Back to home page

LXR

 
 

    


0001 /* Task credentials management - see Documentation/security/credentials.txt
0002  *
0003  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
0004  * Written by David Howells (dhowells@redhat.com)
0005  *
0006  * This program is free software; you can redistribute it and/or
0007  * modify it under the terms of the GNU General Public Licence
0008  * as published by the Free Software Foundation; either version
0009  * 2 of the Licence, or (at your option) any later version.
0010  */
0011 #include <linux/export.h>
0012 #include <linux/cred.h>
0013 #include <linux/slab.h>
0014 #include <linux/sched.h>
0015 #include <linux/key.h>
0016 #include <linux/keyctl.h>
0017 #include <linux/init_task.h>
0018 #include <linux/security.h>
0019 #include <linux/binfmts.h>
0020 #include <linux/cn_proc.h>
0021 
0022 #if 0
0023 #define kdebug(FMT, ...)                        \
0024     printk("[%-5.5s%5u] " FMT "\n",                 \
0025            current->comm, current->pid, ##__VA_ARGS__)
0026 #else
0027 #define kdebug(FMT, ...)                        \
0028 do {                                    \
0029     if (0)                              \
0030         no_printk("[%-5.5s%5u] " FMT "\n",          \
0031               current->comm, current->pid, ##__VA_ARGS__);  \
0032 } while (0)
0033 #endif
0034 
0035 static struct kmem_cache *cred_jar;
0036 
0037 /* init to 2 - one for init_task, one to ensure it is never freed */
0038 struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
0039 
0040 /*
0041  * The initial credentials for the initial task
0042  */
0043 struct cred init_cred = {
0044     .usage          = ATOMIC_INIT(4),
0045 #ifdef CONFIG_DEBUG_CREDENTIALS
0046     .subscribers        = ATOMIC_INIT(2),
0047     .magic          = CRED_MAGIC,
0048 #endif
0049     .uid            = GLOBAL_ROOT_UID,
0050     .gid            = GLOBAL_ROOT_GID,
0051     .suid           = GLOBAL_ROOT_UID,
0052     .sgid           = GLOBAL_ROOT_GID,
0053     .euid           = GLOBAL_ROOT_UID,
0054     .egid           = GLOBAL_ROOT_GID,
0055     .fsuid          = GLOBAL_ROOT_UID,
0056     .fsgid          = GLOBAL_ROOT_GID,
0057     .securebits     = SECUREBITS_DEFAULT,
0058     .cap_inheritable    = CAP_EMPTY_SET,
0059     .cap_permitted      = CAP_FULL_SET,
0060     .cap_effective      = CAP_FULL_SET,
0061     .cap_bset       = CAP_FULL_SET,
0062     .user           = INIT_USER,
0063     .user_ns        = &init_user_ns,
0064     .group_info     = &init_groups,
0065 };
0066 
0067 static inline void set_cred_subscribers(struct cred *cred, int n)
0068 {
0069 #ifdef CONFIG_DEBUG_CREDENTIALS
0070     atomic_set(&cred->subscribers, n);
0071 #endif
0072 }
0073 
0074 static inline int read_cred_subscribers(const struct cred *cred)
0075 {
0076 #ifdef CONFIG_DEBUG_CREDENTIALS
0077     return atomic_read(&cred->subscribers);
0078 #else
0079     return 0;
0080 #endif
0081 }
0082 
0083 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
0084 {
0085 #ifdef CONFIG_DEBUG_CREDENTIALS
0086     struct cred *cred = (struct cred *) _cred;
0087 
0088     atomic_add(n, &cred->subscribers);
0089 #endif
0090 }
0091 
0092 /*
0093  * The RCU callback to actually dispose of a set of credentials
0094  */
0095 static void put_cred_rcu(struct rcu_head *rcu)
0096 {
0097     struct cred *cred = container_of(rcu, struct cred, rcu);
0098 
0099     kdebug("put_cred_rcu(%p)", cred);
0100 
0101 #ifdef CONFIG_DEBUG_CREDENTIALS
0102     if (cred->magic != CRED_MAGIC_DEAD ||
0103         atomic_read(&cred->usage) != 0 ||
0104         read_cred_subscribers(cred) != 0)
0105         panic("CRED: put_cred_rcu() sees %p with"
0106               " mag %x, put %p, usage %d, subscr %d\n",
0107               cred, cred->magic, cred->put_addr,
0108               atomic_read(&cred->usage),
0109               read_cred_subscribers(cred));
0110 #else
0111     if (atomic_read(&cred->usage) != 0)
0112         panic("CRED: put_cred_rcu() sees %p with usage %d\n",
0113               cred, atomic_read(&cred->usage));
0114 #endif
0115 
0116     security_cred_free(cred);
0117     key_put(cred->session_keyring);
0118     key_put(cred->process_keyring);
0119     key_put(cred->thread_keyring);
0120     key_put(cred->request_key_auth);
0121     if (cred->group_info)
0122         put_group_info(cred->group_info);
0123     free_uid(cred->user);
0124     put_user_ns(cred->user_ns);
0125     kmem_cache_free(cred_jar, cred);
0126 }
0127 
0128 /**
0129  * __put_cred - Destroy a set of credentials
0130  * @cred: The record to release
0131  *
0132  * Destroy a set of credentials on which no references remain.
