projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KEYS: Fix up comments in key management code
[deliverable/linux.git] / security / keys / keyring.c
1 /* Keyring handling
2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/security.h>
17 #include <linux/seq_file.h>
18 #include <linux/err.h>
19 #include <keys/keyring-type.h>
20 #include <linux/uaccess.h>
21 #include "internal.h"
22
23 #define rcu_dereference_locked_keyring(keyring) \
24 (rcu_dereference_protected( \
25 (keyring)->payload.subscriptions, \
26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27
28 /*
29 * When plumbing the depths of the key tree, this sets a hard limit
30 * set on how deep we're willing to go.
31 */
32 #define KEYRING_SEARCH_MAX_DEPTH 6
33
34 /*
35 * We keep all named keyrings in a hash to speed looking them up.
36 */
37 #define KEYRING_NAME_HASH_SIZE (1 << 5)
38
39 static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
40 static DEFINE_RWLOCK(keyring_name_lock);
41
42 static inline unsigned keyring_hash(const char *desc)
43 {
44 unsigned bucket = 0;
45
46 for (; *desc; desc++)
47 bucket += (unsigned char)*desc;
48
49 return bucket & (KEYRING_NAME_HASH_SIZE - 1);
50 }
51
52 /*
53 * The keyring key type definition. Keyrings are simply keys of this type and
54 * can be treated as ordinary keys in addition to having their own special
55 * operations.
56 */
57 static int keyring_instantiate(struct key *keyring,
58 const void *data, size_t datalen);
59 static int keyring_match(const struct key *keyring, const void *criterion);
60 static void keyring_revoke(struct key *keyring);
61 static void keyring_destroy(struct key *keyring);
62 static void keyring_describe(const struct key *keyring, struct seq_file *m);
63 static long keyring_read(const struct key *keyring,
64 char __user *buffer, size_t buflen);
65
66 struct key_type key_type_keyring = {
67 .name = "keyring",
68 .def_datalen = sizeof(struct keyring_list),
69 .instantiate = keyring_instantiate,
70 .match = keyring_match,
71 .revoke = keyring_revoke,
72 .destroy = keyring_destroy,
73 .describe = keyring_describe,
74 .read = keyring_read,
75 };
76 EXPORT_SYMBOL(key_type_keyring);
77
78 /*
79 * Semaphore to serialise link/link calls to prevent two link calls in parallel
80 * introducing a cycle.
81 */
82 static DECLARE_RWSEM(keyring_serialise_link_sem);
83
84 /*
85 * Publish the name of a keyring so that it can be found by name (if it has
86 * one).
87 */
88 static void keyring_publish_name(struct key *keyring)
89 {
90 int bucket;
91
92 if (keyring->description) {
93 bucket = keyring_hash(keyring->description);
94
95 write_lock(&keyring_name_lock);
96
97 if (!keyring_name_hash[bucket].next)
98 INIT_LIST_HEAD(&keyring_name_hash[bucket]);
99
100 list_add_tail(&keyring->type_data.link,
101 &keyring_name_hash[bucket]);
102
103 write_unlock(&keyring_name_lock);
104 }
105 }
106
107 /*
108 * Initialise a keyring.
109 *
110 * Returns 0 on success, -EINVAL if given any data.
111 */
112 static int keyring_instantiate(struct key *keyring,
113 const void *data, size_t datalen)
114 {
115 int ret;
116
117 ret = -EINVAL;
118 if (datalen == 0) {
119 /* make the keyring available by name if it has one */
120 keyring_publish_name(keyring);
121 ret = 0;
122 }
123
124 return ret;
125 }
126
127 /*
128 * Match keyrings on their name
129 */
130 static int keyring_match(const struct key *keyring, const void *description)
131 {
132 return keyring->description &&
133 strcmp(keyring->description, description) == 0;
134 }
135
136 /*
137 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
138 * and dispose of its data.
139 */
140 static void keyring_destroy(struct key *keyring)
141 {
142 struct keyring_list *klist;
143 int loop;
144
145 if (keyring->description) {
146 write_lock(&keyring_name_lock);
147
148 if (keyring->type_data.link.next != NULL &&
149 !list_empty(&keyring->type_data.link))
150 list_del(&keyring->type_data.link);
151
152 write_unlock(&keyring_name_lock);
153 }
154
155 klist = rcu_dereference_check(keyring->payload.subscriptions,
156 rcu_read_lock_held() ||
157 atomic_read(&keyring->usage) == 0);
158 if (klist) {
159 for (loop = klist->nkeys - 1; loop >= 0; loop--)
160 key_put(klist->keys[loop]);
161 kfree(klist);
162 }
163 }
164
165 /*
166 * Describe a keyring for /proc.
