, wait
);
112 * Request userspace finish the construction of a key
113 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
115 static int call_sbin_request_key(struct key
*authkey
, void *aux
)
117 static char const request_key
[] = "/sbin/request-key";
118 struct request_key_auth
*rka
= get_request_key_auth(authkey
);
119 const struct cred
*cred
= current_cred();
120 key_serial_t prkey
, sskey
;
121 struct key
*key
= rka
->target_key
, *keyring
, *session
, *user_session
;
122 char *argv
[9], *envp
[3], uid_str
[12], gid_str
[12];
123 char key_str
[12], keyring_str
[3][12];
127 kenter("{%d},{%d},%s", key
->serial
, authkey
->serial
, rka
->op
);
129 ret
= look_up_user_keyrings(NULL
, &user_session
);
133 /* allocate a new session keyring */
134 sprintf(desc
, "_req.%u", key
->serial
);
136 cred
= get_current_cred();
137 keyring
= keyring_alloc(desc
, cred
->fsuid
, cred
->fsgid
, cred
,
138 KEY_POS_ALL
| KEY_USR_VIEW
| KEY_USR_READ
,
139 KEY_ALLOC_QUOTA_OVERRUN
, NULL
, NULL
);
141 if (IS_ERR(keyring
)) {
142 ret
= PTR_ERR(keyring
);
146 /* attach the auth key to the session keyring */
147 ret
= key_link(keyring
, authkey
);
151 /* record the UID and GID */
152 sprintf(uid_str
, "%d", from_kuid(&init_user_ns
, cred
->fsuid
));
153 sprintf(gid_str
, "%d", from_kgid(&init_user_ns
, cred
->fsgid
));
155 /* we say which key is under construction */
156 sprintf(key_str
, "%d", key
->serial
);
158 /* we specify the process's default keyrings */
159 sprintf(keyring_str
[0], "%d",
160 cred
->thread_keyring
? cred
->thread_keyring
->serial
: 0);
163 if (cred
->process_keyring
)
164 prkey
= cred
->process_keyring
->serial
;
165 sprintf(keyring_str
[1], "%d", prkey
);
167 session
= cred
->session_keyring
;
169 session
= user_session
;
170 sskey
= session
->serial
;
172 sprintf(keyring_str
[2], "%d", sskey
);
174 /* set up a minimal environment */
176 envp
[i
++] = "HOME=/";
177 envp
[i
++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
180 /* set up the argument list */
182 argv
[i
++] = (char *)request_key
;
183 argv
[i
++] = (char *)rka
->op
;
187 argv
[i
++] = keyring_str
[0];
188 argv
[i
++] = keyring_str
[1];
189 argv
[i
++] = keyring_str
[2];
193 ret
= call_usermodehelper_keys(request_key
, argv
, envp
, keyring
,
195 kdebug("usermode -> 0x%x", ret
);
197 /* ret is the exit/wait code */
198 if (test_bit(KEY_FLAG_USER_CONSTRUCT
, &key
->flags
) ||
199 key_validate(key
) < 0)
202 /* ignore any errors from userspace if the key was
211 key_put(user_session
);
213 complete_request_key(authkey
, ret
);
214 kleave(" = %d", ret
);
219 * Call out to userspace for key construction.
221 * Program failure is ignored in favour of key status.
223 static int construct_key(struct key
*key
, const void *callout_info
,
224 size_t callout_len
, void *aux
,
225 struct key
*dest_keyring
)
227 request_key_actor_t actor
;
231 kenter("%d,%p,%zu,%p", key
->serial
, callout_info
, callout_len
, aux
);
233 /* allocate an authorisation key */
234 authkey
= request_key_auth_new(key
, "create", callout_info
, callout_len
,
237 return PTR_ERR(authkey
);
240 actor
= call_sbin_request_key
;
241 if (key
->type
->request_key
)
242 actor
= key
->type
->request_key
;
244 ret
= actor(authkey
, aux
);
246 /* check that the actor called complete_request_key() prior to
247 * returning an error */
249 !test_bit(KEY_FLAG_INVALIDATED
, &authkey
->flags
));
252 kleave(" = %d", ret
);
257 * Get the appropriate destination keyring for the request.
259 * The keyring selected is returned with an extra reference upon it which the
260 * caller must release.
