Blame - security/keys/request_key_auth.c - kernel/msm-4.9

blob: 68164031a74e0bc225844037ceedd45a40fc94cb [file] [log] [blame]

David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	1	/* Request key authorisation token key definition.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	2	*
				3	* Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
				4	* Written by David Howells (dhowells@redhat.com)
				5	*
				6	* This program is free software; you can redistribute it and/or
				7	* modify it under the terms of the GNU General Public License
				8	* as published by the Free Software Foundation; either version
				9	* 2 of the License, or (at your option) any later version.
David Howells	f1a9bad	2005-10-07 15:04:52 +0100	[diff] [blame]	10	*
				11	* See Documentation/keys-request-key.txt
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	12	*/
				13
				14	#include <linux/module.h>
				15	#include <linux/sched.h>
				16	#include <linux/err.h>
				17	#include <linux/seq_file.h>
Robert P. J. Day	fdb89bc	2008-04-29 01:01:32 -0700	[diff] [blame]	18	#include <linux/slab.h>
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	19	#include <asm/uaccess.h>
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	20	#include "internal.h"
				21
				22	static int request_key_auth_instantiate(struct key , const void , size_t);
				23	static void request_key_auth_describe(const struct key , struct seq_file );
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	24	static void request_key_auth_revoke(struct key *);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	25	static void request_key_auth_destroy(struct key *);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	26	static long request_key_auth_read(const struct key , char __user , size_t);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	27
				28	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	29	* The request-key authorisation key type definition.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	30	*/
				31	struct key_type key_type_request_key_auth = {
				32	.name = ".request_key_auth",
				33	.def_datalen = sizeof(struct request_key_auth),
				34	.instantiate = request_key_auth_instantiate,
				35	.describe = request_key_auth_describe,
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	36	.revoke = request_key_auth_revoke,
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	37	.destroy = request_key_auth_destroy,
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	38	.read = request_key_auth_read,
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	39	};
				40
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	41	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	42	* Instantiate a request-key authorisation key.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	43	*/
				44	static int request_key_auth_instantiate(struct key *key,
				45	const void *data,
				46	size_t datalen)
				47	{
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	48	key->payload.data = (struct request_key_auth *) data;
				49	return 0;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	50	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	51
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	52	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	53	* Describe an authorisation token.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	54	*/
				55	static void request_key_auth_describe(const struct key *key,
				56	struct seq_file *m)
				57	{
				58	struct request_key_auth *rka = key->payload.data;
				59
				60	seq_puts(m, "key:");
				61	seq_puts(m, key->description);
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	62	seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	63	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	64
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	65	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	66	* Read the callout_info data (retrieves the callout information).
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	67	* - the key's semaphore is read-locked
				68	*/
				69	static long request_key_auth_read(const struct key *key,
				70	char __user *buffer, size_t buflen)
				71	{
				72	struct request_key_auth *rka = key->payload.data;
				73	size_t datalen;
				74	long ret;
				75
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	76	datalen = rka->callout_len;
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	77	ret = datalen;
				78
				79	/* we can return the data as is */
				80	if (buffer && buflen > 0) {
				81	if (buflen > datalen)
				82	buflen = datalen;
				83
				84	if (copy_to_user(buffer, rka->callout_info, buflen) != 0)
				85	ret = -EFAULT;
				86	}
				87
				88	return ret;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	89	}
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	90
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	91	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	92	* Handle revocation of an authorisation token key.
				93	*
				94	* Called with the key sem write-locked.
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	95	*/
				96	static void request_key_auth_revoke(struct key *key)
				97	{
				98	struct request_key_auth *rka = key->payload.data;
				99
				100	kenter("{%d}", key->serial);
				101
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	102	if (rka->cred) {
				103	put_cred(rka->cred);
				104	rka->cred = NULL;
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	105	}
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	106	}
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	107
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	108	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	109	* Destroy an instantiation authorisation token key.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	110	*/
				111	static void request_key_auth_destroy(struct key *key)
				112	{
				113	struct request_key_auth *rka = key->payload.data;
				114
				115	kenter("{%d}", key->serial);
				116
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	117	if (rka->cred) {
				118	put_cred(rka->cred);
				119	rka->cred = NULL;
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	120	}
				121
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	122	key_put(rka->target_key);
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	123	key_put(rka->dest_keyring);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	124	kfree(rka->callout_info);
David Howells	74fd92c	2005-10-07 15:01:09 +0100	[diff] [blame]	125	kfree(rka);
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	126	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	127
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	128	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	129	* Create an authorisation token for /sbin/request-key or whoever to gain
				130	* access to the caller's security data.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	131	*/
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	132	struct key request_key_auth_new(struct key target, const void *callout_info,
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	133	size_t callout_len, struct key *dest_keyring)
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	134	{
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	135	struct request_key_auth rka, irka;
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	136	const struct cred *cred = current->cred;
