security/keys/key.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* Basic authentication token and access key management
0003  *
0004  * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #include <linux/export.h>
0009 #include <linux/init.h>
0010 #include <linux/poison.h>
0011 #include <linux/sched.h>
0012 #include <linux/slab.h>
0013 #include <linux/security.h>
0014 #include <linux/workqueue.h>
0015 #include <linux/random.h>
0016 #include <linux/ima.h>
0017 #include <linux/err.h>
0018 #include "internal.h"
0019
0020 struct kmem_cache *key_jar;
0021 struct rb_root      key_serial_tree; /* tree of keys indexed by serial */
0022 DEFINE_SPINLOCK(key_serial_lock);
0023
0024 struct rb_root  key_user_tree; /* tree of quota records indexed by UID */
0025 DEFINE_SPINLOCK(key_user_lock);
0026
0027 unsigned int key_quota_root_maxkeys = 1000000;  /* root's key count quota */
0028 unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */
0029 unsigned int key_quota_maxkeys = 200;       /* general key count quota */
0030 unsigned int key_quota_maxbytes = 20000;    /* general key space quota */
0031
0032 static LIST_HEAD(key_types_list);
0033 static DECLARE_RWSEM(key_types_sem);
0034
0035 /* We serialise key instantiation and link */
0036 DEFINE_MUTEX(key_construction_mutex);
0037
0038 #ifdef KEY_DEBUGGING
0039 void __key_check(const struct key *key)
0040 {
0041     printk("__key_check: key %p {%08x} should be {%08x}\n",
0042            key, key->magic, KEY_DEBUG_MAGIC);
0043     BUG();
0044 }
0045 #endif
0046
0047 /*
0048  * Get the key quota record for a user, allocating a new record if one doesn't
0049  * already exist.
0050  */
0051 struct key_user *key_user_lookup(kuid_t uid)
0052 {
0053     struct key_user *candidate = NULL, *user;
0054     struct rb_node *parent, **p;
0055
0056 try_again:
0057     parent = NULL;
0058     p = &key_user_tree.rb_node;
0059     spin_lock(&key_user_lock);
0060
0061     /* search the tree for a user record with a matching UID */
0062     while (*p) {
0063         parent = *p;
0064         user = rb_entry(parent, struct key_user, node);
0065
0066         if (uid_lt(uid, user->uid))
0067             p = &(*p)->rb_left;
0068         else if (uid_gt(uid, user->uid))
0069             p = &(*p)->rb_right;
0070         else
0071             goto found;
0072     }
0073
0074     /* if we get here, we failed to find a match in the tree */
0075     if (!candidate) {
0076         /* allocate a candidate user record if we don't already have
0077          * one */
0078         spin_unlock(&key_user_lock);
0079
0080         user = NULL;
0081         candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL);
0082         if (unlikely(!candidate))
0083             goto out;
0084
0085         /* the allocation may have scheduled, so we need to repeat the
0086          * search lest someone else added the record whilst we were
0087          * asleep */
0088         goto try_again;
0089     }
0090
0091     /* if we get here, then the user record still hadn't appeared on the
0092      * second pass - so we use the candidate record */
0093     refcount_set(&candidate->usage, 1);
0094     atomic_set(&candidate->nkeys, 0);
0095     atomic_set(&candidate->nikeys, 0);
0096     candidate->uid = uid;
0097     candidate->qnkeys = 0;
0098     candidate->qnbytes = 0;
0099     spin_lock_init(&candidate->lock);
0100     mutex_init(&candidate->cons_lock);
0101
0102     rb_link_node(&candidate->node, parent, p);
0103     rb_insert_color(&candidate->node, &key_user_tree);
0104     spin_unlock(&key_user_lock);
0105     user = candidate;
0106     goto out;
0107
0108     /* okay - we found a user record for this UID */
0109 found:
0110     refcount_inc(&user->usage);
0111     spin_unlock(&key_user_lock);
0112     kfree(candidate);
0113 out:
0114     return user;
0115 }
0116
0117 /*
0118  * Dispose of a user structure
0119  */
0120 void key_user_put(struct key_user *user)
0121 {
0122     if (refcount_dec_and_lock(&user->usage, &key_user_lock)) {
0123         rb_erase(&user->node, &key_user_tree);
0124         spin_unlock(&key_user_lock);
0125
0126         kfree(user);
0127     }
0128 }
0129
0130 /*
0131  * Allocate a serial number for a key.  These are assigned randomly to avoid
0132  * security issues through covert channel problems.