167 */
168 static void keyring_describe(const struct key *keyring, struct seq_file *m)
169 {
170 struct keyring_list *klist;
171
172 if (keyring->description)
173 seq_puts(m, keyring->description);
174 else
175 seq_puts(m, "[anon]");
176
177 rcu_read_lock();
178 klist = rcu_dereference(keyring->payload.subscriptions);
179 if (klist)
180 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
181 else
182 seq_puts(m, ": empty");
183 rcu_read_unlock();
184 }
185
186 /*
187 * Read a list of key IDs from the keyring's contents in binary form
188 *
189 * The keyring's semaphore is read-locked by the caller.
190 */
191 static long keyring_read(const struct key *keyring,
192 char __user *buffer, size_t buflen)
193 {
194 struct keyring_list *klist;
195 struct key *key;
196 size_t qty, tmp;
197 int loop, ret;
198
199 ret = 0;
200 klist = rcu_dereference_locked_keyring(keyring);
201 if (klist) {
202 /* calculate how much data we could return */
203 qty = klist->nkeys * sizeof(key_serial_t);
204
205 if (buffer && buflen > 0) {
206 if (buflen > qty)
207 buflen = qty;
208
209 /* copy the IDs of the subscribed keys into the
210 * buffer */
211 ret = -EFAULT;
212
213 for (loop = 0; loop < klist->nkeys; loop++) {
214 key = klist->keys[loop];
215
216 tmp = sizeof(key_serial_t);
217 if (tmp > buflen)
218 tmp = buflen;
219
220 if (copy_to_user(buffer,
221 &key->serial,
222 tmp) != 0)
223 goto error;
224
225 buflen -= tmp;
226 if (buflen == 0)
227 break;
228 buffer += tmp;
229 }
230 }
231
232 ret = qty;
233 }
234
235 error:
236 return ret;
237 }
238
239 /*
240 * Allocate a keyring and link into the destination keyring.
241 */
242 struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
243 const struct cred *cred, unsigned long flags,
244 struct key *dest)
245 {
246 struct key *keyring;
247 int ret;
248
249 keyring = key_alloc(&key_type_keyring, description,
250 uid, gid, cred,
251 (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
252 flags);
253
254 if (!IS_ERR(keyring)) {
255 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
256 if (ret < 0) {
257 key_put(keyring);
258 keyring = ERR_PTR(ret);
259 }
260 }
261
262 return keyring;
263 }
264
265 /**
266 * keyring_search_aux - Search a keyring tree for a key matching some criteria
267 * @keyring_ref: A pointer to the keyring with possession indicator.
268 * @cred: The credentials to use for permissions checks.
269 * @type: The type of key to search for.
270 * @description: Parameter for @match.
271 * @match: Function to rule on whether or not a key is the one required.
272 *
273 * Search the supplied keyring tree for a key that matches the criteria given.
274 * The root keyring and any linked keyrings must grant Search permission to the
275 * caller to be searchable and keys can only be found if they too grant Search
276 * to the caller. The possession flag on the root keyring pointer controls use
277 * of the possessor bits in permissions checking of the entire tree. In
278 * addition, the LSM gets to forbid keyring searches and key matches.
279 *
280 * The search is performed as a breadth-then-depth search up to the prescribed
281 * limit (KEYRING_SEARCH_MAX_DEPTH).
282 *
283 * Keys are matched to the type provided and are then filtered by the match
284 * function, which is given the description to use in any way it sees fit. The
285 * match function may use any attributes of a key that it wishes to to
286 * determine the match. Normally the match function from the key type would be
287 * used.
288 *
289 * RCU is used to prevent the keyring key lists from disappearing without the
290 * need to take lots of locks.
291 *
292 * Returns a pointer to the found key and increments the key usage count if
293 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
294 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
295 * specified keyring wasn't a keyring.
296 *
297 * In the case of a successful return, the possession attribute from
298 * @keyring_ref is propagated to the returned key reference.
