include/linux/cred.h

0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /* Credentials management - see Documentation/security/credentials.rst
0003  *
0004  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #ifndef _LINUX_CRED_H
0009 #define _LINUX_CRED_H
0010
0011 #include <linux/capability.h>
0012 #include <linux/init.h>
0013 #include <linux/key.h>
0014 #include <linux/atomic.h>
0015 #include <linux/uidgid.h>
0016 #include <linux/sched.h>
0017 #include <linux/sched/user.h>
0018
0019 struct cred;
0020 struct inode;
0021
0022 /*
0023  * COW Supplementary groups list
0024  */
0025 struct group_info {
0026     atomic_t    usage;
0027     int     ngroups;
0028     kgid_t      gid[];
0029 } __randomize_layout;
0030
0031 /**
0032  * get_group_info - Get a reference to a group info structure
0033  * @group_info: The group info to reference
0034  *
0035  * This gets a reference to a set of supplementary groups.
0036  *
0037  * If the caller is accessing a task's credentials, they must hold the RCU read
0038  * lock when reading.
0039  */
0040 static inline struct group_info *get_group_info(struct group_info *gi)
0041 {
0042     atomic_inc(&gi->usage);
0043     return gi;
0044 }
0045
0046 /**
0047  * put_group_info - Release a reference to a group info structure
0048  * @group_info: The group info to release
0049  */
0050 #define put_group_info(group_info)          \
0051 do {                            \
0052     if (atomic_dec_and_test(&(group_info)->usage))  \
0053         groups_free(group_info);        \
0054 } while (0)
0055
0056 #ifdef CONFIG_MULTIUSER
0057 extern struct group_info *groups_alloc(int);
0058 extern void groups_free(struct group_info *);
0059
0060 extern int in_group_p(kgid_t);
0061 extern int in_egroup_p(kgid_t);
0062 extern int groups_search(const struct group_info *, kgid_t);
0063
0064 extern int set_current_groups(struct group_info *);
0065 extern void set_groups(struct cred *, struct group_info *);
0066 extern bool may_setgroups(void);
0067 extern void groups_sort(struct group_info *);
0068 #else
0069 static inline void groups_free(struct group_info *group_info)
0070 {
0071 }
0072
0073 static inline int in_group_p(kgid_t grp)
0074 {
0075         return 1;
0076 }
0077 static inline int in_egroup_p(kgid_t grp)
0078 {
0079         return 1;
0080 }
0081 static inline int groups_search(const struct group_info *group_info, kgid_t grp)
0082 {
0083     return 1;
0084 }
0085 #endif
0086
0087 /*
0088  * The security context of a task
0089  *
0090  * The parts of the context break down into two categories:
0091  *
0092  *  (1) The objective context of a task.  These parts are used when some other
0093  *  task is attempting to affect this one.
0094  *
0095  *  (2) The subjective context.  These details are used when the task is acting
0096  *  upon another object, be that a file, a task, a key or whatever.
0097  *
0098  * Note that some members of this structure belong to both categories - the
0099  * LSM security pointer for instance.
0100  *
0101  * A task has two security pointers.  task->real_cred points to the objective
0102  * context that defines that task's actual details.  The objective part of this
0103  * context is used whenever that task is acted upon.
0104  *
0105  * task->cred points to the subjective context that defines the details of how
0106  * that task is going to act upon another object.  This may be overridden
0107  * temporarily to point to another security context, but normally points to the
0108  * same context as task->real_cred.
