Blame - security/keys/request_key_auth.c - kernel/msm-4.9

blob: 60d4e3f5e4bb21373900fb4cedb0907f61f68ea1 [file] [log] [blame]

David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	1	/* Request key authorisation token key definition.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	2	*
				3	* Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
				4	* Written by David Howells (dhowells@redhat.com)
				5	*
				6	* This program is free software; you can redistribute it and/or
				7	* modify it under the terms of the GNU General Public License
				8	* as published by the Free Software Foundation; either version
				9	* 2 of the License, or (at your option) any later version.
David Howells	f1a9bad	2005-10-07 15:04:52 +0100	[diff] [blame]	10	*
Randy Dunlap	d410fa4	2011-05-19 15:59:38 -0700	[diff] [blame]	11	* See Documentation/security/keys-request-key.txt
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	12	*/
				13
				14	#include <linux/module.h>
				15	#include <linux/sched.h>
				16	#include <linux/err.h>
				17	#include <linux/seq_file.h>
Robert P. J. Day	fdb89bc	2008-04-29 01:01:32 -0700	[diff] [blame]	18	#include <linux/slab.h>
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	19	#include <asm/uaccess.h>
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	20	#include "internal.h"
				21
				22	static int request_key_auth_instantiate(struct key , const void , size_t);
				23	static void request_key_auth_describe(const struct key , struct seq_file );
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	24	static void request_key_auth_revoke(struct key *);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	25	static void request_key_auth_destroy(struct key *);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	26	static long request_key_auth_read(const struct key , char __user , size_t);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	27
				28	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	29	* The request-key authorisation key type definition.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	30	*/
				31	struct key_type key_type_request_key_auth = {
				32	.name = ".request_key_auth",
				33	.def_datalen = sizeof(struct request_key_auth),
				34	.instantiate = request_key_auth_instantiate,
				35	.describe = request_key_auth_describe,
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	36	.revoke = request_key_auth_revoke,
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	37	.destroy = request_key_auth_destroy,
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	38	.read = request_key_auth_read,
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	39	};
				40
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	41	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	42	* Instantiate a request-key authorisation key.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	43	*/
				44	static int request_key_auth_instantiate(struct key *key,
				45	const void *data,
				46	size_t datalen)
				47	{
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	48	key->payload.data = (struct request_key_auth *) data;
				49	return 0;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	50	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	51
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	52	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	53	* Describe an authorisation token.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	54	*/
				55	static void request_key_auth_describe(const struct key *key,
				56	struct seq_file *m)
				57	{
				58	struct request_key_auth *rka = key->payload.data;
				59
				60	seq_puts(m, "key:");
				61	seq_puts(m, key->description);
David Howells	78b7280	2011-03-11 17:57:23 +0000	[diff] [blame]	62	if (key_is_instantiated(key))
				63	seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	64	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	65
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	66	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	67	* Read the callout_info data (retrieves the callout information).
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	68	* - the key's semaphore is read-locked
				69	*/
				70	static long request_key_auth_read(const struct key *key,
				71	char __user *buffer, size_t buflen)
				72	{
				73	struct request_key_auth *rka = key->payload.data;
				74	size_t datalen;
				75	long ret;
				76
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	77	datalen = rka->callout_len;
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	78	ret = datalen;
				79
				80	/* we can return the data as is */
				81	if (buffer && buflen > 0) {
				82	if (buflen > datalen)
				83	buflen = datalen;
				84
				85	if (copy_to_user(buffer, rka->callout_info, buflen) != 0)
				86	ret = -EFAULT;
				87	}
				88
				89	return ret;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	90	}
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	91
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	92	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	93	* Handle revocation of an authorisation token key.
				94	*
				95	* Called with the key sem write-locked.