299 */
300 key_ref_t keyring_search_aux(key_ref_t keyring_ref,
301 const struct cred *cred,
302 struct key_type *type,
303 const void *description,
304 key_match_func_t match)
305 {
306 struct {
307 struct keyring_list *keylist;
308 int kix;
309 } stack[KEYRING_SEARCH_MAX_DEPTH];
310
311 struct keyring_list *keylist;
312 struct timespec now;
313 unsigned long possessed, kflags;
314 struct key *keyring, *key;
315 key_ref_t key_ref;
316 long err;
317 int sp, kix;
318
319 keyring = key_ref_to_ptr(keyring_ref);
320 possessed = is_key_possessed(keyring_ref);
321 key_check(keyring);
322
323 /* top keyring must have search permission to begin the search */
324 err = key_task_permission(keyring_ref, cred, KEY_SEARCH);
325 if (err < 0) {
326 key_ref = ERR_PTR(err);
327 goto error;
328 }
329
330 key_ref = ERR_PTR(-ENOTDIR);
331 if (keyring->type != &key_type_keyring)
332 goto error;
333
334 rcu_read_lock();
335
336 now = current_kernel_time();
337 err = -EAGAIN;
338 sp = 0;
339
340 /* firstly we should check to see if this top-level keyring is what we
341 * are looking for */
342 key_ref = ERR_PTR(-EAGAIN);
343 kflags = keyring->flags;
344 if (keyring->type == type && match(keyring, description)) {
345 key = keyring;
346
347 /* check it isn't negative and hasn't expired or been
348 * revoked */
349 if (kflags & (1 << KEY_FLAG_REVOKED))
350 goto error_2;
351 if (key->expiry && now.tv_sec >= key->expiry)
352 goto error_2;
353 key_ref = ERR_PTR(-ENOKEY);
354 if (kflags & (1 << KEY_FLAG_NEGATIVE))
355 goto error_2;
356 goto found;
357 }
358
359 /* otherwise, the top keyring must not be revoked, expired, or
360 * negatively instantiated if we are to search it */
361 key_ref = ERR_PTR(-EAGAIN);
362 if (kflags & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_NEGATIVE)) ||
363 (keyring->expiry && now.tv_sec >= keyring->expiry))
364 goto error_2;
365
366 /* start processing a new keyring */
367 descend:
368 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
369 goto not_this_keyring;
370
371 keylist = rcu_dereference(keyring->payload.subscriptions);
372 if (!keylist)
373 goto not_this_keyring;
374
375 /* iterate through the keys in this keyring first */
376 for (kix = 0; kix < keylist->nkeys; kix++) {
377 key = keylist->keys[kix];
378 kflags = key->flags;
379
380 /* ignore keys not of this type */
381 if (key->type != type)
382 continue;
383
384 /* skip revoked keys and expired keys */
385 if (kflags & (1 << KEY_FLAG_REVOKED))
386 continue;
387
388 if (key->expiry && now.tv_sec >= key->expiry)
389 continue;
390
391 /* keys that don't match */
392 if (!match(key, description))
393 continue;
394
395 /* key must have search permissions */
396 if (key_task_permission(make_key_ref(key, possessed),
397 cred, KEY_SEARCH) < 0)
398 continue;
399
400 /* we set a different error code if we pass a negative key */
401 if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
402 err = -ENOKEY;
403 continue;
404 }
405
406 goto found;
407 }
408
409 /* search through the keyrings nested in this one */
410 kix = 0;
411 ascend:
412 for (; kix < keylist->nkeys; kix++) {
413 key = keylist->keys[kix];
414 if (key->type != &key_type_keyring)
415 continue;
416
417 /* recursively search nested keyrings
418 * - only search keyrings for which we have search permission
419 */
420 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
421 continue;
422
423 if (key_task_permission(make_key_ref(key, possessed),
424 cred, KEY_SEARCH) < 0)
425 continue;
426
427 /* stack the current position */
428 stack[sp].keylist = keylist;
429 stack[sp].kix = kix;
430 sp++;
431
432 /* begin again with the new keyring */
433 keyring = key;
434 goto descend;
435 }
436
437 /* the keyring we're looking at was disqualified or didn't contain a
438 * matching key */
439 not_this_keyring:
440 if (sp > 0) {
441 /* resume the processing of a keyring higher up in the tree */
442 sp--;
443 keylist = stack[sp].keylist;
444 kix = stack[sp].kix + 1;
445 goto ascend;
446 }
447
448 key_ref = ERR_PTR(err);
449 goto error_2;
450
451 /* we found a viable match */
452 found:
453 atomic_inc(&key->usage);
454 key_check(key);
455 key_ref = make_key_ref(key, possessed);
456 error_2:
457 rcu_read_unlock();
458 error:
459 return key_ref;
460 }
461
462 /**
463 * keyring_search - Search the supplied keyring tree for a matching key
464 * @keyring: The root of the keyring tree to be searched.
