1// SPDX-License-Identifier: GPL-2.0-or-later
  2/* Request key authorisation token key definition.
  3 *
  4 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
  5 * Written by David Howells (dhowells@redhat.com)
  6 *
  7 * See Documentation/security/keys/request-key.rst
 
 
 
 
 
  8 */
  9
 
 10#include <linux/sched.h>
 11#include <linux/err.h>
 12#include <linux/seq_file.h>
 13#include <linux/slab.h>
 14#include <linux/uaccess.h>
 15#include "internal.h"
 16#include <keys/request_key_auth-type.h>
 17
 18static int request_key_auth_preparse(struct key_preparsed_payload *);
 19static void request_key_auth_free_preparse(struct key_preparsed_payload *);
 20static int request_key_auth_instantiate(struct key *,
 21					struct key_preparsed_payload *);
 22static void request_key_auth_describe(const struct key *, struct seq_file *);
 23static void request_key_auth_revoke(struct key *);
 24static void request_key_auth_destroy(struct key *);
 25static long request_key_auth_read(const struct key *, char *, size_t);
 26
 27/*
 28 * The request-key authorisation key type definition.
 29 */
 30struct key_type key_type_request_key_auth = {
 31	.name		= ".request_key_auth",
 32	.def_datalen	= sizeof(struct request_key_auth),
 33	.preparse	= request_key_auth_preparse,
 34	.free_preparse	= request_key_auth_free_preparse,
 35	.instantiate	= request_key_auth_instantiate,
 36	.describe	= request_key_auth_describe,
 37	.revoke		= request_key_auth_revoke,
 38	.destroy	= request_key_auth_destroy,
 39	.read		= request_key_auth_read,
 40};
 41
 42static int request_key_auth_preparse(struct key_preparsed_payload *prep)
 43{
 44	return 0;
 45}
 46
 47static void request_key_auth_free_preparse(struct key_preparsed_payload *prep)
 48{
 49}
 50
 51/*
 52 * Instantiate a request-key authorisation key.
 53 */
 54static int request_key_auth_instantiate(struct key *key,
 55					struct key_preparsed_payload *prep)
 56{
 57	rcu_assign_keypointer(key, (struct request_key_auth *)prep->data);
 58	return 0;
 59}
 60
 61/*
 62 * Describe an authorisation token.
 63 */
 64static void request_key_auth_describe(const struct key *key,
 65				      struct seq_file *m)
 66{
 67	struct request_key_auth *rka = dereference_key_rcu(key);
 68
 69	if (!rka)
 70		return;
 71
 72	seq_puts(m, "key:");
 73	seq_puts(m, key->description);
 74	if (key_is_positive(key))
 75		seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
 76}
 77
 78/*
 79 * Read the callout_info data (retrieves the callout information).
 80 * - the key's semaphore is read-locked
 81 */
 82static long request_key_auth_read(const struct key *key,
 83				  char *buffer, size_t buflen)
 84{
 85	struct request_key_auth *rka = dereference_key_locked(key);
 86	size_t datalen;
 87	long ret;
 88
 89	if (!rka)
 90		return -EKEYREVOKED;
 91
 92	datalen = rka->callout_len;
 93	ret = datalen;
 94
 95	/* we can return the data as is */
 96	if (buffer && buflen > 0) {
 97		if (buflen > datalen)
 98			buflen = datalen;
 99
100		memcpy(buffer, rka->callout_info, buflen);
 
101	}
102
103	return ret;
104}
105
106static void free_request_key_auth(struct request_key_auth *rka)
107{
108	if (!rka)
109		return;
110	key_put(rka->target_key);
111	key_put(rka->dest_keyring);
112	if (rka->cred)
113		put_cred(rka->cred);
114	kfree(rka->callout_info);
115	kfree(rka);
116}
117
118/*
119 * Dispose of the request_key_auth record under RCU conditions
120 */
121static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
122{
123	struct request_key_auth *rka =
124		container_of(rcu, struct request_key_auth, rcu);
125
126	free_request_key_auth(rka);
127}
128
129/*
130 * Handle revocation of an authorisation token key.
131 *
132 * Called with the key sem write-locked.
133 */
134static void request_key_auth_revoke(struct key *key)
135{
136	struct request_key_auth *rka = dereference_key_locked(key);
137
138	kenter("{%d}", key->serial);
139	rcu_assign_keypointer(key, NULL);
140	call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
 
