1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
2 | /* Definitions for key type implementations |
3 | * |
4 | * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. |
5 | * Written by David Howells (dhowells@redhat.com) |
6 | */ |
7 | |
8 | #ifndef _LINUX_KEY_TYPE_H |
9 | #define _LINUX_KEY_TYPE_H |
10 | |
11 | #include <linux/key.h> |
12 | #include <linux/errno.h> |
13 | |
14 | #ifdef CONFIG_KEYS |
15 | |
16 | struct kernel_pkey_query; |
17 | struct kernel_pkey_params; |
18 | |
19 | /* |
20 | * Pre-parsed payload, used by key add, update and instantiate. |
21 | * |
22 | * This struct will be cleared and data and datalen will be set with the data |
23 | * and length parameters from the caller and quotalen will be set from |
24 | * def_datalen from the key type. Then if the preparse() op is provided by the |
25 | * key type, that will be called. Then the struct will be passed to the |
26 | * instantiate() or the update() op. |
27 | * |
28 | * If the preparse() op is given, the free_preparse() op will be called to |
29 | * clear the contents. |
30 | */ |
31 | struct key_preparsed_payload { |
32 | const char *orig_description; /* Actual or proposed description (maybe NULL) */ |
33 | char *description; /* Proposed key description (or NULL) */ |
34 | union key_payload payload; /* Proposed payload */ |
35 | const void *data; /* Raw data */ |
36 | size_t datalen; /* Raw datalen */ |
37 | size_t quotalen; /* Quota length for proposed payload */ |
38 | time64_t expiry; /* Expiry time of key */ |
39 | } __randomize_layout; |
40 | |
41 | typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); |
42 | |
43 | /* |
44 | * Preparsed matching criterion. |
45 | */ |
46 | struct key_match_data { |
47 | /* Comparison function, defaults to exact description match, but can be |
48 | * overridden by type->match_preparse(). Should return true if a match |
49 | * is found and false if not. |
50 | */ |
51 | bool (*cmp)(const struct key *key, |
52 | const struct key_match_data *match_data); |
53 | |
54 | const void *raw_data; /* Raw match data */ |
55 | void *preparsed; /* For ->match_preparse() to stash stuff */ |
56 | unsigned lookup_type; /* Type of lookup for this search. */ |
57 | #define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */ |
58 | #define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */ |
59 | }; |
60 | |
61 | /* |
62 | * kernel managed key type definition |
63 | */ |
64 | struct key_type { |
65 | /* name of the type */ |
66 | const char *name; |
67 | |
68 | /* default payload length for quota precalculation (optional) |
69 | * - this can be used instead of calling key_payload_reserve(), that |
70 | * function only needs to be called if the real datalen is different |
71 | */ |
72 | size_t def_datalen; |
73 | |
74 | unsigned int flags; |
75 | #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */ |
76 | #define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */ |
77 | |
78 | /* vet a description */ |
79 | int (*vet_description)(const char *description); |
80 | |
81 | /* Preparse the data blob from userspace that is to be the payload, |
82 | * generating a proposed description and payload that will be handed to |
83 | * the instantiate() and update() ops. |
84 | */ |
85 | int (*preparse)(struct key_preparsed_payload *prep); |
86 | |
87 | /* Free a preparse data structure. |
88 | */ |
89 | void (*free_preparse)(struct key_preparsed_payload *prep); |
90 | |
91 | /* instantiate a key of this type |
92 | * - this method should call key_payload_reserve() to determine if the |
93 | * user's quota will hold the payload |
94 | */ |
95 | int (*instantiate)(struct key *key, struct key_preparsed_payload *prep); |
96 | |
97 | /* update a key of this type (optional) |
98 | * - this method should call key_payload_reserve() to recalculate the |
99 | * quota consumption |
100 | * - the key must be locked against read when modifying |