465 * @type: The type of keyring we want to find.
466 * @description: The name of the keyring we want to find.
467 *
468 * As keyring_search_aux() above, but using the current task's credentials and
469 * type's default matching function.
470 */
471 key_ref_t keyring_search(key_ref_t keyring,
472 struct key_type *type,
473 const char *description)
474 {
475 if (!type->match)
476 return ERR_PTR(-ENOKEY);
477
478 return keyring_search_aux(keyring, current->cred,
479 type, description, type->match);
480 }
481 EXPORT_SYMBOL(keyring_search);
482
483 /*
484 * Search the given keyring only (no recursion).
485 *
486 * The caller must guarantee that the keyring is a keyring and that the
487 * permission is granted to search the keyring as no check is made here.
488 *
489 * RCU is used to make it unnecessary to lock the keyring key list here.
490 *
491 * Returns a pointer to the found key with usage count incremented if
492 * successful and returns -ENOKEY if not found. Revoked keys and keys not
493 * providing the requested permission are skipped over.
494 *
495 * If successful, the possession indicator is propagated from the keyring ref
496 * to the returned key reference.
497 */
498 key_ref_t __keyring_search_one(key_ref_t keyring_ref,
499 const struct key_type *ktype,
500 const char *description,
501 key_perm_t perm)
502 {
503 struct keyring_list *klist;
504 unsigned long possessed;
505 struct key *keyring, *key;
506 int loop;
507
508 keyring = key_ref_to_ptr(keyring_ref);
509 possessed = is_key_possessed(keyring_ref);
510
511 rcu_read_lock();
512
513 klist = rcu_dereference(keyring->payload.subscriptions);
514 if (klist) {
515 for (loop = 0; loop < klist->nkeys; loop++) {
516 key = klist->keys[loop];
517
518 if (key->type == ktype &&
519 (!key->type->match ||
520 key->type->match(key, description)) &&
521 key_permission(make_key_ref(key, possessed),
522 perm) == 0 &&
523 !test_bit(KEY_FLAG_REVOKED, &key->flags)
524 )
525 goto found;
526 }
527 }
528
529 rcu_read_unlock();
530 return ERR_PTR(-ENOKEY);
531
532 found:
533 atomic_inc(&key->usage);
534 rcu_read_unlock();
535 return make_key_ref(key, possessed);
536 }
537
538 /*
539 * Find a keyring with the specified name.
540 *
541 * All named keyrings in the current user namespace are searched, provided they
542 * grant Search permission directly to the caller (unless this check is
543 * skipped). Keyrings whose usage points have reached zero or who have been
544 * revoked are skipped.
545 *
546 * Returns a pointer to the keyring with the keyring's refcount having being
547 * incremented on success. -ENOKEY is returned if a key could not be found.
548 */
549 struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
550 {
551 struct key *keyring;
552 int bucket;
553
554 if (!name)
555 return ERR_PTR(-EINVAL);
556
557 bucket = keyring_hash(name);
558
559 read_lock(&keyring_name_lock);
560
561 if (keyring_name_hash[bucket].next) {
562 /* search this hash bucket for a keyring with a matching name
563 * that's readable and that hasn't been revoked */
564 list_for_each_entry(keyring,
565 &keyring_name_hash[bucket],
566 type_data.link
567 ) {
568 if (keyring->user->user_ns != current_user_ns())
569 continue;
570
571 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
572 continue;
573
574 if (strcmp(keyring->description, name) != 0)
575 continue;
576
577 if (!skip_perm_check &&
578 key_permission(make_key_ref(keyring, 0),
579 KEY_SEARCH) < 0)
580 continue;
581
582 /* we've got a match but we might end up racing with
583 * key_cleanup() if the keyring is currently 'dead'
584 * (ie. it has a zero usage count) */
585 if (!atomic_inc_not_zero(&keyring->usage))
586 continue;
587 goto out;
588 }
589 }
590
591 keyring = ERR_PTR(-ENOKEY);
592 out:
593 read_unlock(&keyring_name_lock);
594 return keyring;
595 }
596
597 /*
598 * See if a cycle will will be created by inserting acyclic tree B in acyclic
599 * tree A at the topmost level (ie: as a direct child of A).
600 *
601 * Since we are adding B to A at the top level, checking for cycles should just
602 * be a matter of seeing if node A is somewhere in tree B.
