include/linux/key-type.h

0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /* Definitions for key type implementations
0003  *
0004  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #ifndef _LINUX_KEY_TYPE_H
0009 #define _LINUX_KEY_TYPE_H
0010
0011 #include <linux/key.h>
0012 #include <linux/errno.h>
0013
0014 #ifdef CONFIG_KEYS
0015
0016 struct kernel_pkey_query;
0017 struct kernel_pkey_params;
0018
0019 /*
0020  * Pre-parsed payload, used by key add, update and instantiate.
0021  *
0022  * This struct will be cleared and data and datalen will be set with the data
0023  * and length parameters from the caller and quotalen will be set from
0024  * def_datalen from the key type.  Then if the preparse() op is provided by the
0025  * key type, that will be called.  Then the struct will be passed to the
0026  * instantiate() or the update() op.
0027  *
0028  * If the preparse() op is given, the free_preparse() op will be called to
0029  * clear the contents.
0030  */
0031 struct key_preparsed_payload {
0032     const char  *orig_description; /* Actual or proposed description (maybe NULL) */
0033     char        *description;   /* Proposed key description (or NULL) */
0034     union key_payload payload;  /* Proposed payload */
0035     const void  *data;      /* Raw data */
0036     size_t      datalen;    /* Raw datalen */
0037     size_t      quotalen;   /* Quota length for proposed payload */
0038     time64_t    expiry;     /* Expiry time of key */
0039 } __randomize_layout;
0040
0041 typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
0042
0043 /*
0044  * Preparsed matching criterion.
0045  */
0046 struct key_match_data {
0047     /* Comparison function, defaults to exact description match, but can be
0048      * overridden by type->match_preparse().  Should return true if a match
0049      * is found and false if not.
0050      */
0051     bool (*cmp)(const struct key *key,
0052             const struct key_match_data *match_data);
0053
0054     const void  *raw_data;  /* Raw match data */
0055     void        *preparsed; /* For ->match_preparse() to stash stuff */
0056     unsigned    lookup_type;    /* Type of lookup for this search. */
0057 #define KEYRING_SEARCH_LOOKUP_DIRECT    0x0000  /* Direct lookup by description. */
0058 #define KEYRING_SEARCH_LOOKUP_ITERATE   0x0001  /* Iterative search. */
0059 };
0060
0061 /*
0062  * kernel managed key type definition
0063  */
0064 struct key_type {
0065     /* name of the type */
0066     const char *name;
0067
0068     /* default payload length for quota precalculation (optional)
0069      * - this can be used instead of calling key_payload_reserve(), that
0070      *   function only needs to be called if the real datalen is different
0071      */
0072     size_t def_datalen;
0073
0074     unsigned int flags;
0075 #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */
0076
0077     /* vet a description */
0078     int (*vet_description)(const char *description);
0079
0080     /* Preparse the data blob from userspace that is to be the payload,
0081      * generating a proposed description and payload that will be handed to
0082      * the instantiate() and update() ops.
0083      */
0084     int (*preparse)(struct key_preparsed_payload *prep);
0085
0086     /* Free a preparse data structure.
0087      */
0088     void (*free_preparse)(struct key_preparsed_payload *prep);
0089
0090     /* instantiate a key of this type
0091      * - this method should call key_payload_reserve() to determine if the
0092      *   user's quota will hold the payload
0093      */
0094     int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);
0095
0096     /* update a key of this type (optional)
0097      * - this method should call key_payload_reserve() to recalculate the
0098      *   quota consumption
0099      * - the key must be locked against read when modifying
0100      */
0101     int (*update)(struct key *key, struct key_preparsed_payload *prep);
0102
0103     /* Preparse the data supplied to ->match() (optional).  The
0104      * data to be preparsed can be found in match_data->raw_data.
0105      * The lookup type can also be set by this function.
0106      */
0107     int (*match_preparse)(struct key_match_data *match_data);
0108
0109     /* Free preparsed match data (optional).  This should be supplied it
0110      * ->match_preparse() is supplied. */
0111     void (*match_free)(struct key_match_data *match_data);
0112
0113     /* clear some of the data from a key on revokation (optional)
0114      * - the key's semaphore will be write-locked by the caller
0115      */
0116     void (*revoke)(struct key *key);
0117
0118     /* clear the data from a key (optional) */
0119     void (*destroy)(struct key *key);
0120
0121     /* describe a key */
0122     void (*describe)(const struct key *key, struct seq_file *p);
0123
0124     /* read a key's data (optional)
0125      * - permission checks will be done by the caller
0126      * - the key's semaphore will be readlocked by the caller
0127      * - should return the amount of data that could be read, no matter how
0128      *   much is copied into the buffer
0129      * - shouldn't do the copy if the buffer is NULL
0130      */
0131     long (*read)(const struct key *key, char *buffer, size_t buflen);
0132
0133     /* handle request_key() for this type instead of invoking
0134      * /sbin/request-key (optional)
0135      * - key is the key to instantiate
0136      * - authkey is the authority to assume when instantiating this key
0137      * - op is the operation to be done, usually "create"
0138      * - the call must not return until the instantiation process has run
0139      *   its course
0140      */
0141     request_key_actor_t request_key;
0142
0143     /* Look up a keyring access restriction (optional)
0144      *
0145      * - NULL is a valid return value (meaning the requested restriction
0146      *   is known but will never block addition of a key)
0147      * - should return -EINVAL if the restriction is unknown
0148      */
0149     struct key_restriction *(*lookup_restriction)(const char *params);
0150
0151     /* Asymmetric key accessor functions. */
0152     int (*asym_query)(const struct kernel_pkey_params *params,
0153               struct kernel_pkey_query *info);
0154     int (*asym_eds_op)(struct kernel_pkey_params *params,
0155                const void *in, void *out);
0156     int (*asym_verify_signature)(struct kernel_pkey_params *params,
0157                      const void *in, const void *in2);
0158
0159     /* internal fields */
0160     struct list_head    link;       /* link in types list */
0161     struct lock_class_key   lock_class; /* key->sem lock class */
0162 } __randomize_layout;
0163
0164 extern struct key_type key_type_keyring;
0165
0166 extern int register_key_type(struct key_type *ktype);
0167 extern void unregister_key_type(struct key_type *ktype);
0168
0169 extern int key_payload_reserve(struct key *key, size_t datalen);
0170 extern int key_instantiate_and_link(struct key *key,
0171                     const void *data,
0172                     size_t datalen,
0173                     struct key *keyring,
0174                     struct key *authkey);
0175 extern int key_reject_and_link(struct key *key,
0176                    unsigned timeout,
0177                    unsigned error,
0178                    struct key *keyring,
0179                    struct key *authkey);
0180 extern void complete_request_key(struct key *authkey, int error);
0181
0182 static inline int key_negate_and_link(struct key *key,
0183                       unsigned timeout,
0184                       struct key *keyring,
0185                       struct key *authkey)
0186 {
0187     return key_reject_and_link(key, timeout, ENOKEY, keyring, authkey);
0188 }
0189
0190 extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
0191
0192 #endif /* CONFIG_KEYS */
0193 #endif /* _LINUX_KEY_TYPE_H */