diff options
Diffstat (limited to 'security/keys/request_key_auth.c')
| -rw-r--r-- | security/keys/request_key_auth.c | 273 |
1 files changed, 176 insertions, 97 deletions
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index a8e4069d48c..7495a93b4b9 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -1,4 +1,4 @@ -/* request_key_auth.c: request key authorisation controlling key def +/* Request key authorisation token key definition. * * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) @@ -8,88 +8,107 @@ * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. * - * See Documentation/keys-request-key.txt + * See Documentation/security/keys-request-key.txt */ #include <linux/module.h> #include <linux/sched.h> #include <linux/err.h> #include <linux/seq_file.h> +#include <linux/slab.h> +#include <asm/uaccess.h> #include "internal.h" +#include <keys/user-type.h> -static int request_key_auth_instantiate(struct key *, const void *, size_t); +static int request_key_auth_instantiate(struct key *, + struct key_preparsed_payload *); static void request_key_auth_describe(const struct key *, struct seq_file *); +static void request_key_auth_revoke(struct key *); static void request_key_auth_destroy(struct key *); +static long request_key_auth_read(const struct key *, char __user *, size_t); /* - * the request-key authorisation key type definition + * The request-key authorisation key type definition. */ struct key_type key_type_request_key_auth = { .name = ".request_key_auth", .def_datalen = sizeof(struct request_key_auth), .instantiate = request_key_auth_instantiate, .describe = request_key_auth_describe, + .revoke = request_key_auth_revoke, .destroy = request_key_auth_destroy, + .read = request_key_auth_read, }; -/*****************************************************************************/ /* - * instantiate a request-key authorisation record + * Instantiate a request-key authorisation key. */ static int request_key_auth_instantiate(struct key *key, - const void *data, - size_t datalen) + struct key_preparsed_payload *prep) { - struct request_key_auth *rka, *irka; - struct key *instkey; - int ret; + key->payload.data = (struct request_key_auth *)prep->data; + return 0; +} - ret = -ENOMEM; - rka = kmalloc(sizeof(*rka), GFP_KERNEL); - if (rka) { - /* see if the calling process is already servicing the key - * request of another process */ - instkey = key_get_instantiation_authkey(0); - if (!IS_ERR(instkey)) { - /* it is - use that instantiation context here too */ - irka = instkey->payload.data; - rka->context = irka->context; - rka->pid = irka->pid; - key_put(instkey); - } - else { - /* it isn't - use this process as the context */ - rka->context = current; - rka->pid = current->pid; - } - - rka->target_key = key_get((struct key *) data); - key->payload.data = rka; - ret = 0; +/* + * Describe an authorisation token. + */ +static void request_key_auth_describe(const struct key *key, + struct seq_file *m) +{ + struct request_key_auth *rka = key->payload.data; + + seq_puts(m, "key:"); + seq_puts(m, key->description); + if (key_is_instantiated(key)) + seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len); +} + +/* + * Read the callout_info data (retrieves the callout information). + * - the key's semaphore is read-locked + */ +static long request_key_auth_read(const struct key *key, + char __user *buffer, size_t buflen) +{ + struct request_key_auth *rka = key->payload.data; + size_t datalen; + long ret; + + datalen = rka->callout_len; + ret = datalen; + + /* we can return the data as is */ + if (buffer && buflen > 0) { + if (buflen > datalen) + buflen = datalen; + + if (copy_to_user(buffer, rka->callout_info, buflen) != 0) + ret = -EFAULT; } return ret; +} -} /* end request_key_auth_instantiate() */ - -/*****************************************************************************/ /* + * Handle revocation of an authorisation token key. * + * Called with the key sem write-locked. */ -static void request_key_auth_describe(const struct key *key, - struct seq_file *m) +static void request_key_auth_revoke(struct key *key) { struct request_key_auth *rka = key->payload.data; - seq_puts(m, "key:"); - seq_puts(m, key->description); - seq_printf(m, " pid:%d", rka->pid); + kenter("{%d}", key->serial); -} /* end request_key_auth_describe() */ + if (rka->cred) { + put_cred(rka->cred); + rka->cred = NULL; + } +} -/*****************************************************************************/ /* - * destroy an instantiation authorisation token key + * Destroy an instantiation authorisation token key. */ static void request_key_auth_destroy(struct key *key) { @@ -97,87 +116,147 @@ static void request_key_auth_destroy(struct key *key) kenter("{%d}", key->serial); + if (rka->cred) { + put_cred(rka->cred); + rka->cred = NULL; + } + key_put(rka->target_key); + key_put(rka->dest_keyring); + kfree(rka->callout_info); kfree(rka); +} -} /* end request_key_auth_destroy() */ - -/*****************************************************************************/ /* - * create a session keyring to be for the invokation of /sbin/request-key and - * stick an authorisation token in it + * Create an authorisation token for /sbin/request-key or whoever to gain + * access to the caller's security data. */ -struct key *request_key_auth_new(struct key *target, struct key **_rkakey) +struct key *request_key_auth_new(struct key *target, const void *callout_info, + size_t callout_len, struct key *dest_keyring) { - struct key *keyring, *rkakey = NULL; + struct request_key_auth *rka, *irka; + const struct cred *cred = current->cred; + struct key *authkey = NULL; char desc[20]; int ret; kenter("%d,", target->serial); - /* allocate a new session keyring */ - sprintf(desc, "_req.