603 */
604 static int keyring_detect_cycle(struct key *A, struct key *B)
605 {
606 struct {
607 struct keyring_list *keylist;
608 int kix;
609 } stack[KEYRING_SEARCH_MAX_DEPTH];
610
611 struct keyring_list *keylist;
612 struct key *subtree, *key;
613 int sp, kix, ret;
614
615 rcu_read_lock();
616
617 ret = -EDEADLK;
618 if (A == B)
619 goto cycle_detected;
620
621 subtree = B;
622 sp = 0;
623
624 /* start processing a new keyring */
625 descend:
626 if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
627 goto not_this_keyring;
628
629 keylist = rcu_dereference(subtree->payload.subscriptions);
630 if (!keylist)
631 goto not_this_keyring;
632 kix = 0;
633
634 ascend:
635 /* iterate through the remaining keys in this keyring */
636 for (; kix < keylist->nkeys; kix++) {
637 key = keylist->keys[kix];
638
639 if (key == A)
640 goto cycle_detected;
641
642 /* recursively check nested keyrings */
643 if (key->type == &key_type_keyring) {
644 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
645 goto too_deep;
646
647 /* stack the current position */
648 stack[sp].keylist = keylist;
649 stack[sp].kix = kix;
650 sp++;
651
652 /* begin again with the new keyring */
653 subtree = key;
654 goto descend;
655 }
656 }
657
658 /* the keyring we're looking at was disqualified or didn't contain a
659 * matching key */
660 not_this_keyring:
661 if (sp > 0) {
662 /* resume the checking of a keyring higher up in the tree */
663 sp--;
664 keylist = stack[sp].keylist;
665 kix = stack[sp].kix + 1;
666 goto ascend;
667 }
668
669 ret = 0; /* no cycles detected */
670
671 error:
672 rcu_read_unlock();
673 return ret;
674
675 too_deep:
676 ret = -ELOOP;
677 goto error;
678
679 cycle_detected:
680 ret = -EDEADLK;
681 goto error;
682 }
683
684 /*
685 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
686 * key
687 */
688 static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
689 {
690 struct keyring_list *klist =
691 container_of(rcu, struct keyring_list, rcu);
692
693 if (klist->delkey != USHRT_MAX)
694 key_put(klist->keys[klist->delkey]);
695 kfree(klist);
696 }
697
698 /*
699 * Preallocate memory so that a key can be linked into to a keyring.
700 */
701 int __key_link_begin(struct key *keyring, const struct key_type *type,
702 const char *description,
703 struct keyring_list **_prealloc)
704 __acquires(&keyring->sem)
705 {
706 struct keyring_list *klist, *nklist;
707 unsigned max;
708 size_t size;
709 int loop, ret;
710
711 kenter("%d,%s,%s,", key_serial(keyring), type->name, description);
712
713 if (keyring->type != &key_type_keyring)
714 return -ENOTDIR;
715
716 down_write(&keyring->sem);
717
718 ret = -EKEYREVOKED;
719 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
720 goto error_krsem;
721
722 /* serialise link/link calls to prevent parallel calls causing a cycle
723 * when linking two keyring in opposite orders */
724 if (type == &key_type_keyring)
725 down_write(&keyring_serialise_link_sem);
726
727 klist = rcu_dereference_locked_keyring(keyring);
728
729 /* see if there's a matching key we can displace */
730 if (klist && klist->nkeys > 0) {
731 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
732 if (klist->keys[loop]->type == type &&
733 strcmp(klist->keys[loop]->description,
734 description) == 0
735 ) {
736 /* found a match - we'll replace this one with
737 * the new key */
738 size = sizeof(struct key *) * klist->maxkeys;
739 size += sizeof(*klist);
740 BUG_ON(size > PAGE_SIZE);
741
742 ret = -ENOMEM;
743 nklist = kmemdup(klist, size, GFP_KERNEL);
744 if (!nklist)
745 goto error_sem;
746
747 /* note replacement slot */
748 klist->delkey = nklist->delkey = loop;
749 goto done;
750 }
751 }
752 }
753
754 /* check that we aren't going to overrun the user's quota */
755 ret = key_payload_reserve(keyring,
756 keyring->datalen + KEYQUOTA_LINK_BYTES);
757 if (ret < 0)
758 goto error_sem;
759
760 if (klist && klist->nkeys < klist->maxkeys) {
761 /* there's sufficient slack space to append directly */