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	137	struct key *authkey = NULL;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	138	char desc[20];
				139	int ret;
				140
				141	kenter("%d,", target->serial);
				142
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	143	/* allocate a auth record */
				144	rka = kmalloc(sizeof(*rka), GFP_KERNEL);
				145	if (!rka) {
				146	kleave(" = -ENOMEM");
				147	return ERR_PTR(-ENOMEM);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	148	}
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	149	rka->callout_info = kmalloc(callout_len, GFP_KERNEL);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	150	if (!rka->callout_info) {
				151	kleave(" = -ENOMEM");
				152	kfree(rka);
				153	return ERR_PTR(-ENOMEM);
				154	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	155
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	156	/* see if the calling process is already servicing the key request of
				157	* another process */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	158	if (cred->request_key_auth) {
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	159	/* it is - use that instantiation context here too */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	160	down_read(&cred->request_key_auth->sem);
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	161
				162	/* if the auth key has been revoked, then the key we're
				163	* servicing is already instantiated */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	164	if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags))
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	165	goto auth_key_revoked;
				166
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	167	irka = cred->request_key_auth->payload.data;
				168	rka->cred = get_cred(irka->cred);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	169	rka->pid = irka->pid;
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	170
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	171	up_read(&cred->request_key_auth->sem);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	172	}
				173	else {
				174	/* it isn't - use this process as the context */
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	175	rka->cred = get_cred(cred);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	176	rka->pid = current->pid;
				177	}
				178
				179	rka->target_key = key_get(target);
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	180	rka->dest_keyring = key_get(dest_keyring);
David Howells	4a38e12	2008-04-29 01:01:24 -0700	[diff] [blame]	181	memcpy(rka->callout_info, callout_info, callout_len);
				182	rka->callout_len = callout_len;
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	183
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	184	/* allocate the auth key */
				185	sprintf(desc, "%x", target->serial);
				186
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	187	authkey = key_alloc(&key_type_request_key_auth, desc,
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	188	cred->fsuid, cred->fsgid, cred,
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	189	KEY_POS_VIEW \| KEY_POS_READ \| KEY_POS_SEARCH \|
David Howells	7e047ef	2006-06-26 00:24:50 -0700	[diff] [blame]	190	KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	191	if (IS_ERR(authkey)) {
				192	ret = PTR_ERR(authkey);
				193	goto error_alloc;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	194	}
				195
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	196	/* construct the auth key */
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	197	ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
				198	if (ret < 0)
				199	goto error_inst;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	200
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	201	kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	202	return authkey;
				203
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	204	auth_key_revoked:
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	205	up_read(&cred->request_key_auth->sem);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	206	kfree(rka->callout_info);
David Howells	04c567d	2006-06-22 14:47:18 -0700	[diff] [blame]	207	kfree(rka);
				208	kleave("= -EKEYREVOKED");
				209	return ERR_PTR(-EKEYREVOKED);
				210
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	211	error_inst:
				212	key_revoke(authkey);
				213	key_put(authkey);
				214	error_alloc:
				215	key_put(rka->target_key);
David Howells	8bbf4976	2008-11-14 10:39:14 +1100	[diff] [blame]	216	key_put(rka->dest_keyring);
David Howells	76181c1	2007-10-16 23:29:46 -0700	[diff] [blame]	217	kfree(rka->callout_info);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	218	kfree(rka);
				219	kleave("= %d", ret);
				220	return ERR_PTR(ret);
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	221	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	222
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	223	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	224	* See if an authorisation key is associated with a particular key.
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	225	*/
				226	static int key_get_instantiation_authkey_match(const struct key *key,
				227	const void *_id)
				228	{
				229	struct request_key_auth *rka = key->payload.data;
				230	key_serial_t id = (key_serial_t)(unsigned long) _id;
				231
				232	return rka->target_key->serial == id;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	233	}
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	234
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	235	/*
David Howells	973c9f4	2011-01-20 16:38:33 +0000	[diff] [blame]	236	* Search the current process's keyrings for the authorisation key for
				237	* instantiation of a key.
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	238	*/
				239	struct key *key_get_instantiation_authkey(key_serial_t target_id)
				240	{
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	241	const struct cred *cred = current_cred();
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	242	struct key *authkey;
				243	key_ref_t authkey_ref;
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	244
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	245	authkey_ref = search_process_keyrings(
				246	&key_type_request_key_auth,
				247	(void *) (unsigned long) target_id,
				248	key_get_instantiation_authkey_match,
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	249	cred);
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	250
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	251	if (IS_ERR(authkey_ref)) {
David Howells	e231c2e	2008-02-07 00:15:26 -0800	[diff] [blame]	252	authkey = ERR_CAST(authkey_ref);
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	253	goto error;
				254	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	255
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	256	authkey = key_ref_to_ptr(authkey_ref);
				257	if (test_bit(KEY_FLAG_REVOKED, &authkey->flags)) {
				258	key_put(authkey);
				259	authkey = ERR_PTR(-EKEYREVOKED);
				260	}
David Howells	3e30148	2005-06-23 22:00:56 -0700	[diff] [blame]	261
David Howells	b5f545c	2006-01-08 01:02:47 -0800	[diff] [blame]	262	error:
				263	return authkey;
David Howells	a8b17ed	2011-01-20 16:38:27 +0000	[diff] [blame]	264	}