262 static int construct_get_dest_keyring(struct key
**_dest_keyring
)
264 struct request_key_auth
*rka
;
265 const struct cred
*cred
= current_cred();
266 struct key
*dest_keyring
= *_dest_keyring
, *authkey
;
269 kenter("%p", dest_keyring
);
271 /* find the appropriate keyring */
273 /* the caller supplied one */
274 key_get(dest_keyring
);
276 bool do_perm_check
= true;
278 /* use a default keyring; falling through the cases until we
279 * find one that we actually have */
280 switch (cred
->jit_keyring
) {
281 case KEY_REQKEY_DEFL_DEFAULT
:
282 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING
:
283 if (cred
->request_key_auth
) {
284 authkey
= cred
->request_key_auth
;
285 down_read(&authkey
->sem
);
286 rka
= get_request_key_auth(authkey
);
287 if (!test_bit(KEY_FLAG_REVOKED
,
290 key_get(rka
->dest_keyring
);
291 up_read(&authkey
->sem
);
293 do_perm_check
= false;
299 case KEY_REQKEY_DEFL_THREAD_KEYRING
:
300 dest_keyring
= key_get(cred
->thread_keyring
);
305 case KEY_REQKEY_DEFL_PROCESS_KEYRING
:
306 dest_keyring
= key_get(cred
->process_keyring
);
311 case KEY_REQKEY_DEFL_SESSION_KEYRING
:
312 dest_keyring
= key_get(cred
->session_keyring
);
318 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING
:
319 ret
= look_up_user_keyrings(NULL
, &dest_keyring
);
324 case KEY_REQKEY_DEFL_USER_KEYRING
:
325 ret
= look_up_user_keyrings(&dest_keyring
, NULL
);
330 case KEY_REQKEY_DEFL_GROUP_KEYRING
:
336 * Require Write permission on the keyring. This is essential
337 * because the default keyring may be the session keyring, and
338 * joining a keyring only requires Search permission.
340 * However, this check is skipped for the "requestor keyring" so
341 * that /sbin/request-key can itself use request_key() to add
342 * keys to the original requestor's destination keyring.
344 if (dest_keyring
&& do_perm_check
) {
345 ret
= key_permission(make_key_ref(dest_keyring
, 1),
348 key_put(dest_keyring
);
354 *_dest_keyring
= dest_keyring
;
355 kleave(" [dk %d]", key_serial(dest_keyring
));
360 * Allocate a new key in under-construction state and attempt to link it in to
361 * the requested keyring.
363 * May return a key that's already under construction instead if there was a
364 * race between two thread calling request_key().
366 static int construct_alloc_key(struct keyring_search_context
*ctx
,
367 struct key
*dest_keyring
,
369 struct key_user
*user
,
372 struct assoc_array_edit
*edit
= NULL
;
379 ctx
->index_key
.type
->name
, ctx
->index_key
.description
);
382 mutex_lock(&user
->cons_lock
);
384 perm
= KEY_POS_VIEW
| KEY_POS_SEARCH
| KEY_POS_LINK
| KEY_POS_SETATTR
;
385 perm
|= KEY_USR_VIEW
;
386 if (ctx
->index_key
.type
->read
)
387 perm
|= KEY_POS_READ
;
388 if (ctx
->index_key
.type
== &key_type_keyring
||
389 ctx
->index_key
.type
->update
)
390 perm
|= KEY_POS_WRITE
;
392 key
= key_alloc(ctx
->index_key
.type
, ctx
->index_key
.description
,
393 ctx
->cred
->fsuid
, ctx
->cred
->fsgid
, ctx
->cred
,
398 set_bit(KEY_FLAG_USER_CONSTRUCT
, &key
->flags
);
401 ret
= __key_link_lock(dest_keyring
, &ctx
->index_key
);
403 goto link_lock_failed
;
404 ret
= __key_link_begin(dest_keyring
, &ctx
->index_key
, &edit
);
406 goto link_prealloc_failed
;
409 /* attach the key to the destination keyring under lock, but we do need
410 * to do another check just in case someone beat us to it whilst we
411 * waited for locks */
412 mutex_lock(&key_construction_mutex
);
415 key_ref
= search_process_keyrings_rcu(ctx
);
417 if (!IS_ERR(key_ref
))
418 goto key_already_present
;
421 __key_link(dest_keyring
, key
, &edit
);
423 mutex_unlock(&key_construction_mutex
);
425 __key_link_end(dest_keyring
, &ctx
->index_key
, edit
);
426 mutex_unlock(&user
->cons_lock
);
428 kleave(" = 0 [%d]", key_serial(key
));
431 /* the key is now present - we tell the caller that we found it by
432 * returning -EINPROGRESS */
435 mutex_unlock(&key_construction_mutex
);
436 key
= key_ref_to_ptr(key_ref
);
438 ret
= __key_link_check_live_key(dest_keyring
, key
);
440 __key_link(dest_keyring
, key
, &edit
);
441 __key_link_end(dest_keyring
, &ctx
->index_key
, edit
);
443 goto link_check_failed
;
445 mutex_unlock(&user
->cons_lock
);
447 kleave(" = -EINPROGRESS [%d]", key_serial(key
));
451 mutex_unlock(&user
->cons_lock
);
453 kleave(" = %d [linkcheck]", ret
);
456 link_prealloc_failed
:
457 __key_link_end(dest_keyring
, &ctx
->index_key
, edit
);
459 mutex_unlock(&user
->cons_lock
);
461 kleave(" = %d [prelink]", ret
);
465 mutex_unlock(&user
->cons_lock
);
466 kleave(" = %ld", PTR_ERR(key
));
471 * Commence key construction.