0133  */
0134 static inline void key_alloc_serial(struct key *key)
0135 {
0136     struct rb_node *parent, **p;
0137     struct key *xkey;
0138
0139     /* propose a random serial number and look for a hole for it in the
0140      * serial number tree */
0141     do {
0142         get_random_bytes(&key->serial, sizeof(key->serial));
0143
0144         key->serial >>= 1; /* negative numbers are not permitted */
0145     } while (key->serial < 3);
0146
0147     spin_lock(&key_serial_lock);
0148
0149 attempt_insertion:
0150     parent = NULL;
0151     p = &key_serial_tree.rb_node;
0152
0153     while (*p) {
0154         parent = *p;
0155         xkey = rb_entry(parent, struct key, serial_node);
0156
0157         if (key->serial < xkey->serial)
0158             p = &(*p)->rb_left;
0159         else if (key->serial > xkey->serial)
0160             p = &(*p)->rb_right;
0161         else
0162             goto serial_exists;
0163     }
0164
0165     /* we've found a suitable hole - arrange for this key to occupy it */
0166     rb_link_node(&key->serial_node, parent, p);
0167     rb_insert_color(&key->serial_node, &key_serial_tree);
0168
0169     spin_unlock(&key_serial_lock);
0170     return;
0171
0172     /* we found a key with the proposed serial number - walk the tree from
0173      * that point looking for the next unused serial number */
0174 serial_exists:
0175     for (;;) {
0176         key->serial++;
0177         if (key->serial < 3) {
0178             key->serial = 3;
0179             goto attempt_insertion;
0180         }
0181
0182         parent = rb_next(parent);
0183         if (!parent)
0184             goto attempt_insertion;
0185
0186         xkey = rb_entry(parent, struct key, serial_node);
0187         if (key->serial < xkey->serial)
0188             goto attempt_insertion;
0189     }
0190 }
0191
0192 /**
0193  * key_alloc - Allocate a key of the specified type.
0194  * @type: The type of key to allocate.
0195  * @desc: The key description to allow the key to be searched out.
0196  * @uid: The owner of the new key.
0197  * @gid: The group ID for the new key's group permissions.
0198  * @cred: The credentials specifying UID namespace.
0199  * @perm: The permissions mask of the new key.
0200  * @flags: Flags specifying quota properties.
0201  * @restrict_link: Optional link restriction for new keyrings.
0202  *
0203  * Allocate a key of the specified type with the attributes given.  The key is
0204  * returned in an uninstantiated state and the caller needs to instantiate the
0205  * key before returning.
0206  *
0207  * The restrict_link structure (if not NULL) will be freed when the
0208  * keyring is destroyed, so it must be dynamically allocated.
0209  *
0210  * The user's key count quota is updated to reflect the creation of the key and
0211  * the user's key data quota has the default for the key type reserved.  The
0212  * instantiation function should amend this as necessary.  If insufficient
0213  * quota is available, -EDQUOT will be returned.
0214  *
0215  * The LSM security modules can prevent a key being created, in which case
0216  * -EACCES will be returned.
0217  *
0218  * Returns a pointer to the new key if successful and an error code otherwise.
0219  *
0220  * Note that the caller needs to ensure the key type isn't uninstantiated.
0221  * Internally this can be done by locking key_types_sem.  Externally, this can
0222  * be done by either never unregistering the key type, or making sure
0223  * key_alloc() calls don't race with module unloading.
0224  */
0225 struct key *key_alloc(struct key_type *type, const char *desc,
0226               kuid_t uid, kgid_t gid, const struct cred *cred,
0227               key_perm_t perm, unsigned long flags,
0228               struct key_restriction *restrict_link)
0229 {
0230     struct key_user *user = NULL;
0231     struct key *key;
0232     size_t desclen, quotalen;
0233     int ret;
0234
0235     key = ERR_PTR(-EINVAL);
0236     if (!desc || !*desc)
0237         goto error;
0238
0239     if (type->vet_description) {
0240         ret = type->vet_description(desc);
0241         if (ret < 0) {
0242             key = ERR_PTR(ret);
0243             goto error;
0244         }
0245     }
0246
0247     desclen = strlen(desc);
0248     quotalen = desclen + 1 + type->def_datalen;
0249
0250     /* get hold of the key tracking for this user */
0251     user = key_user_lookup(uid);
0252     if (!user)
0253         goto no_memory_1;
0254
0255     /* check that the user's quota permits allocation of another key and
0256      * its description */
0257     if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
0258         unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ?
0259             key_quota_root_maxkeys : key_quota_maxkeys;
0260         unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ?