0133  */
0134 void __put_cred(struct cred *cred)
0135 {
0136     kdebug("__put_cred(%p{%d,%d})", cred,
0137            atomic_read(&cred->usage),
0138            read_cred_subscribers(cred));
0139 
0140     BUG_ON(atomic_read(&cred->usage) != 0);
0141 #ifdef CONFIG_DEBUG_CREDENTIALS
0142     BUG_ON(read_cred_subscribers(cred) != 0);
0143     cred->magic = CRED_MAGIC_DEAD;
0144     cred->put_addr = __builtin_return_address(0);
0145 #endif
0146     BUG_ON(cred == current->cred);
0147     BUG_ON(cred == current->real_cred);
0148 
0149     call_rcu(&cred->rcu, put_cred_rcu);
0150 }
0151 EXPORT_SYMBOL(__put_cred);
0152 
0153 /*
0154  * Clean up a task's credentials when it exits
0155  */
0156 void exit_creds(struct task_struct *tsk)
0157 {
0158     struct cred *cred;
0159 
0160     kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
0161            atomic_read(&tsk->cred->usage),
0162            read_cred_subscribers(tsk->cred));
0163 
0164     cred = (struct cred *) tsk->real_cred;
0165     tsk->real_cred = NULL;
0166     validate_creds(cred);
0167     alter_cred_subscribers(cred, -1);
0168     put_cred(cred);
0169 
0170     cred = (struct cred *) tsk->cred;
0171     tsk->cred = NULL;
0172     validate_creds(cred);
0173     alter_cred_subscribers(cred, -1);
0174     put_cred(cred);
0175 }
0176 
0177 /**
0178  * get_task_cred - Get another task's objective credentials
0179  * @task: The task to query
0180  *
0181  * Get the objective credentials of a task, pinning them so that they can't go
0182  * away.  Accessing a task's credentials directly is not permitted.
0183  *
0184  * The caller must also make sure task doesn't get deleted, either by holding a
0185  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
0186  */
0187 const struct cred *get_task_cred(struct task_struct *task)
0188 {
0189     const struct cred *cred;
0190 
0191     rcu_read_lock();
0192 
0193     do {
0194         cred = __task_cred((task));
0195         BUG_ON(!cred);
0196     } while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
0197 
0198     rcu_read_unlock();
0199     return cred;
0200 }
0201 
0202 /*
0203  * Allocate blank credentials, such that the credentials can be filled in at a
0204  * later date without risk of ENOMEM.
0205  */
0206 struct cred *cred_alloc_blank(void)
0207 {
0208     struct cred *new;
0209 
0210     new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
0211     if (!new)
0212         return NULL;
0213 
0214     atomic_set(&new->usage, 1);
0215 #ifdef CONFIG_DEBUG_CREDENTIALS
0216     new->magic = CRED_MAGIC;
0217 #endif
0218 
0219     if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
0220         goto error;
0221 
0222     return new;
0223 
0224 error:
0225     abort_creds(new);
0226     return NULL;
0227 }
0228 
0229 /**
0230  * prepare_creds - Prepare a new set of credentials for modification
0231  *
0232  * Prepare a new set of task credentials for modification.  A task's creds
0233  * shouldn't generally be modified directly, therefore this function is used to
0234  * prepare a new copy, which the caller then modifies and then commits by
0235  * calling commit_creds().
