key.c source code [linux/security/keys/key.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/ Basic authentication token and access key management*
3	*
4	* Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved.
5	* Written by David Howells (dhowells@redhat.com)
6	*/
7
8	#include <linux/export.h>
9	#include <linux/init.h>
10	#include <linux/poison.h>
11	#include <linux/sched.h>
12	#include <linux/slab.h>
13	#include <linux/security.h>
14	#include <linux/workqueue.h>
15	#include <linux/random.h>
16	#include <linux/err.h>
17	#include "internal.h"
18
19	struct kmem_cache *key_jar;
20	struct rb_root key_serial_tree; / tree of keys indexed by serial /
21	DEFINE_SPINLOCK(key_serial_lock);
22
23	struct rb_root key_user_tree; / tree of quota records indexed by UID /
24	DEFINE_SPINLOCK(key_user_lock);
25
26	unsigned int key_quota_root_maxkeys = `1000000`; / root's key count quota /
27	unsigned int key_quota_root_maxbytes = `25000000`; / root's key space quota /
28	unsigned int key_quota_maxkeys = `200`; / general key count quota /
29	unsigned int key_quota_maxbytes = `20000`; / general key space quota /
30
31	static LIST_HEAD(key_types_list);
32	static DECLARE_RWSEM(key_types_sem);
33
34	/ We serialise key instantiation and link /
35	DEFINE_MUTEX(key_construction_mutex);
36
37	#ifdef KEY_DEBUGGING
38	void __key_check(const struct key *key)
39	{
40	printk("__key_check: key %p {%08x} should be {%08x}\n",
41	key, key->magic, KEY_DEBUG_MAGIC);
42	BUG();
43	}
44	#endif
45
46	/*
47	* Get the key quota record for a user, allocating a new record if one doesn't
48	* already exist.
49	*/
50	struct key_user *key_user_lookup(kuid_t uid)
51	{
52	struct key_user candidate = NULL, user;
53	struct rb_node parent, *p;
54
55	try_again:
56	parent = NULL;
57	p = &key_user_tree.rb_node;
58	spin_lock(lock: &key_user_lock);
59
60	/ search the tree for a user record with a matching UID /
61	while (*p) {
62	parent = *p;
63	user = rb_entry(parent, struct key_user, node);
64
65	if (uid_lt(left: uid, right: user->uid))
66	p = &(*p)->rb_left;
67	else if (uid_gt(left: uid, right: user->uid))
68	p = &(*p)->rb_right;
69	else
70	goto found;
71	}
72
73	/ if we get here, we failed to find a match in the tree /
74	if (!candidate) {
75	/ allocate a candidate user record if we don't already have*
76	* one */
77	spin_unlock(lock: &key_user_lock);
78
79	user = NULL;
80	candidate = kmalloc(size: sizeof(struct key_user), GFP_KERNEL);
81	if (unlikely(!candidate))
82	goto out;
83
84	/ the allocation may have scheduled, so we need to repeat the*
85	* search lest someone else added the record whilst we were
86	* asleep */
87	goto try_again;
88	}
89
90	/ if we get here, then the user record still hadn't appeared on the*
91	* second pass - so we use the candidate record */
92	refcount_set(r: &candidate->usage, n: `1`);
93	atomic_set(v: &candidate->nkeys, i: `0`);
94	atomic_set(v: &candidate->nikeys, i: `0`);
95	candidate->uid = uid;
96	candidate->qnkeys = `0`;
97	candidate->qnbytes = `0`;
98	spin_lock_init(&candidate->lock);
99	mutex_init(&candidate->cons_lock);
100
101	rb_link_node(node: &candidate->node, parent, rb_link: p);
102	rb_insert_color(&candidate->node, &key_user_tree);
103	spin_unlock(lock: &key_user_lock);
104	user = candidate;
105	goto out;
106
107	/ okay - we found a user record for this UID /
108	found:
109	refcount_inc(r: &user->usage);
110	spin_unlock(lock: &key_user_lock);
111	kfree(objp: candidate);
112	out:
113	return user;
114	}
115
116	/*
117	* Dispose of a user structure
118	*/
119	void key_user_put(struct key_user *user)
120	{
121	if (refcount_dec_and_lock(r: &user->usage, lock: &key_user_lock)) {
122	rb_erase(&user->node, &key_user_tree);
123	spin_unlock(lock: &key_user_lock);
124
125	kfree(objp: user);
126	}
127	}
128
129	/*
130	* Allocate a serial number for a key. These are assigned randomly to avoid
131	* security issues through covert channel problems.