0261             key_quota_root_maxbytes : key_quota_maxbytes;
0262
0263         spin_lock(&user->lock);
0264         if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
0265             if (user->qnkeys + 1 > maxkeys ||
0266                 user->qnbytes + quotalen > maxbytes ||
0267                 user->qnbytes + quotalen < user->qnbytes)
0268                 goto no_quota;
0269         }
0270
0271         user->qnkeys++;
0272         user->qnbytes += quotalen;
0273         spin_unlock(&user->lock);
0274     }
0275
0276     /* allocate and initialise the key and its description */
0277     key = kmem_cache_zalloc(key_jar, GFP_KERNEL);
0278     if (!key)
0279         goto no_memory_2;
0280
0281     key->index_key.desc_len = desclen;
0282     key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
0283     if (!key->index_key.description)
0284         goto no_memory_3;
0285     key->index_key.type = type;
0286     key_set_index_key(&key->index_key);
0287
0288     refcount_set(&key->usage, 1);
0289     init_rwsem(&key->sem);
0290     lockdep_set_class(&key->sem, &type->lock_class);
0291     key->user = user;
0292     key->quotalen = quotalen;
0293     key->datalen = type->def_datalen;
0294     key->uid = uid;
0295     key->gid = gid;
0296     key->perm = perm;
0297     key->restrict_link = restrict_link;
0298     key->last_used_at = ktime_get_real_seconds();
0299
0300     if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
0301         key->flags |= 1 << KEY_FLAG_IN_QUOTA;
0302     if (flags & KEY_ALLOC_BUILT_IN)
0303         key->flags |= 1 << KEY_FLAG_BUILTIN;
0304     if (flags & KEY_ALLOC_UID_KEYRING)
0305         key->flags |= 1 << KEY_FLAG_UID_KEYRING;
0306     if (flags & KEY_ALLOC_SET_KEEP)
0307         key->flags |= 1 << KEY_FLAG_KEEP;
0308
0309 #ifdef KEY_DEBUGGING
0310     key->magic = KEY_DEBUG_MAGIC;
0311 #endif
0312
0313     /* let the security module know about the key */
0314     ret = security_key_alloc(key, cred, flags);
0315     if (ret < 0)
0316         goto security_error;
0317
0318     /* publish the key by giving it a serial number */
0319     refcount_inc(&key->domain_tag->usage);
0320     atomic_inc(&user->nkeys);
0321     key_alloc_serial(key);
0322
0323 error:
0324     return key;
0325
0326 security_error:
0327     kfree(key->description);
0328     kmem_cache_free(key_jar, key);
0329     if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
0330         spin_lock(&user->lock);
0331         user->qnkeys--;
0332         user->qnbytes -= quotalen;
0333         spin_unlock(&user->lock);
0334     }
0335     key_user_put(user);
0336     key = ERR_PTR(ret);
0337     goto error;
0338
0339 no_memory_3:
0340     kmem_cache_free(key_jar, key);
0341 no_memory_2:
0342     if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
0343         spin_lock(&user->lock);
0344         user->qnkeys--;
0345         user->qnbytes -= quotalen;
0346         spin_unlock(&user->lock);
0347     }
0348     key_user_put(user);
0349 no_memory_1:
0350     key = ERR_PTR(-ENOMEM);
0351     goto error;
0352
0353 no_quota:
0354     spin_unlock(&user->lock);
0355     key_user_put(user);
0356     key = ERR_PTR(-EDQUOT);
0357     goto error;
0358 }
0359 EXPORT_SYMBOL(key_alloc);
0360
0361 /**
0362  * key_payload_reserve - Adjust data quota reservation for the key's payload
0363  * @key: The key to make the reservation for.
0364  * @datalen: The amount of data payload the caller now wants.
0365  *
0366  * Adjust the amount of the owning user's key data quota that a key reserves.
0367  * If the amount is increased, then -EDQUOT may be returned if there isn't
0368  * enough free quota available.
0369  *
0370  * If successful, 0 is returned.
0371  */
0372 int key_payload_reserve(struct key *key, size_t datalen)
0373 {
0374     int delta = (int)datalen - key->datalen;
0375     int ret = 0;
0376
0377     key_check(key);
0378
0379     /* contemplate the quota adjustment */
0380     if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
0381         unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ?
0382             key_quota_root_maxbytes : key_quota_maxbytes;
0383
0384         spin_lock(&key->user->lock);
0385
0386         if (delta > 0 &&
0387             (key->user->qnbytes + delta > maxbytes ||
0388              key->user->qnbytes + delta < key->user->qnbytes)) {
0389             ret = -EDQUOT;
0390         }
0391         else {
0392             key->user->qnbytes += delta;
0393             key->quotalen += delta;
0394         }
0395         spin_unlock(&key->user->lock);
0396     }
0397
0398     /* change the recorded data length if that didn't generate an error */
0399     if (ret == 0)
0400         key->datalen = datalen;
0401
0402     return ret;
0403 }
0404 EXPORT_SYMBOL(key_payload_reserve);
0405
0406 /*
0407  * Change the key state to being instantiated.
0408  */
0409 static void mark_key_instantiated(struct key *key, int reject_error)
0410 {
0411     /* Commit the payload before setting the state; barrier versus
0412      * key_read_state().
0413      */
0414     smp_store_release(&key->state,
0415               (reject_error < 0) ? reject_error : KEY_IS_POSITIVE);
0416 }
0417
0418 /*
0419  * Instantiate a key and link it into the target keyring atomically.  Must be
0420  * called with the target keyring's semaphore writelocked.  The target key's
0421  * semaphore need not be locked as instantiation is serialised by
0422  * key_construction_mutex.