0236  *
0237  * Preparation involves making a copy of the objective creds for modification.
0238  *
0239  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
0240  *
0241  * Call commit_creds() or abort_creds() to clean up.
0242  */
0243 struct cred *prepare_creds(void)
0244 {
0245     struct task_struct *task = current;
0246     const struct cred *old;
0247     struct cred *new;
0248 
0249     validate_process_creds();
0250 
0251     new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
0252     if (!new)
0253         return NULL;
0254 
0255     kdebug("prepare_creds() alloc %p", new);
0256 
0257     old = task->cred;
0258     memcpy(new, old, sizeof(struct cred));
0259 
0260     atomic_set(&new->usage, 1);
0261     set_cred_subscribers(new, 0);
0262     get_group_info(new->group_info);
0263     get_uid(new->user);
0264     get_user_ns(new->user_ns);
0265 
0266 #ifdef CONFIG_KEYS
0267     key_get(new->session_keyring);
0268     key_get(new->process_keyring);
0269     key_get(new->thread_keyring);
0270     key_get(new->request_key_auth);
0271 #endif
0272 
0273 #ifdef CONFIG_SECURITY
0274     new->security = NULL;
0275 #endif
0276 
0277     if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
0278         goto error;
0279     validate_creds(new);
0280     return new;
0281 
0282 error:
0283     abort_creds(new);
0284     return NULL;
0285 }
0286 EXPORT_SYMBOL(prepare_creds);
0287 
0288 /*
0289  * Prepare credentials for current to perform an execve()
0290  * - The caller must hold ->cred_guard_mutex
0291  */
0292 struct cred *prepare_exec_creds(void)
0293 {
0294     struct cred *new;
0295 
0296     new = prepare_creds();
0297     if (!new)
0298         return new;
0299 
0300 #ifdef CONFIG_KEYS
0301     /* newly exec'd tasks don't get a thread keyring */
0302     key_put(new->thread_keyring);
0303     new->thread_keyring = NULL;
0304 
0305     /* inherit the session keyring; new process keyring */
0306     key_put(new->process_keyring);
0307     new->process_keyring = NULL;
0308 #endif
0309 
0310     return new;
0311 }
0312 
0313 /*
0314  * Copy credentials for the new process created by fork()
0315  *
0316  * We share if we can, but under some circumstances we have to generate a new
0317  * set.
0318  *
0319  * The new process gets the current process's subjective credentials as its
0320  * objective and subjective credentials
0321  */
0322 int copy_creds(struct task_struct *p, unsigned long clone_flags)
0323 {
0324     struct cred *new;
0325     int ret;
0326 
0327     if (
0328 #ifdef CONFIG_KEYS
0329         !p->cred->thread_keyring &&
0330 #endif
0331         clone_flags & CLONE_THREAD
0332         ) {
0333         p->real_cred = get_cred(p->cred);
0334         get_cred(p->cred);
0335         alter_cred_subscribers(p->cred, 2);
0336         kdebug("share_creds(%p{%d,%d})",
0337                p->cred, atomic_read(&p->cred->usage),
0338                read_cred_subscribers(p->cred));
0339         atomic_inc(&p->cred->user->processes);
0340         return 0;
0341     }
0342 
0343     new = prepare_creds();
0344     if (!new)
0345         return -ENOMEM;
0346 
0347     if (clone_flags & CLONE_NEWUSER) {
0348         ret = create_user_ns(new);
0349         if (ret < 0)
0350             goto error_put;
0351     }
0352 
0353 #ifdef CONFIG_KEYS
0354     /* new threads get their own thread keyrings if their parent already
0355      * had one */
0356     if (new->thread_keyring) {
0357         key_put(new->thread_keyring);
0358         new->thread_keyring = NULL;
0359         if (clone_flags & CLONE_THREAD)
0360             install_thread_keyring_to_cred(new);
0361     }
0362 
0363     /* The process keyring is only shared between the threads in a process;
0364      * anything outside of those threads doesn't inherit.