762 nklist = NULL;
763 } else {
764 /* grow the key list */
765 max = 4;
766 if (klist)
767 max += klist->maxkeys;
768
769 ret = -ENFILE;
770 if (max > USHRT_MAX - 1)
771 goto error_quota;
772 size = sizeof(*klist) + sizeof(struct key *) * max;
773 if (size > PAGE_SIZE)
774 goto error_quota;
775
776 ret = -ENOMEM;
777 nklist = kmalloc(size, GFP_KERNEL);
778 if (!nklist)
779 goto error_quota;
780
781 nklist->maxkeys = max;
782 if (klist) {
783 memcpy(nklist->keys, klist->keys,
784 sizeof(struct key *) * klist->nkeys);
785 nklist->delkey = klist->nkeys;
786 nklist->nkeys = klist->nkeys + 1;
787 klist->delkey = USHRT_MAX;
788 } else {
789 nklist->nkeys = 1;
790 nklist->delkey = 0;
791 }
792
793 /* add the key into the new space */
794 nklist->keys[nklist->delkey] = NULL;
795 }
796
797 done:
798 *_prealloc = nklist;
799 kleave(" = 0");
800 return 0;
801
802 error_quota:
803 /* undo the quota changes */
804 key_payload_reserve(keyring,
805 keyring->datalen - KEYQUOTA_LINK_BYTES);
806 error_sem:
807 if (type == &key_type_keyring)
808 up_write(&keyring_serialise_link_sem);
809 error_krsem:
810 up_write(&keyring->sem);
811 kleave(" = %d", ret);
812 return ret;
813 }
814
815 /*
816 * Check already instantiated keys aren't going to be a problem.
817 *
818 * The caller must have called __key_link_begin(). Don't need to call this for
819 * keys that were created since __key_link_begin() was called.
820 */
821 int __key_link_check_live_key(struct key *keyring, struct key *key)
822 {
823 if (key->type == &key_type_keyring)
824 /* check that we aren't going to create a cycle by linking one
825 * keyring to another */
826 return keyring_detect_cycle(keyring, key);
827 return 0;
828 }
829
830 /*
831 * Link a key into to a keyring.
832 *
833 * Must be called with __key_link_begin() having being called. Discards any
834 * already extant link to matching key if there is one, so that each keyring
835 * holds at most one link to any given key of a particular type+description
836 * combination.
837 */
838 void __key_link(struct key *keyring, struct key *key,
839 struct keyring_list **_prealloc)
840 {
841 struct keyring_list *klist, *nklist;
842
843 nklist = *_prealloc;
844 *_prealloc = NULL;
845
846 kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
847
848 klist = rcu_dereference_protected(keyring->payload.subscriptions,
849 rwsem_is_locked(&keyring->sem));
850
851 atomic_inc(&key->usage);
852
853 /* there's a matching key we can displace or an empty slot in a newly
854 * allocated list we can fill */
855 if (nklist) {
856 kdebug("replace %hu/%hu/%hu",
857 nklist->delkey, nklist->nkeys, nklist->maxkeys);
858
859 nklist->keys[nklist->delkey] = key;
860
861 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
862
863 /* dispose of the old keyring list and, if there was one, the
864 * displaced key */
865 if (klist) {
866 kdebug("dispose %hu/%hu/%hu",
867 klist->delkey, klist->nkeys, klist->maxkeys);
868 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
869 }
870 } else {
871 /* there's sufficient slack space to append directly */
872 klist->keys[klist->nkeys] = key;
873 smp_wmb();
874 klist->nkeys++;
875 }
876 }
877
878 /*
879 * Finish linking a key into to a keyring.
880 *
881 * Must be called with __key_link_begin() having being called.
882 */
883 void __key_link_end(struct key *keyring, struct key_type *type,
884 struct keyring_list *prealloc)
885 __releases(&keyring->sem)
886 {
887 BUG_ON(type == NULL);
888 BUG_ON(type->name == NULL);
889 kenter("%d,%s,%p", keyring->serial, type->name, prealloc);
890
891 if (type == &key_type_keyring)
892 up_write(&keyring_serialise_link_sem);
893
894 if (prealloc) {
895 kfree(prealloc);
896 key_payload_reserve(keyring,
897 keyring->datalen - KEYQUOTA_LINK_BYTES);
898 }
899 up_write(&keyring->sem);
900 }
901
902 /**
903 * key_link - Link a key to a keyring
904 * @keyring: The keyring to make the link in.
905 * @key: The key to link to.