0423  */
0424 static int __key_instantiate_and_link(struct key *key,
0425                       struct key_preparsed_payload *prep,
0426                       struct key *keyring,
0427                       struct key *authkey,
0428                       struct assoc_array_edit **_edit)
0429 {
0430     int ret, awaken;
0431
0432     key_check(key);
0433     key_check(keyring);
0434
0435     awaken = 0;
0436     ret = -EBUSY;
0437
0438     mutex_lock(&key_construction_mutex);
0439
0440     /* can't instantiate twice */
0441     if (key->state == KEY_IS_UNINSTANTIATED) {
0442         /* instantiate the key */
0443         ret = key->type->instantiate(key, prep);
0444
0445         if (ret == 0) {
0446             /* mark the key as being instantiated */
0447             atomic_inc(&key->user->nikeys);
0448             mark_key_instantiated(key, 0);
0449             notify_key(key, NOTIFY_KEY_INSTANTIATED, 0);
0450
0451             if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
0452                 awaken = 1;
0453
0454             /* and link it into the destination keyring */
0455             if (keyring) {
0456                 if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
0457                     set_bit(KEY_FLAG_KEEP, &key->flags);
0458
0459                 __key_link(keyring, key, _edit);
0460             }
0461
0462             /* disable the authorisation key */
0463             if (authkey)
0464                 key_invalidate(authkey);
0465
0466             if (prep->expiry != TIME64_MAX) {
0467                 key->expiry = prep->expiry;
0468                 key_schedule_gc(prep->expiry + key_gc_delay);
0469             }
0470         }
0471     }
0472
0473     mutex_unlock(&key_construction_mutex);
0474
0475     /* wake up anyone waiting for a key to be constructed */
0476     if (awaken)
0477         wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
0478
0479     return ret;
0480 }
0481
0482 /**
0483  * key_instantiate_and_link - Instantiate a key and link it into the keyring.
0484  * @key: The key to instantiate.
0485  * @data: The data to use to instantiate the keyring.
0486  * @datalen: The length of @data.
0487  * @keyring: Keyring to create a link in on success (or NULL).
0488  * @authkey: The authorisation token permitting instantiation.
0489  *
0490  * Instantiate a key that's in the uninstantiated state using the provided data
0491  * and, if successful, link it in to the destination keyring if one is
0492  * supplied.
0493  *
0494  * If successful, 0 is returned, the authorisation token is revoked and anyone
0495  * waiting for the key is woken up.  If the key was already instantiated,
0496  * -EBUSY will be returned.
0497  */
0498 int key_instantiate_and_link(struct key *key,
0499                  const void *data,
0500                  size_t datalen,
0501                  struct key *keyring,
0502                  struct key *authkey)
0503 {
0504     struct key_preparsed_payload prep;
0505     struct assoc_array_edit *edit = NULL;
0506     int ret;
0507
0508     memset(&prep, 0, sizeof(prep));
0509     prep.orig_description = key->description;
0510     prep.data = data;
0511     prep.datalen = datalen;
0512     prep.quotalen = key->type->def_datalen;
0513     prep.expiry = TIME64_MAX;
0514     if (key->type->preparse) {
0515         ret = key->type->preparse(&prep);
0516         if (ret < 0)
0517             goto error;
0518     }
0519
0520     if (keyring) {
0521         ret = __key_link_lock(keyring, &key->index_key);
0522         if (ret < 0)
0523             goto error;
0524
0525         ret = __key_link_begin(keyring, &key->index_key, &edit);
0526         if (ret < 0)
0527             goto error_link_end;
0528
0529         if (keyring->restrict_link && keyring->restrict_link->check) {
0530             struct key_restriction *keyres = keyring->restrict_link;
0531
0532             ret = keyres->check(keyring, key->type, &prep.payload,
0533                         keyres->key);
0534             if (ret < 0)
0535                 goto error_link_end;
0536         }
0537     }
0538
0539     ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
0540
0541 error_link_end:
0542     if (keyring)
0543         __key_link_end(keyring, &key->index_key, edit);
0544
0545 error:
0546     if (key->type->preparse)
0547         key->type->free_preparse(&prep);
0548     return ret;
0549 }
0550
0551 EXPORT_SYMBOL(key_instantiate_and_link);
0552
0553 /**
0554  * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
0555  * @key: The key to instantiate.
0556  * @timeout: The timeout on the negative key.
0557  * @error: The error to return when the key is hit.
0558  * @keyring: Keyring to create a link in on success (or NULL).
0559  * @authkey: The authorisation token permitting instantiation.
0560  *
0561  * Negatively instantiate a key that's in the uninstantiated state and, if
0562  * successful, set its timeout and stored error and link it in to the
0563  * destination keyring if one is supplied.  The key and any links to the key
0564  * will be automatically garbage collected after the timeout expires.
0565  *
0566  * Negative keys are used to rate limit repeated request_key() calls by causing
0567  * them to return the stored error code (typically ENOKEY) until the negative
0568  * key expires.
0569  *
0570  * If successful, 0 is returned, the authorisation token is revoked and anyone
0571  * waiting for the key is woken up.  If the key was already instantiated,
0572  * -EBUSY will be returned.