473 static struct key
*construct_key_and_link(struct keyring_search_context
*ctx
,
474 const char *callout_info
,
477 struct key
*dest_keyring
,
480 struct key_user
*user
;
486 if (ctx
->index_key
.type
== &key_type_keyring
)
487 return ERR_PTR(-EPERM
);
489 ret
= construct_get_dest_keyring(&dest_keyring
);
493 user
= key_user_lookup(current_fsuid());
496 goto error_put_dest_keyring
;
499 ret
= construct_alloc_key(ctx
, dest_keyring
, flags
, user
, &key
);
503 ret
= construct_key(key
, callout_info
, callout_len
, aux
,
506 kdebug("cons failed");
507 goto construction_failed
;
509 } else if (ret
== -EINPROGRESS
) {
512 goto error_put_dest_keyring
;
515 key_put(dest_keyring
);
516 kleave(" = key %d", key_serial(key
));
520 key_negate_and_link(key
, key_negative_timeout
, NULL
, NULL
);
522 error_put_dest_keyring
:
523 key_put(dest_keyring
);
525 kleave(" = %d", ret
);
530 * request_key_and_link - Request a key and cache it in a keyring.
531 * @type: The type of key we want.
532 * @description: The searchable description of the key.
533 * @domain_tag: The domain in which the key operates.
534 * @callout_info: The data to pass to the instantiation upcall (or NULL).
535 * @callout_len: The length of callout_info.
536 * @aux: Auxiliary data for the upcall.
537 * @dest_keyring: Where to cache the key.
538 * @flags: Flags to key_alloc().
540 * A key matching the specified criteria (type, description, domain_tag) is
541 * searched for in the process's keyrings and returned with its usage count
542 * incremented if found. Otherwise, if callout_info is not NULL, a key will be
543 * allocated and some service (probably in userspace) will be asked to
546 * If successfully found or created, the key will be linked to the destination
547 * keyring if one is provided.
549 * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
550 * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
551 * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
552 * if insufficient key quota was available to create a new key; or -ENOMEM if
553 * insufficient memory was available.
555 * If the returned key was created, then it may still be under construction,
556 * and wait_for_key_construction() should be used to wait for that to complete.
558 struct key
*request_key_and_link(struct key_type
*type
,
559 const char *description
,
560 struct key_tag
*domain_tag
,
561 const void *callout_info
,
564 struct key
*dest_keyring
,
567 struct keyring_search_context ctx
= {
568 .index_key
.type
= type
,
569 .index_key
.domain_tag
= domain_tag
,
570 .index_key
.description
= description
,
571 .index_key
.desc_len
= strlen(description
),
572 .cred
= current_cred(),
573 .match_data
.cmp
= key_default_cmp
,
574 .match_data
.raw_data
= description
,
575 .match_data
.lookup_type
= KEYRING_SEARCH_LOOKUP_DIRECT
,
576 .flags
= (KEYRING_SEARCH_DO_STATE_CHECK
|
577 KEYRING_SEARCH_SKIP_EXPIRED
|
578 KEYRING_SEARCH_RECURSE
),
584 kenter("%s,%s,%p,%zu,%p,%p,%lx",
585 ctx
.index_key
.type
->name
, ctx
.index_key
.description
,
586 callout_info
, callout_len
, aux
, dest_keyring
, flags
);
588 if (type
->match_preparse
) {
589 ret
= type
->match_preparse(&ctx
.match_data
);
596 key
= check_cached_key(&ctx
);
600 /* search all the process keyrings for a key */
602 key_ref
= search_process_keyrings_rcu(&ctx
);
605 if (!IS_ERR(key_ref
)) {
607 ret
= key_task_permission(key_ref
, current_cred(),
610 key_ref_put(key_ref
);
616 key
= key_ref_to_ptr(key_ref
);
618 ret
= key_link(dest_keyring
, key
);
626 /* Only cache the key on immediate success */
627 cache_requested_key(key
);
628 } else if (PTR_ERR(key_ref
) != -EAGAIN
) {
629 key
= ERR_CAST(key_ref
);
631 /* the search failed, but the keyrings were searchable, so we
632 * should consult userspace if we can */
633 key
= ERR_PTR(-ENOKEY
);
637 key
= construct_key_and_link(&ctx
, callout_info
, callout_len
,
638 aux
, dest_keyring
, flags
);
642 if (type
->match_free
)
643 type
->match_free(&ctx
.match_data
);
645 kleave(" = %p", key
);
650 * wait_for_key_construction - Wait for construction of a key to complete
651 * @key: The key being waited for.