906 *
907 * Make a link in a keyring to a key, such that the keyring holds a reference
908 * on that key and the key can potentially be found by searching that keyring.
909 *
910 * This function will write-lock the keyring's semaphore and will consume some
911 * of the user's key data quota to hold the link.
912 *
913 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
914 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
915 * full, -EDQUOT if there is insufficient key data quota remaining to add
916 * another link or -ENOMEM if there's insufficient memory.
917 *
918 * It is assumed that the caller has checked that it is permitted for a link to
919 * be made (the keyring should have Write permission and the key Link
920 * permission).
921 */
922 int key_link(struct key *keyring, struct key *key)
923 {
924 struct keyring_list *prealloc;
925 int ret;
926
927 key_check(keyring);
928 key_check(key);
929
930 ret = __key_link_begin(keyring, key->type, key->description, &prealloc);
931 if (ret == 0) {
932 ret = __key_link_check_live_key(keyring, key);
933 if (ret == 0)
934 __key_link(keyring, key, &prealloc);
935 __key_link_end(keyring, key->type, prealloc);
936 }
937
938 return ret;
939 }
940 EXPORT_SYMBOL(key_link);
941
942 /**
943 * key_unlink - Unlink the first link to a key from a keyring.
944 * @keyring: The keyring to remove the link from.
945 * @key: The key the link is to.
946 *
947 * Remove a link from a keyring to a key.
948 *
949 * This function will write-lock the keyring's semaphore.
950 *
951 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
952 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
953 * memory.
954 *
955 * It is assumed that the caller has checked that it is permitted for a link to
956 * be removed (the keyring should have Write permission; no permissions are
957 * required on the key).
958 */
959 int key_unlink(struct key *keyring, struct key *key)
960 {
961 struct keyring_list *klist, *nklist;
962 int loop, ret;
963
964 key_check(keyring);
965 key_check(key);
966
967 ret = -ENOTDIR;
968 if (keyring->type != &key_type_keyring)
969 goto error;
970
971 down_write(&keyring->sem);
972
973 klist = rcu_dereference_locked_keyring(keyring);
974 if (klist) {
975 /* search the keyring for the key */
976 for (loop = 0; loop < klist->nkeys; loop++)
977 if (klist->keys[loop] == key)
978 goto key_is_present;
979 }
980
981 up_write(&keyring->sem);
982 ret = -ENOENT;
983 goto error;
984
985 key_is_present:
986 /* we need to copy the key list for RCU purposes */
987 nklist = kmalloc(sizeof(*klist) +
988 sizeof(struct key *) * klist->maxkeys,
989 GFP_KERNEL);
990 if (!nklist)
991 goto nomem;
992 nklist->maxkeys = klist->maxkeys;
993 nklist->nkeys = klist->nkeys - 1;
994
995 if (loop > 0)
996 memcpy(&nklist->keys[0],
997 &klist->keys[0],
998 loop * sizeof(struct key *));
999
1000 if (loop < nklist->nkeys)
1001 memcpy(&nklist->keys[loop],
1002 &klist->keys[loop + 1],
1003 (nklist->nkeys - loop) * sizeof(struct key *));
1004
1005 /* adjust the user's quota */
1006 key_payload_reserve(keyring,
1007 keyring->datalen - KEYQUOTA_LINK_BYTES);
1008
1009 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
1010
1011 up_write(&keyring->sem);
1012
1013 /* schedule for later cleanup */
1014 klist->delkey = loop;
1015 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
1016
1017 ret = 0;
1018
1019 error:
1020 return ret;
1021 nomem:
1022 ret = -ENOMEM;
1023 up_write(&keyring->sem);
1024 goto error;
1025 }
1026 EXPORT_SYMBOL(key_unlink);
1027
1028 /*
1029 * Dispose of a keyring list after the RCU grace period, releasing the keys it
1030 * links to.
1031 */
1032 static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1033 {
1034 struct keyring_list *klist;
1035 int loop;
1036
1037 klist = container_of(rcu, struct keyring_list, rcu);
1038
1039 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1040 key_put(klist->keys[loop]);
1041
1042 kfree(klist);
1043 }
1044
1045 /**
1046 * keyring_clear - Clear a keyring
1047 * @keyring: The keyring to clear.
1048 *
1049 * Clear the contents of the specified keyring.