0573  */
0574 int key_reject_and_link(struct key *key,
0575             unsigned timeout,
0576             unsigned error,
0577             struct key *keyring,
0578             struct key *authkey)
0579 {
0580     struct assoc_array_edit *edit = NULL;
0581     int ret, awaken, link_ret = 0;
0582
0583     key_check(key);
0584     key_check(keyring);
0585
0586     awaken = 0;
0587     ret = -EBUSY;
0588
0589     if (keyring) {
0590         if (keyring->restrict_link)
0591             return -EPERM;
0592
0593         link_ret = __key_link_lock(keyring, &key->index_key);
0594         if (link_ret == 0) {
0595             link_ret = __key_link_begin(keyring, &key->index_key, &edit);
0596             if (link_ret < 0)
0597                 __key_link_end(keyring, &key->index_key, edit);
0598         }
0599     }
0600
0601     mutex_lock(&key_construction_mutex);
0602
0603     /* can't instantiate twice */
0604     if (key->state == KEY_IS_UNINSTANTIATED) {
0605         /* mark the key as being negatively instantiated */
0606         atomic_inc(&key->user->nikeys);
0607         mark_key_instantiated(key, -error);
0608         notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
0609         key->expiry = ktime_get_real_seconds() + timeout;
0610         key_schedule_gc(key->expiry + key_gc_delay);
0611
0612         if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
0613             awaken = 1;
0614
0615         ret = 0;
0616
0617         /* and link it into the destination keyring */
0618         if (keyring && link_ret == 0)
0619             __key_link(keyring, key, &edit);
0620
0621         /* disable the authorisation key */
0622         if (authkey)
0623             key_invalidate(authkey);
0624     }
0625
0626     mutex_unlock(&key_construction_mutex);
0627
0628     if (keyring && link_ret == 0)
0629         __key_link_end(keyring, &key->index_key, edit);
0630
0631     /* wake up anyone waiting for a key to be constructed */
0632     if (awaken)
0633         wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
0634
0635     return ret == 0 ? link_ret : ret;
0636 }
0637 EXPORT_SYMBOL(key_reject_and_link);
0638
0639 /**
0640  * key_put - Discard a reference to a key.
0641  * @key: The key to discard a reference from.
0642  *
0643  * Discard a reference to a key, and when all the references are gone, we
0644  * schedule the cleanup task to come and pull it out of the tree in process
0645  * context at some later time.
0646  */
0647 void key_put(struct key *key)
0648 {
0649     if (key) {
0650         key_check(key);
0651
0652         if (refcount_dec_and_test(&key->usage))
0653             schedule_work(&key_gc_work);
0654     }
0655 }
0656 EXPORT_SYMBOL(key_put);
0657
0658 /*
0659  * Find a key by its serial number.
0660  */
0661 struct key *key_lookup(key_serial_t id)
0662 {
0663     struct rb_node *n;
0664     struct key *key;
0665
0666     spin_lock(&key_serial_lock);
0667
0668     /* search the tree for the specified key */
0669     n = key_serial_tree.rb_node;
0670     while (n) {
0671         key = rb_entry(n, struct key, serial_node);
0672
0673         if (id < key->serial)
0674             n = n->rb_left;
0675         else if (id > key->serial)
0676             n = n->rb_right;
0677         else
0678             goto found;
0679     }
0680
0681 not_found:
0682     key = ERR_PTR(-ENOKEY);
0683     goto error;
0684
0685 found:
0686     /* A key is allowed to be looked up only if someone still owns a
0687      * reference to it - otherwise it's awaiting the gc.
0688      */
0689     if (!refcount_inc_not_zero(&key->usage))
0690         goto not_found;
0691
0692 error:
0693     spin_unlock(&key_serial_lock);
0694     return key;
0695 }
0696
0697 /*
0698  * Find and lock the specified key type against removal.
0699  *
0700  * We return with the sem read-locked if successful.  If the type wasn't
0701  * available -ENOKEY is returned instead.
0702  */
0703 struct key_type *key_type_lookup(const char *type)
0704 {
0705     struct key_type *ktype;
0706
0707     down_read(&key_types_sem);
0708
0709     /* look up the key type to see if it's one of the registered kernel
0710      * types */
0711     list_for_each_entry(ktype, &key_types_list, link) {
0712         if (strcmp(ktype->name, type) == 0)
0713             goto found_kernel_type;
0714     }
0715
0716     up_read(&key_types_sem);
0717     ktype = ERR_PTR(-ENOKEY);
0718
0719 found_kernel_type:
0720     return ktype;
0721 }
0722
0723 void key_set_timeout(struct key *key, unsigned timeout)
0724 {
0725     time64_t expiry = 0;
0726
0727     /* make the changes with the locks held to prevent races */
0728     down_write(&key->sem);
0729
0730     if (timeout > 0)
0731         expiry = ktime_get_real_seconds() + timeout;
0732
0733     key->expiry = expiry;
0734     key_schedule_gc(key->expiry + key_gc_delay);
0735
0736     up_write(&key->sem);
0737 }
0738 EXPORT_SYMBOL_GPL(key_set_timeout);
0739
0740 /*
0741  * Unlock a key type locked by key_type_lookup().
0742  */
0743 void key_type_put(struct key_type *ktype)
0744 {
0745     up_read(&key_types_sem);
0746 }
0747
0748 /*
0749  * Attempt to update an existing key.
0750  *
0751  * The key is given to us with an incremented refcount that we need to discard
0752  * if we get an error.