 
 
141}
142
143/*
144 * Destroy an instantiation authorisation token key.
145 */
146static void request_key_auth_destroy(struct key *key)
147{
148	struct request_key_auth *rka = rcu_access_pointer(key->payload.rcu_data0);
149
150	kenter("{%d}", key->serial);
151	if (rka) {
152		rcu_assign_keypointer(key, NULL);
153		call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
 
154	}
 
 
 
 
 
155}
156
157/*
158 * Create an authorisation token for /sbin/request-key or whoever to gain
159 * access to the caller's security data.
160 */
161struct key *request_key_auth_new(struct key *target, const char *op,
162				 const void *callout_info, size_t callout_len,
163				 struct key *dest_keyring)
164{
165	struct request_key_auth *rka, *irka;
166	const struct cred *cred = current_cred();
167	struct key *authkey = NULL;
168	char desc[20];
169	int ret = -ENOMEM;
170
171	kenter("%d,", target->serial);
172
173	/* allocate a auth record */
174	rka = kzalloc(sizeof(*rka), GFP_KERNEL);
175	if (!rka)
176		goto error;
177	rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
178	if (!rka->callout_info)
179		goto error_free_rka;
180	rka->callout_len = callout_len;
181	strlcpy(rka->op, op, sizeof(rka->op));
 
 
 
182
183	/* see if the calling process is already servicing the key request of
184	 * another process */
185	if (cred->request_key_auth) {
186		/* it is - use that instantiation context here too */
187		down_read(&cred->request_key_auth->sem);
188
189		/* if the auth key has been revoked, then the key we're
190		 * servicing is already instantiated */
191		if (test_bit(KEY_FLAG_REVOKED,
192			     &cred->request_key_auth->flags)) {
193			up_read(&cred->request_key_auth->sem);
194			ret = -EKEYREVOKED;
195			goto error_free_rka;
196		}
197
198		irka = cred->request_key_auth->payload.data[0];
199		rka->cred = get_cred(irka->cred);
200		rka->pid = irka->pid;
201
202		up_read(&cred->request_key_auth->sem);
203	}
204	else {
205		/* it isn't - use this process as the context */
206		rka->cred = get_cred(cred);
207		rka->pid = current->pid;
208	}
209
210	rka->target_key = key_get(target);
211	rka->dest_keyring = key_get(dest_keyring);
 
 
212
213	/* allocate the auth key */
214	sprintf(desc, "%x", target->serial);
215
216	authkey = key_alloc(&key_type_request_key_auth, desc,
217			    cred->fsuid, cred->fsgid, cred,
218			    KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK |
219			    KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL);
220	if (IS_ERR(authkey)) {
221		ret = PTR_ERR(authkey);
222		goto error_free_rka;
223	}
224
225	/* construct the auth key */
226	ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
227	if (ret < 0)
228		goto error_put_authkey;
229
230	kleave(" = {%d,%d}", authkey->serial, refcount_read(&authkey->usage));
231	return authkey;
232
233error_put_authkey:
 
 
 
 
 
 
 
 
234	key_put(authkey);
235error_free_rka:
236	free_request_key_auth(rka);
237error:
 
 
238	kleave("= %d", ret);
239	return ERR_PTR(ret);
240}
241
242/*
243 * Search the current process's keyrings for the authorisation key for
244 * instantiation of a key.
245 */
246struct key *key_get_instantiation_authkey(key_serial_t target_id)
247{
248	char description[16];
249	struct keyring_search_context ctx = {
250		.index_key.type		= &key_type_request_key_auth,
251		.index_key.description	= description,
252		.cred			= current_cred(),
253		.match_data.cmp		= key_default_cmp,
254		.match_data.raw_data	= description,
255		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
256		.flags			= (KEYRING_SEARCH_DO_STATE_CHECK |
257					   KEYRING_SEARCH_RECURSE),
258	};
259	struct key *authkey;
260	key_ref_t authkey_ref;
261
262	ctx.index_key.desc_len = sprintf(description, "%x", target_id);
263
264	rcu_read_lock();
265	authkey_ref = search_process_keyrings_rcu(&ctx);
266	rcu_read_unlock();
267
268	if (IS_ERR(authkey_ref)) {
269		authkey = ERR_CAST(authkey_ref);
270		if (authkey == ERR_PTR(-EAGAIN))
271			authkey = ERR_PTR(-ENOKEY);
272		goto error;
273	}
274
275	authkey = key_ref_to_ptr(authkey_ref);
276	if (test_bit(KEY_FLAG_REVOKED, &authkey->flags)) {
277		key_put(authkey);
278		authkey = ERR_PTR(-EKEYREVOKED);
279	}
280
281error:
282	return authkey;
283}