0365      */
0366     if (!(clone_flags & CLONE_THREAD)) {
0367         key_put(new->process_keyring);
0368         new->process_keyring = NULL;
0369     }
0370 #endif
0371 
0372     atomic_inc(&new->user->processes);
0373     p->cred = p->real_cred = get_cred(new);
0374     alter_cred_subscribers(new, 2);
0375     validate_creds(new);
0376     return 0;
0377 
0378 error_put:
0379     put_cred(new);
0380     return ret;
0381 }
0382 
0383 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
0384 {
0385     const struct user_namespace *set_ns = set->user_ns;
0386     const struct user_namespace *subset_ns = subset->user_ns;
0387 
0388     /* If the two credentials are in the same user namespace see if
0389      * the capabilities of subset are a subset of set.
0390      */
0391     if (set_ns == subset_ns)
0392         return cap_issubset(subset->cap_permitted, set->cap_permitted);
0393 
0394     /* The credentials are in a different user namespaces
0395      * therefore one is a subset of the other only if a set is an
0396      * ancestor of subset and set->euid is owner of subset or one
0397      * of subsets ancestors.
0398      */
0399     for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
0400         if ((set_ns == subset_ns->parent)  &&
0401             uid_eq(subset_ns->owner, set->euid))
0402             return true;
0403     }
0404 
0405     return false;
0406 }
0407 
0408 /**
0409  * commit_creds - Install new credentials upon the current task
0410  * @new: The credentials to be assigned
0411  *
0412  * Install a new set of credentials to the current task, using RCU to replace
0413  * the old set.  Both the objective and the subjective credentials pointers are
0414  * updated.  This function may not be called if the subjective credentials are
0415  * in an overridden state.
0416  *
0417  * This function eats the caller's reference to the new credentials.
0418  *
0419  * Always returns 0 thus allowing this function to be tail-called at the end
0420  * of, say, sys_setgid().
0421  */
0422 int commit_creds(struct cred *new)
0423 {
0424     struct task_struct *task = current;
0425     const struct cred *old = task->real_cred;
0426 
0427     kdebug("commit_creds(%p{%d,%d})", new,
0428            atomic_read(&new->usage),
0429            read_cred_subscribers(new));
0430 
0431     BUG_ON(task->cred != old);
0432 #ifdef CONFIG_DEBUG_CREDENTIALS
0433     BUG_ON(read_cred_subscribers(old) < 2);
0434     validate_creds(old);
0435     validate_creds(new);
0436 #endif
0437     BUG_ON(atomic_read(&new->usage) < 1);
0438 
0439     get_cred(new); /* we will require a ref for the subj creds too */
0440 
0441     /* dumpability changes */
0442     if (!uid_eq(old->euid, new->euid) ||
0443         !gid_eq(old->egid, new->egid) ||
0444         !uid_eq(old->fsuid, new->fsuid) ||
0445         !gid_eq(old->fsgid, new->fsgid) ||
0446         !cred_cap_issubset(old, new)) {
0447         if (task->mm)
0448             set_dumpable(task->mm, suid_dumpable);
0449         task->pdeath_signal = 0;
0450         smp_wmb();
0451     }
0452 
0453     /* alter the thread keyring */
0454     if (!uid_eq(new->fsuid, old->fsuid))
0455         key_fsuid_changed(task);
0456     if (!gid_eq(new->fsgid, old->fsgid))
0457         key_fsgid_changed(task);
0458 
0459     /* do it
0460      * RLIMIT_NPROC limits on user->processes have already been checked
0461      * in set_user().