0753  */
0754 static inline key_ref_t __key_update(key_ref_t key_ref,
0755                      struct key_preparsed_payload *prep)
0756 {
0757     struct key *key = key_ref_to_ptr(key_ref);
0758     int ret;
0759
0760     /* need write permission on the key to update it */
0761     ret = key_permission(key_ref, KEY_NEED_WRITE);
0762     if (ret < 0)
0763         goto error;
0764
0765     ret = -EEXIST;
0766     if (!key->type->update)
0767         goto error;
0768
0769     down_write(&key->sem);
0770
0771     ret = key->type->update(key, prep);
0772     if (ret == 0) {
0773         /* Updating a negative key positively instantiates it */
0774         mark_key_instantiated(key, 0);
0775         notify_key(key, NOTIFY_KEY_UPDATED, 0);
0776     }
0777
0778     up_write(&key->sem);
0779
0780     if (ret < 0)
0781         goto error;
0782 out:
0783     return key_ref;
0784
0785 error:
0786     key_put(key);
0787     key_ref = ERR_PTR(ret);
0788     goto out;
0789 }
0790
0791 /**
0792  * key_create_or_update - Update or create and instantiate a key.
0793  * @keyring_ref: A pointer to the destination keyring with possession flag.
0794  * @type: The type of key.
0795  * @description: The searchable description for the key.
0796  * @payload: The data to use to instantiate or update the key.
0797  * @plen: The length of @payload.
0798  * @perm: The permissions mask for a new key.
0799  * @flags: The quota flags for a new key.
0800  *
0801  * Search the destination keyring for a key of the same description and if one
0802  * is found, update it, otherwise create and instantiate a new one and create a
0803  * link to it from that keyring.
0804  *
0805  * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
0806  * concocted.
0807  *
0808  * Returns a pointer to the new key if successful, -ENODEV if the key type
0809  * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
0810  * caller isn't permitted to modify the keyring or the LSM did not permit
0811  * creation of the key.
0812  *
0813  * On success, the possession flag from the keyring ref will be tacked on to
0814  * the key ref before it is returned.
0815  */
0816 key_ref_t key_create_or_update(key_ref_t keyring_ref,
0817                    const char *type,
0818                    const char *description,
0819                    const void *payload,
0820                    size_t plen,
0821                    key_perm_t perm,
0822                    unsigned long flags)
0823 {
0824     struct keyring_index_key index_key = {
0825         .description    = description,
0826     };
0827     struct key_preparsed_payload prep;
0828     struct assoc_array_edit *edit = NULL;
0829     const struct cred *cred = current_cred();
0830     struct key *keyring, *key = NULL;
0831     key_ref_t key_ref;
0832     int ret;
0833     struct key_restriction *restrict_link = NULL;
0834
0835     /* look up the key type to see if it's one of the registered kernel
0836      * types */
0837     index_key.type = key_type_lookup(type);
0838     if (IS_ERR(index_key.type)) {
0839         key_ref = ERR_PTR(-ENODEV);
0840         goto error;
0841     }
0842
0843     key_ref = ERR_PTR(-EINVAL);
0844     if (!index_key.type->instantiate ||
0845         (!index_key.description && !index_key.type->preparse))
0846         goto error_put_type;
0847
0848     keyring = key_ref_to_ptr(keyring_ref);
0849
0850     key_check(keyring);
0851
0852     if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION))
0853         restrict_link = keyring->restrict_link;
0854
0855     key_ref = ERR_PTR(-ENOTDIR);
0856     if (keyring->type != &key_type_keyring)
0857         goto error_put_type;
0858
0859     memset(&prep, 0, sizeof(prep));
0860     prep.orig_description = description;
0861     prep.data = payload;
0862     prep.datalen = plen;
0863     prep.quotalen = index_key.type->def_datalen;
0864     prep.expiry = TIME64_MAX;
0865     if (index_key.type->preparse) {
0866         ret = index_key.type->preparse(&prep);
0867         if (ret < 0) {
0868             key_ref = ERR_PTR(ret);
0869             goto error_free_prep;
0870         }
0871         if (!index_key.description)
0872             index_key.description = prep.description;
0873         key_ref = ERR_PTR(-EINVAL);
0874         if (!index_key.description)
0875             goto error_free_prep;
0876     }
0877     index_key.desc_len = strlen(index_key.description);
0878     key_set_index_key(&index_key);
0879
0880     ret = __key_link_lock(keyring, &index_key);
0881     if (ret < 0) {
0882         key_ref = ERR_PTR(ret);
0883         goto error_free_prep;
0884     }
0885
0886     ret = __key_link_begin(keyring, &index_key, &edit);
0887     if (ret < 0) {
0888         key_ref = ERR_PTR(ret);
0889         goto error_link_end;
0890     }
0891
0892     if (restrict_link && restrict_link->check) {
0893         ret = restrict_link->check(keyring, index_key.type,
0894                        &prep.payload, restrict_link->key);
0895         if (ret < 0) {
0896             key_ref = ERR_PTR(ret);
0897             goto error_link_end;
0898         }
0899     }
0900
0901     /* if we're going to allocate a new key, we're going to have
0902      * to modify the keyring */