652 * @intr: Whether to wait interruptibly.
654 * Wait for a key to finish being constructed.
656 * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
657 * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
658 * revoked or expired.
660 int wait_for_key_construction(struct key
*key
, bool intr
)
664 ret
= wait_on_bit(&key
->flags
, KEY_FLAG_USER_CONSTRUCT
,
665 intr
? TASK_INTERRUPTIBLE
: TASK_UNINTERRUPTIBLE
);
668 ret
= key_read_state(key
);
671 return key_validate(key
);
673 EXPORT_SYMBOL(wait_for_key_construction
);
676 * request_key_tag - Request a key and wait for construction
677 * @type: Type of key.
678 * @description: The searchable description of the key.
679 * @domain_tag: The domain in which the key operates.
680 * @callout_info: The data to pass to the instantiation upcall (or NULL).
682 * As for request_key_and_link() except that it does not add the returned key
683 * to a keyring if found, new keys are always allocated in the user's quota,
684 * the callout_info must be a NUL-terminated string and no auxiliary data can
687 * Furthermore, it then works as wait_for_key_construction() to wait for the
688 * completion of keys undergoing construction with a non-interruptible wait.
690 struct key
*request_key_tag(struct key_type
*type
,
691 const char *description
,
692 struct key_tag
*domain_tag
,
693 const char *callout_info
)
696 size_t callout_len
= 0;
700 callout_len
= strlen(callout_info
);
701 key
= request_key_and_link(type
, description
, domain_tag
,
702 callout_info
, callout_len
,
703 NULL
, NULL
, KEY_ALLOC_IN_QUOTA
);
705 ret
= wait_for_key_construction(key
, false);
713 EXPORT_SYMBOL(request_key_tag
);
716 * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
717 * @type: The type of key we want.
718 * @description: The searchable description of the key.
719 * @domain_tag: The domain in which the key operates.
720 * @callout_info: The data to pass to the instantiation upcall (or NULL).
721 * @callout_len: The length of callout_info.
722 * @aux: Auxiliary data for the upcall.
724 * As for request_key_and_link() except that it does not add the returned key
725 * to a keyring if found and new keys are always allocated in the user's quota.
727 * Furthermore, it then works as wait_for_key_construction() to wait for the
728 * completion of keys undergoing construction with a non-interruptible wait.
730 struct key
*request_key_with_auxdata(struct key_type
*type
,
731 const char *description
,
732 struct key_tag
*domain_tag
,
733 const void *callout_info
,
740 key
= request_key_and_link(type
, description
, domain_tag
,
741 callout_info
, callout_len
,
742 aux
, NULL
, KEY_ALLOC_IN_QUOTA
);
744 ret
= wait_for_key_construction(key
, false);
752 EXPORT_SYMBOL(request_key_with_auxdata
);
755 * request_key_rcu - Request key from RCU-read-locked context
756 * @type: The type of key we want.
757 * @description: The name of the key we want.
758 * @domain_tag: The domain in which the key operates.
760 * Request a key from a context that we may not sleep in (such as RCU-mode
761 * pathwalk). Keys under construction are ignored.
763 * Return a pointer to the found key if successful, -ENOKEY if we couldn't find
764 * a key or some other error if the key found was unsuitable or inaccessible.
766 struct key
*request_key_rcu(struct key_type
*type
,
767 const char *description
,
768 struct key_tag
*domain_tag
)
770 struct keyring_search_context ctx
= {
771 .index_key
.type
= type
,
772 .index_key
.domain_tag
= domain_tag
,
773 .index_key
.description
= description
,
774 .index_key
.desc_len
= strlen(description
),
775 .cred
= current_cred(),
776 .match_data
.cmp
= key_default_cmp
,
777 .match_data
.raw_data
= description
,
778 .match_data
.lookup_type
= KEYRING_SEARCH_LOOKUP_DIRECT
,
779 .flags
= (KEYRING_SEARCH_DO_STATE_CHECK
|
780 KEYRING_SEARCH_SKIP_EXPIRED
),
785 kenter("%s,%s", type
->name
, description
);
787 key
= check_cached_key(&ctx
);
791 /* search all the process keyrings for a key */
792 key_ref
= search_process_keyrings_rcu(&ctx
);
793 if (IS_ERR(key_ref
)) {
794 key
= ERR_CAST(key_ref
);
795 if (PTR_ERR(key_ref
) == -EAGAIN
)
796 key
= ERR_PTR(-ENOKEY
);
798 key
= key_ref_to_ptr(key_ref
);
799 cache_requested_key(key
);
802 kleave(" = %p", key
);
805 EXPORT_SYMBOL(request_key_rcu
);