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	96	*/
				97	static void request_key_auth_revoke(struct key *key)
				98	{
				99	struct request_key_auth *rka = key->payload.data;
				100
				101	kenter("{%d}", key->serial);
				102
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	103	if (rka->cred) {
				104	put_cred(rka->cred);
				105	rka->cred = NULL;
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	106	}
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	107	}
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	108
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	109	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	110	* Destroy an instantiation authorisation token key.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	111	*/
				112	static void request_key_auth_destroy(struct key *key)
				113	{
				114	struct request_key_auth *rka = key->payload.data;
				115
				116	kenter("{%d}", key->serial);
				117
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	118	if (rka->cred) {
				119	put_cred(rka->cred);
				120	rka->cred = NULL;
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	121	}
				122
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	123	key_put(rka->target_key);
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	124	key_put(rka->dest_keyring);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	125	kfree(rka->callout_info);
David Howells	74fd92c	2005-10-07 15:01:09 +0100	[diff] [blame]	126	kfree(rka);
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	127	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	128
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	129	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	130	* Create an authorisation token for /sbin/request-key or whoever to gain
				131	* access to the caller's security data.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	132	*/
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	133	struct key request_key_auth_new(struct key target, const void *callout_info,
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	134	size_t callout_len, struct key *dest_keyring)
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	135	{
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	136	struct request_key_auth rka, irka;
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	137	const struct cred *cred = current->cred;
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	138	struct key *authkey = NULL;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	139	char desc[20];
				140	int ret;
				141
				142	kenter("%d,", target->serial);
				143
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	144	/* allocate a auth record */
				145	rka = kmalloc(sizeof(*rka), GFP_KERNEL);
				146	if (!rka) {
				147	kleave(" = -ENOMEM");
				148	return ERR_PTR(-ENOMEM);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	149	}
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	150	rka->callout_info = kmalloc(callout_len, GFP_KERNEL);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	151	if (!rka->callout_info) {
				152	kleave(" = -ENOMEM");
				153	kfree(rka);
				154	return ERR_PTR(-ENOMEM);
				155	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	156
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	157	/* see if the calling process is already servicing the key request of
				158	* another process */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	159	if (cred->request_key_auth) {
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	160	/* it is - use that instantiation context here too */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	161	down_read(&cred->request_key_auth->sem);
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	162
				163	/* if the auth key has been revoked, then the key we're
				164	* servicing is already instantiated */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	165	if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags))
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	166	goto auth_key_revoked;
				167
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	168	irka = cred->request_key_auth->payload.data;
				169	rka->cred = get_cred(irka->cred);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	170	rka->pid = irka->pid;
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	171
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	172	up_read(&cred->request_key_auth->sem);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	173	}
				174	else {
				175	/* it isn't - use this process as the context */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	176	rka->cred = get_cred(cred);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	177	rka->pid = current->pid;
				178	}
				179
				180	rka->target_key = key_get(target);
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	181	rka->dest_keyring = key_get(dest_keyring);
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	182	memcpy(rka->callout_info, callout_info, callout_len);
				183	rka->callout_len = callout_len;
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	184
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	185	/* allocate the auth key */
				186	sprintf(desc, "%x", target->serial);
				187
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	188	authkey = key_alloc(&key_type_request_key_auth, desc,
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	189	cred->fsuid, cred->fsgid, cred,
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	190	KEY_POS_VIEW \| KEY_POS_READ \| KEY_POS_SEARCH \|
David Howells	7e047ef	2006-06-26 00:24:50 -0700	[diff] [blame]	191	KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	192	if (IS_ERR(authkey)) {
				193	ret = PTR_ERR(authkey);
				194	goto error_alloc;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	195	}
				196
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	197	/* construct the auth key */
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	198	ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
				199	if (ret < 0)
				200	goto error_inst;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	201
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	202	kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	203	return authkey;
				204
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	205	auth_key_revoked:
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	206	up_read(&cred->request_key_auth->sem);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	207	kfree(rka->callout_info);
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	208	kfree(rka);
				209	kleave("= -EKEYREVOKED");
				210	return ERR_PTR(-EKEYREVOKED);
				211
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	212	error_inst:
				213	key_revoke(authkey);
				214	key_put(authkey);
				215	error_alloc:
				216	key_put(rka->target_key);
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	217	key_put(rka->dest_keyring);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	218	kfree(rka->callout_info);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	219	kfree(rka);
				220	kleave("= %d", ret);
				221	return ERR_PTR(ret);
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	222	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	223
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	224	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	225	* See if an authorisation key is associated with a particular key.
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	226	*/
				227	static int key_get_instantiation_authkey_match(const struct key *key,
				228	const void *_id)
				229	{
				230	struct request_key_auth *rka = key->payload.data;
				231	key_serial_t id = (key_serial_t)(unsigned long) _id;
				232
				233	return rka->target_key->serial == id;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	234	}
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	235
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	236	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	237	* Search the current process's keyrings for the authorisation key for
				238	* instantiation of a key.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	239	*/
				240	struct key *key_get_instantiation_authkey(key_serial_t target_id)
				241	{
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	242	const struct cred *cred = current_cred();
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	243	struct key *authkey;
				244	key_ref_t authkey_ref;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	245
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	246	authkey_ref = search_process_keyrings(
				247	&key_type_request_key_auth,
				248	(void *) (unsigned long) target_id,
				249	key_get_instantiation_authkey_match,
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	250	cred);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	251
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	252	if (IS_ERR(authkey_ref)) {
David Howells	e231c2e	2008-02-07 00:15:26 -0800	[diff] [blame]	253	authkey = ERR_CAST(authkey_ref);
David Howells	4d67431	2011-06-13 22:33:52 +0100	[diff] [blame]	254	if (authkey == ERR_PTR(-EAGAIN))
				255	authkey = ERR_PTR(-ENOKEY);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	256	goto error;
				257	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	258
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	259	authkey = key_ref_to_ptr(authkey_ref);
				260	if (test_bit(KEY_FLAG_REVOKED, &authkey->flags)) {
				261	key_put(authkey);
				262	authkey = ERR_PTR(-EKEYREVOKED);
				263	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	264
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	265	error:
				266	return authkey;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	267	}