 
  1/* Request key authorisation token key definition.
  2 *
  3 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
  4 * Written by David Howells (dhowells@redhat.com)
  5 *
  6 * This program is free software; you can redistribute it and/or
  7 * modify it under the terms of the GNU General Public License
  8 * as published by the Free Software Foundation; either version
  9 * 2 of the License, or (at your option) any later version.
 10 *
 11 * See Documentation/security/keys-request-key.txt
 12 */
 13
 14#include <linux/module.h>
 15#include <linux/sched.h>
 16#include <linux/err.h>
 17#include <linux/seq_file.h>
 18#include <linux/slab.h>
 19#include <asm/uaccess.h>
 20#include "internal.h"
 21#include <keys/user-type.h>
 22
 
 
 23static int request_key_auth_instantiate(struct key *,
 24					struct key_preparsed_payload *);
 25static void request_key_auth_describe(const struct key *, struct seq_file *);
 26static void request_key_auth_revoke(struct key *);
 27static void request_key_auth_destroy(struct key *);
 28static long request_key_auth_read(const struct key *, char __user *, size_t);
 29
 30/*
 31 * The request-key authorisation key type definition.
 32 */
 33struct key_type key_type_request_key_auth = {
 34	.name		= ".request_key_auth",
 35	.def_datalen	= sizeof(struct request_key_auth),
 
 
 36	.instantiate	= request_key_auth_instantiate,
 37	.describe	= request_key_auth_describe,
 38	.revoke		= request_key_auth_revoke,
 39	.destroy	= request_key_auth_destroy,
 40	.read		= request_key_auth_read,
 41};
 42
 
 
 
 
 
 
 
 
 
 43/*
 44 * Instantiate a request-key authorisation key.
 45 */
 46static int request_key_auth_instantiate(struct key *key,
 47					struct key_preparsed_payload *prep)
 48{
 49	key->payload.data = (struct request_key_auth *)prep->data;
 50	return 0;
 51}
 52
 53/*
 54 * Describe an authorisation token.
 55 */
 56static void request_key_auth_describe(const struct key *key,
 57				      struct seq_file *m)
 58{
 59	struct request_key_auth *rka = key->payload.data;
 
 
 
 60
 61	seq_puts(m, "key:");
 62	seq_puts(m, key->description);
 63	if (key_is_instantiated(key))
 64		seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
 65}
 66
 67/*
 68 * Read the callout_info data (retrieves the callout information).
 69 * - the key's semaphore is read-locked
 70 */
 71static long request_key_auth_read(const struct key *key,
 72				  char __user *buffer, size_t buflen)
 73{
 74	struct request_key_auth *rka = key->payload.data;
 75	size_t datalen;
 76	long ret;
 77
 
 
 
 78	datalen = rka->callout_len;
 79	ret = datalen;
 80
 81	/* we can return the data as is */
 82	if (buffer && buflen > 0) {
 83		if (buflen > datalen)
 84			buflen = datalen;
 85
 86		if (copy_to_user(buffer, rka->callout_info, buflen) != 0)
 87			ret = -EFAULT;
 88	}
 89
 90	return ret;
 91}
 92
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 93/*
 94 * Handle revocation of an authorisation token key.
 95 *
 96 * Called with the key sem write-locked.
 97 */
 98static void request_key_auth_revoke(struct key *key)
 99{
100	struct request_key_auth *rka = key->payload.data;
101
102	kenter("{%d}", key->serial);
103
104	if (rka->cred) {
105		put_cred(rka->cred);
106		rka->cred = NULL;
107	}
108}
109
110/*
111 * Destroy an instantiation authorisation token key.
112 */
113static void request_key_auth_destroy(struct key *key)
114{
115	struct request_key_auth *rka = key->payload.data;
116
117	kenter("{%d}", key->serial);
118
119	if (rka->cred) {
120		put_cred(rka->cred);
121		rka->cred = NULL;
122	}
123
124	key_put(rka->target_key);
125	key_put(rka->dest_keyring);
126	kfree(rka->callout_info);
127	kfree(rka);
128}
129
130/*
131 * Create an authorisation token for /sbin/request-key or whoever to gain
132 * access to the caller's security data.
133 */
134struct key *request_key_auth_new(struct key *target, const void *callout_info,
135				 size_t callout_len, struct key *dest_keyring)
 