1050 *
1051 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
1052 */
1053 int keyring_clear(struct key *keyring)
1054 {
1055 struct keyring_list *klist;
1056 int ret;
1057
1058 ret = -ENOTDIR;
1059 if (keyring->type == &key_type_keyring) {
1060 /* detach the pointer block with the locks held */
1061 down_write(&keyring->sem);
1062
1063 klist = rcu_dereference_locked_keyring(keyring);
1064 if (klist) {
1065 /* adjust the quota */
1066 key_payload_reserve(keyring,
1067 sizeof(struct keyring_list));
1068
1069 rcu_assign_pointer(keyring->payload.subscriptions,
1070 NULL);
1071 }
1072
1073 up_write(&keyring->sem);
1074
1075 /* free the keys after the locks have been dropped */
1076 if (klist)
1077 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1078
1079 ret = 0;
1080 }
1081
1082 return ret;
1083 }
1084 EXPORT_SYMBOL(keyring_clear);
1085
1086 /*
1087 * Dispose of the links from a revoked keyring.
1088 *
1089 * This is called with the key sem write-locked.
1090 */
1091 static void keyring_revoke(struct key *keyring)
1092 {
1093 struct keyring_list *klist;
1094
1095 klist = rcu_dereference_locked_keyring(keyring);
1096
1097 /* adjust the quota */
1098 key_payload_reserve(keyring, 0);
1099
1100 if (klist) {
1101 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1102 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1103 }
1104 }
1105
1106 /*
1107 * Determine whether a key is dead.
1108 */
1109 static bool key_is_dead(struct key *key, time_t limit)
1110 {
1111 return test_bit(KEY_FLAG_DEAD, &key->flags) ||
1112 (key->expiry > 0 && key->expiry <= limit);
1113 }
1114
1115 /*
1116 * Collect garbage from the contents of a keyring, replacing the old list with
1117 * a new one with the pointers all shuffled down.
1118 *
1119 * Dead keys are classed as oned that are flagged as being dead or are revoked,
1120 * expired or negative keys that were revoked or expired before the specified
1121 * limit.
1122 */
1123 void keyring_gc(struct key *keyring, time_t limit)
1124 {
1125 struct keyring_list *klist, *new;
1126 struct key *key;
1127 int loop, keep, max;
1128
1129 kenter("{%x,%s}", key_serial(keyring), keyring->description);
1130
1131 down_write(&keyring->sem);
1132
1133 klist = rcu_dereference_locked_keyring(keyring);
1134 if (!klist)
1135 goto no_klist;
1136
1137 /* work out how many subscriptions we're keeping */
1138 keep = 0;
1139 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1140 if (!key_is_dead(klist->keys[loop], limit))
1141 keep++;
1142
1143 if (keep == klist->nkeys)
1144 goto just_return;
1145
1146 /* allocate a new keyring payload */
1147 max = roundup(keep, 4);
1148 new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
1149 GFP_KERNEL);
1150 if (!new)
1151 goto nomem;
1152 new->maxkeys = max;
1153 new->nkeys = 0;
1154 new->delkey = 0;
1155
1156 /* install the live keys
1157 * - must take care as expired keys may be updated back to life
1158 */
1159 keep = 0;
1160 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
1161 key = klist->keys[loop];
1162 if (!key_is_dead(key, limit)) {
1163 if (keep >= max)
1164 goto discard_new;
1165 new->keys[keep++] = key_get(key);
1166 }
1167 }
1168 new->nkeys = keep;
1169
1170 /* adjust the quota */
1171 key_payload_reserve(keyring,
1172 sizeof(struct keyring_list) +
1173 KEYQUOTA_LINK_BYTES * keep);
1174
1175 if (keep == 0) {
1176 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1177 kfree(new);
1178 } else {
1179 rcu_assign_pointer(keyring->payload.subscriptions, new);
1180 }
1181
1182 up_write(&keyring->sem);
1183
1184 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1185 kleave(" [yes]");
1186 return;
1187
1188 discard_new:
1189 new->nkeys = keep;
1190 keyring_clear_rcu_disposal(&new->rcu);
1191 up_write(&keyring->sem);
1192 kleave(" [discard]");
1193 return;
1194
1195 just_return:
1196 up_write(&keyring->sem);
1197 kleave(" [no dead]");
1198 return;
1199
1200 no_klist:
1201 up_write(&keyring->sem);
1202 kleave(" [no_klist]");
1203 return;
1204
1205 nomem:
1206 up_write(&keyring->sem);
1207 kleave(" [oom]");
1208 }
Linux kernel - Deliverables
This page took 0.086252 seconds and 5 git commands to generate.