101 | */ |
102 | int (*update)(struct key *key, struct key_preparsed_payload *prep); |
103 | |
104 | /* Preparse the data supplied to ->match() (optional). The |
105 | * data to be preparsed can be found in match_data->raw_data. |
106 | * The lookup type can also be set by this function. |
107 | */ |
108 | int (*match_preparse)(struct key_match_data *match_data); |
109 | |
110 | /* Free preparsed match data (optional). This should be supplied it |
111 | * ->match_preparse() is supplied. */ |
112 | void (*match_free)(struct key_match_data *match_data); |
113 | |
114 | /* clear some of the data from a key on revokation (optional) |
115 | * - the key's semaphore will be write-locked by the caller |
116 | */ |
117 | void (*revoke)(struct key *key); |
118 | |
119 | /* clear the data from a key (optional) */ |
120 | void (*destroy)(struct key *key); |
121 | |
122 | /* describe a key */ |
123 | void (*describe)(const struct key *key, struct seq_file *p); |
124 | |
125 | /* read a key's data (optional) |
126 | * - permission checks will be done by the caller |
127 | * - the key's semaphore will be readlocked by the caller |
128 | * - should return the amount of data that could be read, no matter how |
129 | * much is copied into the buffer |
130 | * - shouldn't do the copy if the buffer is NULL |
131 | */ |
132 | long (*read)(const struct key *key, char *buffer, size_t buflen); |
133 | |
134 | /* handle request_key() for this type instead of invoking |
135 | * /sbin/request-key (optional) |
136 | * - key is the key to instantiate |
137 | * - authkey is the authority to assume when instantiating this key |
138 | * - op is the operation to be done, usually "create" |
139 | * - the call must not return until the instantiation process has run |
140 | * its course |
141 | */ |
142 | request_key_actor_t request_key; |
143 | |
144 | /* Look up a keyring access restriction (optional) |
145 | * |
146 | * - NULL is a valid return value (meaning the requested restriction |
147 | * is known but will never block addition of a key) |
148 | * - should return -EINVAL if the restriction is unknown |
149 | */ |
150 | struct key_restriction *(*lookup_restriction)(const char *params); |
151 | |
152 | /* Asymmetric key accessor functions. */ |
153 | int (*asym_query)(const struct kernel_pkey_params *params, |
154 | struct kernel_pkey_query *info); |
155 | int (*asym_eds_op)(struct kernel_pkey_params *params, |
156 | const void *in, void *out); |
157 | int (*asym_verify_signature)(struct kernel_pkey_params *params, |
158 | const void *in, const void *in2); |
159 | |
160 | /* internal fields */ |
161 | struct list_head link; /* link in types list */ |
162 | struct lock_class_key lock_class; /* key->sem lock class */ |
163 | } __randomize_layout; |
164 | |
165 | extern struct key_type key_type_keyring; |
166 | |
167 | extern int register_key_type(struct key_type *ktype); |
168 | extern void unregister_key_type(struct key_type *ktype); |
169 | |
170 | extern int key_payload_reserve(struct key *key, size_t datalen); |
171 | extern int key_instantiate_and_link(struct key *key, |
172 | const void *data, |
173 | size_t datalen, |
174 | struct key *keyring, |
175 | struct key *authkey); |
176 | extern int key_reject_and_link(struct key *key, |
177 | unsigned timeout, |
178 | unsigned error, |
179 | struct key *keyring, |
180 | struct key *authkey); |
181 | extern void complete_request_key(struct key *authkey, int error); |
182 | |
183 | static inline int key_negate_and_link(struct key *key, |
184 | unsigned timeout, |
185 | struct key *keyring, |
186 | struct key *authkey) |
187 | { |
188 | return key_reject_and_link(key, timeout, ENOKEY, keyring, authkey); |
189 | } |
190 | |
191 | extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep); |
192 | |
193 | #endif /* CONFIG_KEYS */ |
194 | #endif /* _LINUX_KEY_TYPE_H */ |
195 | |