136{
137	struct request_key_auth *rka, *irka;
138	const struct cred *cred = current->cred;
139	struct key *authkey = NULL;
140	char desc[20];
141	int ret;
142
143	kenter("%d,", target->serial);
144
145	/* allocate a auth record */
146	rka = kmalloc(sizeof(*rka), GFP_KERNEL);
147	if (!rka) {
148		kleave(" = -ENOMEM");
149		return ERR_PTR(-ENOMEM);
150	}
151	rka->callout_info = kmalloc(callout_len, GFP_KERNEL);
152	if (!rka->callout_info) {
153		kleave(" = -ENOMEM");
154		kfree(rka);
155		return ERR_PTR(-ENOMEM);
156	}
157
158	/* see if the calling process is already servicing the key request of
159	 * another process */
160	if (cred->request_key_auth) {
161		/* it is - use that instantiation context here too */
162		down_read(&cred->request_key_auth->sem);
163
164		/* if the auth key has been revoked, then the key we're
165		 * servicing is already instantiated */
166		if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags))
167			goto auth_key_revoked;
 
 
 
 
168
169		irka = cred->request_key_auth->payload.data;
170		rka->cred = get_cred(irka->cred);
171		rka->pid = irka->pid;
172
173		up_read(&cred->request_key_auth->sem);
174	}
175	else {
176		/* it isn't - use this process as the context */
177		rka->cred = get_cred(cred);
178		rka->pid = current->pid;
179	}
180
181	rka->target_key = key_get(target);
182	rka->dest_keyring = key_get(dest_keyring);
183	memcpy(rka->callout_info, callout_info, callout_len);
184	rka->callout_len = callout_len;
185
186	/* allocate the auth key */
187	sprintf(desc, "%x", target->serial);
188
189	authkey = key_alloc(&key_type_request_key_auth, desc,
190			    cred->fsuid, cred->fsgid, cred,
191			    KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
192			    KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
193	if (IS_ERR(authkey)) {
194		ret = PTR_ERR(authkey);
195		goto error_alloc;
196	}
197
198	/* construct the auth key */
199	ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
200	if (ret < 0)
201		goto error_inst;
202
203	kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
204	return authkey;
205
206auth_key_revoked:
207	up_read(&cred->request_key_auth->sem);
208	kfree(rka->callout_info);
209	kfree(rka);
210	kleave("= -EKEYREVOKED");
211	return ERR_PTR(-EKEYREVOKED);
212
213error_inst:
214	key_revoke(authkey);
215	key_put(authkey);
216error_alloc:
217	key_put(rka->target_key);
218	key_put(rka->dest_keyring);
219	kfree(rka->callout_info);
220	kfree(rka);
221	kleave("= %d", ret);
222	return ERR_PTR(ret);
223}
224
225/*
226 * Search the current process's keyrings for the authorisation key for
227 * instantiation of a key.
228 */
229struct key *key_get_instantiation_authkey(key_serial_t target_id)
230{
231	char description[16];
232	struct keyring_search_context ctx = {
233		.index_key.type		= &key_type_request_key_auth,
234		.index_key.description	= description,
235		.cred			= current_cred(),
236		.match			= user_match,
237		.match_data		= description,
238		.flags			= KEYRING_SEARCH_LOOKUP_DIRECT,
 
 
239	};
240	struct key *authkey;
241	key_ref_t authkey_ref;
242
243	sprintf(description, "%x", target_id);
244
245	authkey_ref = search_process_keyrings(&ctx);
 
 
246
247	if (IS_ERR(authkey_ref)) {
248		authkey = ERR_CAST(authkey_ref);
249		if (authkey == ERR_PTR(-EAGAIN))
250			authkey = ERR_PTR(-ENOKEY);
251		goto error;
252	}
253
254	authkey = key_ref_to_ptr(authkey_ref);
255	if (test_bit(KEY_FLAG_REVOKED, &authkey->flags)) {
256		key_put(authkey);
257		authkey = ERR_PTR(-EKEYREVOKED);
258	}
259
260error:
261	return authkey;
262}