0109  */
0110 struct cred {
0111     atomic_t    usage;
0112 #ifdef CONFIG_DEBUG_CREDENTIALS
0113     atomic_t    subscribers;    /* number of processes subscribed */
0114     void        *put_addr;
0115     unsigned    magic;
0116 #define CRED_MAGIC  0x43736564
0117 #define CRED_MAGIC_DEAD 0x44656144
0118 #endif
0119     kuid_t      uid;        /* real UID of the task */
0120     kgid_t      gid;        /* real GID of the task */
0121     kuid_t      suid;       /* saved UID of the task */
0122     kgid_t      sgid;       /* saved GID of the task */
0123     kuid_t      euid;       /* effective UID of the task */
0124     kgid_t      egid;       /* effective GID of the task */
0125     kuid_t      fsuid;      /* UID for VFS ops */
0126     kgid_t      fsgid;      /* GID for VFS ops */
0127     unsigned    securebits; /* SUID-less security management */
0128     kernel_cap_t    cap_inheritable; /* caps our children can inherit */
0129     kernel_cap_t    cap_permitted;  /* caps we're permitted */
0130     kernel_cap_t    cap_effective;  /* caps we can actually use */
0131     kernel_cap_t    cap_bset;   /* capability bounding set */
0132     kernel_cap_t    cap_ambient;    /* Ambient capability set */
0133 #ifdef CONFIG_KEYS
0134     unsigned char   jit_keyring;    /* default keyring to attach requested
0135                      * keys to */
0136     struct key  *session_keyring; /* keyring inherited over fork */
0137     struct key  *process_keyring; /* keyring private to this process */
0138     struct key  *thread_keyring; /* keyring private to this thread */
0139     struct key  *request_key_auth; /* assumed request_key authority */
0140 #endif
0141 #ifdef CONFIG_SECURITY
0142     void        *security;  /* LSM security */
0143 #endif
0144     struct user_struct *user;   /* real user ID subscription */
0145     struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
0146     struct ucounts *ucounts;
0147     struct group_info *group_info;  /* supplementary groups for euid/fsgid */
0148     /* RCU deletion */
0149     union {
0150         int non_rcu;            /* Can we skip RCU deletion? */
0151         struct rcu_head rcu;        /* RCU deletion hook */
0152     };
0153 } __randomize_layout;
0154
0155 extern void __put_cred(struct cred *);
0156 extern void exit_creds(struct task_struct *);
0157 extern int copy_creds(struct task_struct *, unsigned long);
0158 extern const struct cred *get_task_cred(struct task_struct *);
0159 extern struct cred *cred_alloc_blank(void);
0160 extern struct cred *prepare_creds(void);
0161 extern struct cred *prepare_exec_creds(void);
0162 extern int commit_creds(struct cred *);
0163 extern void abort_creds(struct cred *);
0164 extern const struct cred *override_creds(const struct cred *);
0165 extern void revert_creds(const struct cred *);
0166 extern struct cred *prepare_kernel_cred(struct task_struct *);
0167 extern int change_create_files_as(struct cred *, struct inode *);
0168 extern int set_security_override(struct cred *, u32);
0169 extern int set_security_override_from_ctx(struct cred *, const char *);
0170 extern int set_create_files_as(struct cred *, struct inode *);
0171 extern int cred_fscmp(const struct cred *, const struct cred *);
0172 extern void __init cred_init(void);
0173 extern int set_cred_ucounts(struct cred *);
0174
0175 /*
0176  * check for validity of credentials
0177  */
0178 #ifdef CONFIG_DEBUG_CREDENTIALS
0179 extern void __noreturn __invalid_creds(const struct cred *, const char *, unsigned);
0180 extern void __validate_process_creds(struct task_struct *,
0181                      const char *, unsigned);
0182
0183 extern bool creds_are_invalid(const struct cred *cred);
0184
0185 static inline void __validate_creds(const struct cred *cred,
0186                     const char *file, unsigned line)
0187 {
0188     if (unlikely(creds_are_invalid(cred)))
0189         __invalid_creds(cred, file, line);
0190 }
0191
0192 #define validate_creds(cred)                \
0193 do {                            \
0194     __validate_creds((cred), __FILE__, __LINE__);   \
0195 } while(0)
0196
0197 #define validate_process_creds()                \
0198 do {                                \
0199     __validate_process_creds(current, __FILE__, __LINE__);  \
0200 } while(0)
0201
0202 extern void validate_creds_for_do_exit(struct task_struct *);
0203 #else
0204 static inline void validate_creds(const struct cred *cred)
0205 {
0206 }
0207 static inline void validate_creds_for_do_exit(struct task_struct *tsk)
0208 {
0209 }
0210 static inline void validate_process_creds(void)
0211 {
0212 }
0213 #endif
0214
0215 static inline bool cap_ambient_invariant_ok(const struct cred *cred)
0216 {
0217     return cap_issubset(cred->cap_ambient,
0218                 cap_intersect(cred->cap_permitted,
0219                       cred->cap_inheritable));
0220 }
0221
0222 /**
0223  * get_new_cred - Get a reference on a new set of credentials
0224  * @cred: The new credentials to reference
0225  *
0226  * Get a reference on the specified set of new credentials.  The caller must
0227  * release the reference.