0903     ret = key_permission(keyring_ref, KEY_NEED_WRITE);
0904     if (ret < 0) {
0905         key_ref = ERR_PTR(ret);
0906         goto error_link_end;
0907     }
0908
0909     /* if it's possible to update this type of key, search for an existing
0910      * key of the same type and description in the destination keyring and
0911      * update that instead if possible
0912      */
0913     if (index_key.type->update) {
0914         key_ref = find_key_to_update(keyring_ref, &index_key);
0915         if (key_ref)
0916             goto found_matching_key;
0917     }
0918
0919     /* if the client doesn't provide, decide on the permissions we want */
0920     if (perm == KEY_PERM_UNDEF) {
0921         perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
0922         perm |= KEY_USR_VIEW;
0923
0924         if (index_key.type->read)
0925             perm |= KEY_POS_READ;
0926
0927         if (index_key.type == &key_type_keyring ||
0928             index_key.type->update)
0929             perm |= KEY_POS_WRITE;
0930     }
0931
0932     /* allocate a new key */
0933     key = key_alloc(index_key.type, index_key.description,
0934             cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
0935     if (IS_ERR(key)) {
0936         key_ref = ERR_CAST(key);
0937         goto error_link_end;
0938     }
0939
0940     /* instantiate it and link it into the target keyring */
0941     ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
0942     if (ret < 0) {
0943         key_put(key);
0944         key_ref = ERR_PTR(ret);
0945         goto error_link_end;
0946     }
0947
0948     ima_post_key_create_or_update(keyring, key, payload, plen,
0949                       flags, true);
0950
0951     key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
0952
0953 error_link_end:
0954     __key_link_end(keyring, &index_key, edit);
0955 error_free_prep:
0956     if (index_key.type->preparse)
0957         index_key.type->free_preparse(&prep);
0958 error_put_type:
0959     key_type_put(index_key.type);
0960 error:
0961     return key_ref;
0962
0963  found_matching_key:
0964     /* we found a matching key, so we're going to try to update it
0965      * - we can drop the locks first as we have the key pinned
0966      */
0967     __key_link_end(keyring, &index_key, edit);
0968
0969     key = key_ref_to_ptr(key_ref);
0970     if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) {
0971         ret = wait_for_key_construction(key, true);
0972         if (ret < 0) {
0973             key_ref_put(key_ref);
0974             key_ref = ERR_PTR(ret);
0975             goto error_free_prep;
0976         }
0977     }
0978
0979     key_ref = __key_update(key_ref, &prep);
0980
0981     if (!IS_ERR(key_ref))
0982         ima_post_key_create_or_update(keyring, key,
0983                           payload, plen,
0984                           flags, false);
0985
0986     goto error_free_prep;
0987 }
0988 EXPORT_SYMBOL(key_create_or_update);
0989
0990 /**
0991  * key_update - Update a key's contents.
0992  * @key_ref: The pointer (plus possession flag) to the key.
0993  * @payload: The data to be used to update the key.
0994  * @plen: The length of @payload.
0995  *
0996  * Attempt to update the contents of a key with the given payload data.  The
0997  * caller must be granted Write permission on the key.  Negative keys can be
0998  * instantiated by this method.
0999  *
1000  * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key
1001  * type does not support updating.  The key type may return other errors.
1002  */
1003 int key_update(key_ref_t key_ref, const void *payload, size_t plen)
1004 {
1005     struct key_preparsed_payload prep;
1006     struct key *key = key_ref_to_ptr(key_ref);
1007     int ret;
1008
1009     key_check(key);
1010
1011     /* the key must be writable */
1012     ret = key_permission(key_ref, KEY_NEED_WRITE);
1013     if (ret < 0)
1014         return ret;
1015
1016     /* attempt to update it if supported */
1017     if (!key->type->update)
1018         return -EOPNOTSUPP;
1019
1020     memset(&prep, 0, sizeof(prep));
1021     prep.data = payload;
1022     prep.datalen = plen;
1023     prep.quotalen = key->type->def_datalen;
1024     prep.expiry = TIME64_MAX;
1025     if (key->type->preparse) {
1026         ret = key->type->preparse(&prep);
1027         if (ret < 0)
1028             goto error;
1029     }
1030
1031     down_write(&key->sem);
1032
1033     ret = key->type->update(key, &prep);
1034     if (ret == 0) {
1035         /* Updating a negative key positively instantiates it */
1036         mark_key_instantiated(key, 0);
1037         notify_key(key, NOTIFY_KEY_UPDATED, 0);
1038     }
1039
1040     up_write(&key->sem);
1041
1042 error:
1043     if (key->type->preparse)
1044         key->type->free_preparse(&prep);
1045     return ret;
1046 }
1047 EXPORT_SYMBOL(key_update);
1048
1049 /**
1050  * key_revoke - Revoke a key.
1051  * @key: The key to be revoked.
1052  *
1053  * Mark a key as being revoked and ask the type to free up its resources.  The
1054  * revocation timeout is set and the key and all its links will be
1055  * automatically garbage collected after key_gc_delay amount of time if they
1056  * are not manually dealt with first.