%u", target->serial); + /* allocate a auth record */ + rka = kmalloc(sizeof(*rka), GFP_KERNEL); + if (!rka) { + kleave(" = -ENOMEM"); + return ERR_PTR(-ENOMEM); + } + rka->callout_info = kmalloc(callout_len, GFP_KERNEL); + if (!rka->callout_info) { + kleave(" = -ENOMEM"); + kfree(rka); + return ERR_PTR(-ENOMEM); + } + + /* see if the calling process is already servicing the key request of + * another process */ + if (cred->request_key_auth) { + /* it is - use that instantiation context here too */ + down_read(&cred->request_key_auth->sem); - keyring = keyring_alloc(desc, current->fsuid, current->fsgid, 1, NULL); - if (IS_ERR(keyring)) { - kleave("= %ld", PTR_ERR(keyring)); - return keyring; + /* if the auth key has been revoked, then the key we're + * servicing is already instantiated */ + if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags)) + goto auth_key_revoked; + + irka = cred->request_key_auth->payload.data; + rka->cred = get_cred(irka->cred); + rka->pid = irka->pid; + + up_read(&cred->request_key_auth->sem); + } + else { + /* it isn't - use this process as the context */ + rka->cred = get_cred(cred); + rka->pid = current->pid; } + rka->target_key = key_get(target); + rka->dest_keyring = key_get(dest_keyring); + memcpy(rka->callout_info, callout_info, callout_len); + rka->callout_len = callout_len; + /* allocate the auth key */ sprintf(desc, "%x", target->serial); - rkakey = key_alloc(&key_type_request_key_auth, desc, - current->fsuid, current->fsgid, - KEY_POS_VIEW | KEY_USR_VIEW, 1); - if (IS_ERR(rkakey)) { - key_put(keyring); - kleave("= %ld", PTR_ERR(rkakey)); - return rkakey; + authkey = key_alloc(&key_type_request_key_auth, desc, + cred->fsuid, cred->fsgid, cred, + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | + KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(authkey)) { + ret = PTR_ERR(authkey); + goto error_alloc; } - /* construct and attach to the keyring */ - ret = key_instantiate_and_link(rkakey, target, 0, keyring, NULL); - if (ret < 0) { - key_revoke(rkakey); - key_put(rkakey); - key_put(keyring); - kleave("= %d", ret); - return ERR_PTR(ret); - } + /* construct the auth key */ + ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL); + if (ret < 0) + goto error_inst; - *_rkakey = rkakey; - kleave(" = {%d} ({%d})", keyring->serial, rkakey->serial); - return keyring; + kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage)); + return authkey; -} /* end request_key_auth_new() */ +auth_key_revoked: + up_read(&cred->request_key_auth->sem); + kfree(rka->callout_info); + kfree(rka); + kleave("= -EKEYREVOKED"); + return ERR_PTR(-EKEYREVOKED); + +error_inst: + key_revoke(authkey); + key_put(authkey); +error_alloc: + key_put(rka->target_key); + key_put(rka->dest_keyring); + kfree(rka->callout_info); + kfree(rka); + kleave("= %d", ret); + return ERR_PTR(ret); +} -/*****************************************************************************/ /* - * get the authorisation key for instantiation of a specific key if attached to - * the current process's keyrings - * - this key is inserted into a keyring and that is set as /sbin/request-key's - * session keyring - * - a target_id of zero specifies any valid token + * Search the current process's keyrings for the authorisation key for + * instantiation of a key. */ struct key *key_get_instantiation_authkey(key_serial_t target_id) { - struct task_struct *tsk = current; - struct key *instkey; + char description[16]; + struct keyring_search_context ctx = { + .index_key.type = &key_type_request_key_auth, + .index_key.description = description, + .cred = current_cred(), + .match = user_match, + .match_data = description, + .flags = KEYRING_SEARCH_LOOKUP_DIRECT, + }; + struct key *authkey; + key_ref_t authkey_ref; - /* we must have our own personal session keyring */ - if (!tsk->signal->session_keyring) - return ERR_PTR(-EACCES); + sprintf(description, "%x", target_id); - /* and it must contain a suitable request authorisation key - * - lock RCU against session keyring changing - */ - rcu_read_lock(); + authkey_ref = search_process_keyrings(&ctx); - instkey = keyring_search_instkey( - rcu_dereference(tsk->signal->session_keyring), target_id); + if (IS_ERR(authkey_ref)) { + authkey = ERR_CAST(authkey_ref); + if (authkey == ERR_PTR(-EAGAIN)) + authkey = ERR_PTR(-ENOKEY); + goto error; + } - rcu_read_unlock(); - return instkey; + authkey = key_ref_to_ptr(authkey_ref); + if (test_bit(KEY_FLAG_REVOKED, &authkey->flags)) { + key_put(authkey); + authkey = ERR_PTR(-EKEYREVOKED); + } -} /* end key_get_instantiation_authkey() */ +error: + return authkey; +} |