0462      */
0463     alter_cred_subscribers(new, 2);
0464     if (new->user != old->user)
0465         atomic_inc(&new->user->processes);
0466     rcu_assign_pointer(task->real_cred, new);
0467     rcu_assign_pointer(task->cred, new);
0468     if (new->user != old->user)
0469         atomic_dec(&old->user->processes);
0470     alter_cred_subscribers(old, -2);
0471 
0472     /* send notifications */
0473     if (!uid_eq(new->uid,   old->uid)  ||
0474         !uid_eq(new->euid,  old->euid) ||
0475         !uid_eq(new->suid,  old->suid) ||
0476         !uid_eq(new->fsuid, old->fsuid))
0477         proc_id_connector(task, PROC_EVENT_UID);
0478 
0479     if (!gid_eq(new->gid,   old->gid)  ||
0480         !gid_eq(new->egid,  old->egid) ||
0481         !gid_eq(new->sgid,  old->sgid) ||
0482         !gid_eq(new->fsgid, old->fsgid))
0483         proc_id_connector(task, PROC_EVENT_GID);
0484 
0485     /* release the old obj and subj refs both */
0486     put_cred(old);
0487     put_cred(old);
0488     return 0;
0489 }
0490 EXPORT_SYMBOL(commit_creds);
0491 
0492 /**
0493  * abort_creds - Discard a set of credentials and unlock the current task
0494  * @new: The credentials that were going to be applied
0495  *
0496  * Discard a set of credentials that were under construction and unlock the
0497  * current task.
0498  */
0499 void abort_creds(struct cred *new)
0500 {
0501     kdebug("abort_creds(%p{%d,%d})", new,
0502            atomic_read(&new->usage),
0503            read_cred_subscribers(new));
0504 
0505 #ifdef CONFIG_DEBUG_CREDENTIALS
0506     BUG_ON(read_cred_subscribers(new) != 0);
0507 #endif
0508     BUG_ON(atomic_read(&new->usage) < 1);
0509     put_cred(new);
0510 }
0511 EXPORT_SYMBOL(abort_creds);
0512 
0513 /**
0514  * override_creds - Override the current process's subjective credentials
0515  * @new: The credentials to be assigned
0516  *
0517  * Install a set of temporary override subjective credentials on the current
0518  * process, returning the old set for later reversion.
0519  */
0520 const struct cred *override_creds(const struct cred *new)
0521 {
0522     const struct cred *old = current->cred;
0523 
0524     kdebug("override_creds(%p{%d,%d})", new,
0525            atomic_read(&new->usage),
0526            read_cred_subscribers(new));
0527 
0528     validate_creds(old);
0529     validate_creds(new);
0530     get_cred(new);
0531     alter_cred_subscribers(new, 1);
0532     rcu_assign_pointer(current->cred, new);
0533     alter_cred_subscribers(old, -1);
0534 
0535     kdebug("override_creds() = %p{%d,%d}", old,
0536            atomic_read(&old->usage),
0537            read_cred_subscribers(old));
0538     return old;
0539 }
0540 EXPORT_SYMBOL(override_creds);
0541 
0542 /**
0543  * revert_creds - Revert a temporary subjective credentials override
0544  * @old: The credentials to be restored
0545  *
0546  * Revert a temporary set of override subjective credentials to an old set,
0547  * discarding the override set.
0548  */
0549 void revert_creds(const struct cred *old)
0550 {
0551     const struct cred *override = current->cred;
0552 
0553     kdebug("revert_creds(%p{%d,%d})", old,
0554            atomic_read(&old->usage),
0555            read_cred_subscribers(old));
0556 
0557     validate_creds(old);
0558     validate_creds(override);
0559     alter_cred_subscribers(old, 1);
0560     rcu_assign_pointer(current->cred, old);
0561     alter_cred_subscribers(override, -1);
0562     put_cred(override);
0563 }
0564 EXPORT_SYMBOL(revert_creds);
0565 
0566 /*
0567  * initialise the credentials stuff
0568  */
0569 void __init cred_init(void)
0570 {
0571     /* allocate a slab in which we can store credentials */
0572     cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
0573             SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
0574 }
0575 
0576 /**
0577  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
0578  * @daemon: A userspace daemon to be used as a reference
0579  *
0580  * Prepare a set of credentials for a kernel service.  This can then be used to
0581  * override a task's own credentials so that work can be done on behalf of that
0582  * task that requires a different subjective context.
0583  *
0584  * @daemon is used to provide a base for the security record, but can be NULL.