0228  */
0229 static inline struct cred *get_new_cred(struct cred *cred)
0230 {
0231     atomic_inc(&cred->usage);
0232     return cred;
0233 }
0234
0235 /**
0236  * get_cred - Get a reference on a set of credentials
0237  * @cred: The credentials to reference
0238  *
0239  * Get a reference on the specified set of credentials.  The caller must
0240  * release the reference.  If %NULL is passed, it is returned with no action.
0241  *
0242  * This is used to deal with a committed set of credentials.  Although the
0243  * pointer is const, this will temporarily discard the const and increment the
0244  * usage count.  The purpose of this is to attempt to catch at compile time the
0245  * accidental alteration of a set of credentials that should be considered
0246  * immutable.
0247  */
0248 static inline const struct cred *get_cred(const struct cred *cred)
0249 {
0250     struct cred *nonconst_cred = (struct cred *) cred;
0251     if (!cred)
0252         return cred;
0253     validate_creds(cred);
0254     nonconst_cred->non_rcu = 0;
0255     return get_new_cred(nonconst_cred);
0256 }
0257
0258 static inline const struct cred *get_cred_rcu(const struct cred *cred)
0259 {
0260     struct cred *nonconst_cred = (struct cred *) cred;
0261     if (!cred)
0262         return NULL;
0263     if (!atomic_inc_not_zero(&nonconst_cred->usage))
0264         return NULL;
0265     validate_creds(cred);
0266     nonconst_cred->non_rcu = 0;
0267     return cred;
0268 }
0269
0270 /**
0271  * put_cred - Release a reference to a set of credentials
0272  * @cred: The credentials to release
0273  *
0274  * Release a reference to a set of credentials, deleting them when the last ref
0275  * is released.  If %NULL is passed, nothing is done.
0276  *
0277  * This takes a const pointer to a set of credentials because the credentials
0278  * on task_struct are attached by const pointers to prevent accidental
0279  * alteration of otherwise immutable credential sets.
0280  */
0281 static inline void put_cred(const struct cred *_cred)
0282 {
0283     struct cred *cred = (struct cred *) _cred;
0284
0285     if (cred) {
0286         validate_creds(cred);
0287         if (atomic_dec_and_test(&(cred)->usage))
0288             __put_cred(cred);
0289     }
0290 }
0291
0292 /**
0293  * current_cred - Access the current task's subjective credentials
0294  *
0295  * Access the subjective credentials of the current task.  RCU-safe,
0296  * since nobody else can modify it.
0297  */
0298 #define current_cred() \
0299     rcu_dereference_protected(current->cred, 1)
0300
0301 /**
0302  * current_real_cred - Access the current task's objective credentials
0303  *
0304  * Access the objective credentials of the current task.  RCU-safe,
0305  * since nobody else can modify it.
0306  */
0307 #define current_real_cred() \
0308     rcu_dereference_protected(current->real_cred, 1)
0309
0310 /**
0311  * __task_cred - Access a task's objective credentials
0312  * @task: The task to query
0313  *
0314  * Access the objective credentials of a task.  The caller must hold the RCU
0315  * readlock.
0316  *
0317  * The result of this function should not be passed directly to get_cred();
0318  * rather get_task_cred() should be used instead.