132	*/
133	static inline void key_alloc_serial(struct key *key)
134	{
135	struct rb_node parent, *p;
136	struct key *xkey;
137
138	/ propose a random serial number and look for a hole for it in the*
139	* serial number tree */
140	do {
141	get_random_bytes(buf: &key->serial, len: sizeof(key->serial));
142
143	key->serial >>= `1`; / negative numbers are not permitted /
144	} while (key->serial < `3`);
145
146	spin_lock(lock: &key_serial_lock);
147
148	attempt_insertion:
149	parent = NULL;
150	p = &key_serial_tree.rb_node;
151
152	while (*p) {
153	parent = *p;
154	xkey = rb_entry(parent, struct key, serial_node);
155
156	if (key->serial < xkey->serial)
157	p = &(*p)->rb_left;
158	else if (key->serial > xkey->serial)
159	p = &(*p)->rb_right;
160	else
161	goto serial_exists;
162	}
163
164	/ we've found a suitable hole - arrange for this key to occupy it /
165	rb_link_node(node: &key->serial_node, parent, rb_link: p);
166	rb_insert_color(&key->serial_node, &key_serial_tree);
167
168	spin_unlock(lock: &key_serial_lock);
169	return;
170
171	/ we found a key with the proposed serial number - walk the tree from*
172	* that point looking for the next unused serial number */
173	serial_exists:
174	for (;;) {
175	key->serial++;
176	if (key->serial < `3`) {
177	key->serial = `3`;
178	goto attempt_insertion;
179	}
180
181	parent = rb_next(parent);
182	if (!parent)
183	goto attempt_insertion;
184
185	xkey = rb_entry(parent, struct key, serial_node);
186	if (key->serial < xkey->serial)
187	goto attempt_insertion;
188	}
189	}
190
191	/**
192	* key_alloc - Allocate a key of the specified type.
193	* @type: The type of key to allocate.
194	* @desc: The key description to allow the key to be searched out.
195	* @uid: The owner of the new key.
196	* @gid: The group ID for the new key's group permissions.
197	* @cred: The credentials specifying UID namespace.
198	* @perm: The permissions mask of the new key.
199	* @flags: Flags specifying quota properties.
200	* @restrict_link: Optional link restriction for new keyrings.
201	*
202	* Allocate a key of the specified type with the attributes given. The key is
203	* returned in an uninstantiated state and the caller needs to instantiate the
204	* key before returning.
205	*
206	* The restrict_link structure (if not NULL) will be freed when the
207	* keyring is destroyed, so it must be dynamically allocated.
208	*
209	* The user's key count quota is updated to reflect the creation of the key and
210	* the user's key data quota has the default for the key type reserved. The
211	* instantiation function should amend this as necessary. If insufficient
212	* quota is available, -EDQUOT will be returned.
213	*
214	* The LSM security modules can prevent a key being created, in which case
215	* -EACCES will be returned.
216	*
217	* Returns a pointer to the new key if successful and an error code otherwise.
218	*
219	* Note that the caller needs to ensure the key type isn't uninstantiated.
220	* Internally this can be done by locking key_types_sem. Externally, this can
221	* be done by either never unregistering the key type, or making sure
222	* key_alloc() calls don't race with module unloading.
223	*/
224	struct key key_alloc(struct* key_type type, const* char *desc,
225	kuid_t uid, kgid_t gid, const struct cred *cred,
226	key_perm_t perm, unsigned long flags,
227	struct key_restriction *restrict_link)
228	{
229	struct key_user *user = NULL;
230	struct key *key;
231	size_t desclen, quotalen;
232	int ret;
233
234	key = ERR_PTR(error: -EINVAL);
235	if (!desc \|\| !*desc)
236	goto error;
237
238	if (type->vet_description) {
239	ret = type->vet_description(desc);
240	if (ret < `0`) {
241	key = ERR_PTR(error: ret);
242	goto error;
243	}
244	}
245
246	desclen = strlen(desc);
247	quotalen = desclen + `1` + type->def_datalen;
248
249	/ get hold of the key tracking for this user /
250	user = key_user_lookup(uid);
251	if (!user)
252	goto no_memory_1;
253
254	/ check that the user's quota permits allocation of another key and*
255	* its description */
256	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
257	unsigned maxkeys = uid_eq(left: uid, GLOBAL_ROOT_UID) ?
258	key_quota_root_maxkeys : key_quota_maxkeys;
259	unsigned maxbytes = uid_eq(left: uid, GLOBAL_ROOT_UID) ?