0585  * If @daemon is supplied, then the security data will be derived from that;
0586  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
0587  *
0588  * The caller may change these controls afterwards if desired.
0589  *
0590  * Returns the new credentials or NULL if out of memory.
0591  *
0592  * Does not take, and does not return holding current->cred_replace_mutex.
0593  */
0594 struct cred *prepare_kernel_cred(struct task_struct *daemon)
0595 {
0596     const struct cred *old;
0597     struct cred *new;
0598 
0599     new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
0600     if (!new)
0601         return NULL;
0602 
0603     kdebug("prepare_kernel_cred() alloc %p", new);
0604 
0605     if (daemon)
0606         old = get_task_cred(daemon);
0607     else
0608         old = get_cred(&init_cred);
0609 
0610     validate_creds(old);
0611 
0612     *new = *old;
0613     atomic_set(&new->usage, 1);
0614     set_cred_subscribers(new, 0);
0615     get_uid(new->user);
0616     get_user_ns(new->user_ns);
0617     get_group_info(new->group_info);
0618 
0619 #ifdef CONFIG_KEYS
0620     new->session_keyring = NULL;
0621     new->process_keyring = NULL;
0622     new->thread_keyring = NULL;
0623     new->request_key_auth = NULL;
0624     new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
0625 #endif
0626 
0627 #ifdef CONFIG_SECURITY
0628     new->security = NULL;
0629 #endif
0630     if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
0631         goto error;
0632 
0633     put_cred(old);
0634     validate_creds(new);
0635     return new;
0636 
0637 error:
0638     put_cred(new);
0639     put_cred(old);
0640     return NULL;
0641 }
0642 EXPORT_SYMBOL(prepare_kernel_cred);
0643 
0644 /**
0645  * set_security_override - Set the security ID in a set of credentials
0646  * @new: The credentials to alter
0647  * @secid: The LSM security ID to set
0648  *
0649  * Set the LSM security ID in a set of credentials so that the subjective
0650  * security is overridden when an alternative set of credentials is used.
0651  */
0652 int set_security_override(struct cred *new, u32 secid)
0653 {
0654     return security_kernel_act_as(new, secid);
0655 }
0656 EXPORT_SYMBOL(set_security_override);
0657 
0658 /**
0659  * set_security_override_from_ctx - Set the security ID in a set of credentials
0660  * @new: The credentials to alter
0661  * @secctx: The LSM security context to generate the security ID from.
0662  *
0663  * Set the LSM security ID in a set of credentials so that the subjective
0664  * security is overridden when an alternative set of credentials is used.  The
0665  * security ID is specified in string form as a security context to be
0666  * interpreted by the LSM.
0667  */
0668 int set_security_override_from_ctx(struct cred *new, const char *secctx)
0669 {
0670     u32 secid;
0671     int ret;
0672 
0673     ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
0674     if (ret < 0)
0675         return ret;
0676 
0677     return set_security_override(new, secid);
0678 }
0679 EXPORT_SYMBOL(set_security_override_from_ctx);
0680 
0681 /**
0682  * set_create_files_as - Set the LSM file create context in a set of credentials
0683  * @new: The credentials to alter
0684  * @inode: The inode to take the context from
0685  *
0686  * Change the LSM file creation context in a set of credentials to be the same
0687  * as the object context of the specified inode, so that the new inodes have
0688  * the same MAC context as that inode.
0689  */
0690 int set_create_files_as(struct cred *new, struct inode *inode)
0691 {
0692     if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
0693         return -EINVAL;
0694     new->fsuid = inode->i_uid;
0695     new->fsgid = inode->i_gid;
0696     return security_kernel_create_files_as(new, inode);
0697 }
0698 EXPORT_SYMBOL(set_create_files_as);
0699 
0700 #ifdef CONFIG_DEBUG_CREDENTIALS
0701 
0702 bool creds_are_invalid(const struct cred *cred)
0703 {
0704     if (cred->magic != CRED_MAGIC)
0705         return true;
0706 #ifdef CONFIG_SECURITY_SELINUX
0707     /*
0708      * cred->security == NULL if security_cred_alloc_blank() or
0709      * security_prepare_creds() returned an error.