0319  */
0320 #define __task_cred(task)   \
0321     rcu_dereference((task)->real_cred)
0322
0323 /**
0324  * get_current_cred - Get the current task's subjective credentials
0325  *
0326  * Get the subjective credentials of the current task, pinning them so that
0327  * they can't go away.  Accessing the current task's credentials directly is
0328  * not permitted.
0329  */
0330 #define get_current_cred()              \
0331     (get_cred(current_cred()))
0332
0333 /**
0334  * get_current_user - Get the current task's user_struct
0335  *
0336  * Get the user record of the current task, pinning it so that it can't go
0337  * away.
0338  */
0339 #define get_current_user()              \
0340 ({                          \
0341     struct user_struct *__u;            \
0342     const struct cred *__cred;          \
0343     __cred = current_cred();            \
0344     __u = get_uid(__cred->user);            \
0345     __u;                        \
0346 })
0347
0348 /**
0349  * get_current_groups - Get the current task's supplementary group list
0350  *
0351  * Get the supplementary group list of the current task, pinning it so that it
0352  * can't go away.
0353  */
0354 #define get_current_groups()                \
0355 ({                          \
0356     struct group_info *__groups;            \
0357     const struct cred *__cred;          \
0358     __cred = current_cred();            \
0359     __groups = get_group_info(__cred->group_info);  \
0360     __groups;                   \
0361 })
0362
0363 #define task_cred_xxx(task, xxx)            \
0364 ({                          \
0365     __typeof__(((struct cred *)NULL)->xxx) ___val;  \
0366     rcu_read_lock();                \
0367     ___val = __task_cred((task))->xxx;      \
0368     rcu_read_unlock();              \
0369     ___val;                     \
0370 })
0371
0372 #define task_uid(task)      (task_cred_xxx((task), uid))
0373 #define task_euid(task)     (task_cred_xxx((task), euid))
0374 #define task_ucounts(task)  (task_cred_xxx((task), ucounts))
0375
0376 #define current_cred_xxx(xxx)           \
0377 ({                      \
0378     current_cred()->xxx;            \
0379 })
0380
0381 #define current_uid()       (current_cred_xxx(uid))
0382 #define current_gid()       (current_cred_xxx(gid))
0383 #define current_euid()      (current_cred_xxx(euid))
0384 #define current_egid()      (current_cred_xxx(egid))
0385 #define current_suid()      (current_cred_xxx(suid))
0386 #define current_sgid()      (current_cred_xxx(sgid))
0387 #define current_fsuid()     (current_cred_xxx(fsuid))
0388 #define current_fsgid()     (current_cred_xxx(fsgid))
0389 #define current_cap()       (current_cred_xxx(cap_effective))
0390 #define current_user()      (current_cred_xxx(user))
0391 #define current_ucounts()   (current_cred_xxx(ucounts))
0392
0393 extern struct user_namespace init_user_ns;
0394 #ifdef CONFIG_USER_NS
0395 #define current_user_ns()   (current_cred_xxx(user_ns))
0396 #else
0397 static inline struct user_namespace *current_user_ns(void)
0398 {
0399     return &init_user_ns;
0400 }
0401 #endif
0402
0403
0404 #define current_uid_gid(_uid, _gid)     \
0405 do {                        \
0406     const struct cred *__cred;      \
0407     __cred = current_cred();        \
0408     *(_uid) = __cred->uid;          \
0409     *(_gid) = __cred->gid;          \
0410 } while(0)
0411
0412 #define current_euid_egid(_euid, _egid)     \
0413 do {                        \
0414     const struct cred *__cred;      \
0415     __cred = current_cred();        \
0416     *(_euid) = __cred->euid;        \
0417     *(_egid) = __cred->egid;        \
0418 } while(0)
0419
0420 #define current_fsuid_fsgid(_fsuid, _fsgid) \
0421 do {                        \
0422     const struct cred *__cred;      \
0423     __cred = current_cred();        \
0424     *(_fsuid) = __cred->fsuid;      \
0425     *(_fsgid) = __cred->fsgid;      \
0426 } while(0)
0427
0428 #endif /* _LINUX_CRED_H */