1057  */
1058 void key_revoke(struct key *key)
1059 {
1060     time64_t time;
1061
1062     key_check(key);
1063
1064     /* make sure no one's trying to change or use the key when we mark it
1065      * - we tell lockdep that we might nest because we might be revoking an
1066      *   authorisation key whilst holding the sem on a key we've just
1067      *   instantiated
1068      */
1069     down_write_nested(&key->sem, 1);
1070     if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) {
1071         notify_key(key, NOTIFY_KEY_REVOKED, 0);
1072         if (key->type->revoke)
1073             key->type->revoke(key);
1074
1075         /* set the death time to no more than the expiry time */
1076         time = ktime_get_real_seconds();
1077         if (key->revoked_at == 0 || key->revoked_at > time) {
1078             key->revoked_at = time;
1079             key_schedule_gc(key->revoked_at + key_gc_delay);
1080         }
1081     }
1082
1083     up_write(&key->sem);
1084 }
1085 EXPORT_SYMBOL(key_revoke);
1086
1087 /**
1088  * key_invalidate - Invalidate a key.
1089  * @key: The key to be invalidated.
1090  *
1091  * Mark a key as being invalidated and have it cleaned up immediately.  The key
1092  * is ignored by all searches and other operations from this point.
1093  */
1094 void key_invalidate(struct key *key)
1095 {
1096     kenter("%d", key_serial(key));
1097
1098     key_check(key);
1099
1100     if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
1101         down_write_nested(&key->sem, 1);
1102         if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
1103             notify_key(key, NOTIFY_KEY_INVALIDATED, 0);
1104             key_schedule_gc_links();
1105         }
1106         up_write(&key->sem);
1107     }
1108 }
1109 EXPORT_SYMBOL(key_invalidate);
1110
1111 /**
1112  * generic_key_instantiate - Simple instantiation of a key from preparsed data
1113  * @key: The key to be instantiated
1114  * @prep: The preparsed data to load.
1115  *
1116  * Instantiate a key from preparsed data.  We assume we can just copy the data
1117  * in directly and clear the old pointers.
1118  *
1119  * This can be pointed to directly by the key type instantiate op pointer.
1120  */
1121 int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
1122 {
1123     int ret;
1124
1125     pr_devel("==>%s()\n", __func__);
1126
1127     ret = key_payload_reserve(key, prep->quotalen);
1128     if (ret == 0) {
1129         rcu_assign_keypointer(key, prep->payload.data[0]);
1130         key->payload.data[1] = prep->payload.data[1];
1131         key->payload.data[2] = prep->payload.data[2];
1132         key->payload.data[3] = prep->payload.data[3];
1133         prep->payload.data[0] = NULL;
1134         prep->payload.data[1] = NULL;
1135         prep->payload.data[2] = NULL;
1136         prep->payload.data[3] = NULL;
1137     }
1138     pr_devel("<==%s() = %d\n", __func__, ret);
1139     return ret;
1140 }
1141 EXPORT_SYMBOL(generic_key_instantiate);
1142
1143 /**
1144  * register_key_type - Register a type of key.
1145  * @ktype: The new key type.
1146  *
1147  * Register a new key type.
1148  *
1149  * Returns 0 on success or -EEXIST if a type of this name already exists.
1150  */
1151 int register_key_type(struct key_type *ktype)
1152 {
1153     struct key_type *p;
1154     int ret;
1155
1156     memset(&ktype->lock_class, 0, sizeof(ktype->lock_class));
1157
1158     ret = -EEXIST;
1159     down_write(&key_types_sem);
1160
1161     /* disallow key types with the same name */
1162     list_for_each_entry(p, &key_types_list, link) {
1163         if (strcmp(p->name, ktype->name) == 0)
1164             goto out;
1165     }
1166
1167     /* store the type */
1168     list_add(&ktype->link, &key_types_list);
1169
1170     pr_notice("Key type %s registered\n", ktype->name);
1171     ret = 0;
1172
1173 out:
1174     up_write(&key_types_sem);
1175     return ret;
1176 }
1177 EXPORT_SYMBOL(register_key_type);
1178
1179 /**
1180  * unregister_key_type - Unregister a type of key.
1181  * @ktype: The key type.
1182  *
1183  * Unregister a key type and mark all the extant keys of this type as dead.
1184  * Those keys of this type are then destroyed to get rid of their payloads and
1185  * they and their links will be garbage collected as soon as possible.
1186  */
1187 void unregister_key_type(struct key_type *ktype)
1188 {
1189     down_write(&key_types_sem);
1190     list_del_init(&ktype->link);
1191     downgrade_write(&key_types_sem);
1192     key_gc_keytype(ktype);
1193     pr_notice("Key type %s unregistered\n", ktype->name);
1194     up_read(&key_types_sem);
1195 }
1196 EXPORT_SYMBOL(unregister_key_type);
1197
1198 /*
1199  * Initialise the key management state.
1200  */
1201 void __init key_init(void)
1202 {
1203     /* allocate a slab in which we can store keys */
1204     key_jar = kmem_cache_create("key_jar", sizeof(struct key),
1205             0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
1206
1207     /* add the special key types */
1208     list_add_tail(&key_type_keyring.link, &key_types_list);
1209     list_add_tail(&key_type_dead.link, &key_types_list);
1210     list_add_tail(&key_type_user.link, &key_types_list);
1211     list_add_tail(&key_type_logon.link, &key_types_list);
1212
1213     /* record the root user tracking */
1214     rb_link_node(&root_key_user.node,
1215              NULL,
1216              &key_user_tree.rb_node);
1217
1218     rb_insert_color(&root_key_user.node,
1219             &key_user_tree);
1220 }