0710      */
0711     if (selinux_is_enabled() && cred->security) {
0712         if ((unsigned long) cred->security < PAGE_SIZE)
0713             return true;
0714         if ((*(u32 *)cred->security & 0xffffff00) ==
0715             (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
0716             return true;
0717     }
0718 #endif
0719     return false;
0720 }
0721 EXPORT_SYMBOL(creds_are_invalid);
0722 
0723 /*
0724  * dump invalid credentials
0725  */
0726 static void dump_invalid_creds(const struct cred *cred, const char *label,
0727                    const struct task_struct *tsk)
0728 {
0729     printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
0730            label, cred,
0731            cred == &init_cred ? "[init]" : "",
0732            cred == tsk->real_cred ? "[real]" : "",
0733            cred == tsk->cred ? "[eff]" : "");
0734     printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
0735            cred->magic, cred->put_addr);
0736     printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
0737            atomic_read(&cred->usage),
0738            read_cred_subscribers(cred));
0739     printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
0740         from_kuid_munged(&init_user_ns, cred->uid),
0741         from_kuid_munged(&init_user_ns, cred->euid),
0742         from_kuid_munged(&init_user_ns, cred->suid),
0743         from_kuid_munged(&init_user_ns, cred->fsuid));
0744     printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
0745         from_kgid_munged(&init_user_ns, cred->gid),
0746         from_kgid_munged(&init_user_ns, cred->egid),
0747         from_kgid_munged(&init_user_ns, cred->sgid),
0748         from_kgid_munged(&init_user_ns, cred->fsgid));
0749 #ifdef CONFIG_SECURITY
0750     printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
0751     if ((unsigned long) cred->security >= PAGE_SIZE &&
0752         (((unsigned long) cred->security & 0xffffff00) !=
0753          (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
0754         printk(KERN_ERR "CRED: ->security {%x, %x}\n",
0755                ((u32*)cred->security)[0],
0756                ((u32*)cred->security)[1]);
0757 #endif
0758 }
0759 
0760 /*
0761  * report use of invalid credentials
0762  */
0763 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
0764 {
0765     printk(KERN_ERR "CRED: Invalid credentials\n");
0766     printk(KERN_ERR "CRED: At %s:%u\n", file, line);
0767     dump_invalid_creds(cred, "Specified", current);
0768     BUG();
0769 }
0770 EXPORT_SYMBOL(__invalid_creds);
0771 
0772 /*
0773  * check the credentials on a process
0774  */
0775 void __validate_process_creds(struct task_struct *tsk,
0776                   const char *file, unsigned line)
0777 {
0778     if (tsk->cred == tsk->real_cred) {
0779         if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
0780                  creds_are_invalid(tsk->cred)))
0781             goto invalid_creds;
0782     } else {
0783         if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
0784                  read_cred_subscribers(tsk->cred) < 1 ||
0785                  creds_are_invalid(tsk->real_cred) ||
0786                  creds_are_invalid(tsk->cred)))
0787             goto invalid_creds;
0788     }
0789     return;
0790 
0791 invalid_creds:
0792     printk(KERN_ERR "CRED: Invalid process credentials\n");
0793     printk(KERN_ERR "CRED: At %s:%u\n", file, line);
0794 
0795     dump_invalid_creds(tsk->real_cred, "Real", tsk);
0796     if (tsk->cred != tsk->real_cred)
0797         dump_invalid_creds(tsk->cred, "Effective", tsk);
0798     else
0799         printk(KERN_ERR "CRED: Effective creds == Real creds\n");
0800     BUG();
0801 }
0802 EXPORT_SYMBOL(__validate_process_creds);
0803 
0804 /*
0805  * check creds for do_exit()
0806  */
0807 void validate_creds_for_do_exit(struct task_struct *tsk)
0808 {
0809     kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
0810            tsk->real_cred, tsk->cred,
0811            atomic_read(&tsk->cred->usage),
0812            read_cred_subscribers(tsk->cred));
0813 
0814     __validate_process_creds(tsk, __FILE__, __LINE__);
0815 }
0816 
0817 #endif /* CONFIG_DEBUG_CREDENTIALS */