260	key_quota_root_maxbytes : key_quota_maxbytes;
261
262	spin_lock(lock: &user->lock);
263	if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
264	if (user->qnkeys + `1` > maxkeys \|\|
265	user->qnbytes + quotalen > maxbytes \|\|
266	user->qnbytes + quotalen < user->qnbytes)
267	goto no_quota;
268	}
269
270	user->qnkeys++;
271	user->qnbytes += quotalen;
272	spin_unlock(lock: &user->lock);
273	}
274
275	/ allocate and initialise the key and its description /
276	key = kmem_cache_zalloc(k: key_jar, GFP_KERNEL);
277	if (!key)
278	goto no_memory_2;
279
280	key->index_key.desc_len = desclen;
281	key->index_key.description = kmemdup(p: desc, size: desclen + `1`, GFP_KERNEL);
282	if (!key->index_key.description)
283	goto no_memory_3;
284	key->index_key.type = type;
285	key_set_index_key(index_key: &key->index_key);
286
287	refcount_set(r: &key->usage, n: `1`);
288	init_rwsem(&key->sem);
289	lockdep_set_class(&key->sem, &type->lock_class);
290	key->user = user;
291	key->quotalen = quotalen;
292	key->datalen = type->def_datalen;
293	key->uid = uid;
294	key->gid = gid;
295	key->perm = perm;
296	key->expiry = TIME64_MAX;
297	key->restrict_link = restrict_link;
298	key->last_used_at = ktime_get_real_seconds();
299
300	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
301	key->flags \|= `1` << KEY_FLAG_IN_QUOTA;
302	if (flags & KEY_ALLOC_BUILT_IN)
303	key->flags \|= `1` << KEY_FLAG_BUILTIN;
304	if (flags & KEY_ALLOC_UID_KEYRING)
305	key->flags \|= `1` << KEY_FLAG_UID_KEYRING;
306	if (flags & KEY_ALLOC_SET_KEEP)
307	key->flags \|= `1` << KEY_FLAG_KEEP;
308
309	#ifdef KEY_DEBUGGING
310	key->magic = KEY_DEBUG_MAGIC;
311	#endif
312
313	/ let the security module know about the key /
314	ret = security_key_alloc(key, cred, flags);
315	if (ret < `0`)
316	goto security_error;
317
318	/ publish the key by giving it a serial number /
319	refcount_inc(r: &key->domain_tag->usage);
320	atomic_inc(v: &user->nkeys);
321	key_alloc_serial(key);
322
323	error:
324	return key;
325
326	security_error:
327	kfree(objp: key->description);
328	kmem_cache_free(s: key_jar, objp: key);
329	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
330	spin_lock(lock: &user->lock);
331	user->qnkeys--;
332	user->qnbytes -= quotalen;
333	spin_unlock(lock: &user->lock);
334	}
335	key_user_put(user);
336	key = ERR_PTR(error: ret);
337	goto error;
338
339	no_memory_3:
340	kmem_cache_free(s: key_jar, objp: key);
341	no_memory_2:
342	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
343	spin_lock(lock: &user->lock);
344	user->qnkeys--;
345	user->qnbytes -= quotalen;
346	spin_unlock(lock: &user->lock);
347	}
348	key_user_put(user);
349	no_memory_1:
350	key = ERR_PTR(error: -ENOMEM);
351	goto error;
352
353	no_quota:
354	spin_unlock(lock: &user->lock);
355	key_user_put(user);
356	key = ERR_PTR(error: -EDQUOT);
357	goto error;
358	}
359	EXPORT_SYMBOL(key_alloc);
360
361	/**
362	* key_payload_reserve - Adjust data quota reservation for the key's payload
363	* @key: The key to make the reservation for.
364	* @datalen: The amount of data payload the caller now wants.
365	*
366	* Adjust the amount of the owning user's key data quota that a key reserves.
367	* If the amount is increased, then -EDQUOT may be returned if there isn't
368	* enough free quota available.
369	*
370	* If successful, 0 is returned.
371	*/
372	int key_payload_reserve(struct key *key, size_t datalen)
373	{
374	int delta = (int)datalen - key->datalen;
375	int ret = `0`;
376
377	key_check(key);
378
379	/ contemplate the quota adjustment /
380	if (delta != `0` && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
381	unsigned maxbytes = uid_eq(left: key->user->uid, GLOBAL_ROOT_UID) ?
382	key_quota_root_maxbytes : key_quota_maxbytes;
383
384	spin_lock(lock: &key->user->lock);
385
386	if (delta > `0` &&
387	(key->user->qnbytes + delta > maxbytes \|\|
388	key->user->qnbytes + delta < key->user->qnbytes)) {
389	ret = -EDQUOT;
390	}
391	else {
392	key->user->qnbytes += delta;
393	key->quotalen += delta;
394	}
395	spin_unlock(lock: &key->user->lock);
396	}
397
398	/ change the recorded data length if that didn't generate an error /
399	if (ret == `0`)
400	key->datalen = datalen;
401
402	return ret;
403	}
404	EXPORT_SYMBOL(key_payload_reserve);
405
406	/*
407	* Change the key state to being instantiated.
408	*/
409	static void mark_key_instantiated(struct key key, int* reject_error)
410	{
411	/ Commit the payload before setting the state; barrier versus*
412	* key_read_state().
413	*/
414	smp_store_release(&key->state,
415	(reject_error < `0`) ? reject_error : KEY_IS_POSITIVE);
416	}
417
418	/*
419	* Instantiate a key and link it into the target keyring atomically. Must be
420	* called with the target keyring's semaphore writelocked. The target key's
421	* semaphore need not be locked as instantiation is serialised by
422	* key_construction_mutex.
423	*/
424	static int __key_instantiate_and_link(struct key *key,
425	struct key_preparsed_payload *prep,
426	struct key *keyring,
427	struct key *authkey,
428	struct assoc_array_edit **_edit)
429	{
430	int ret, awaken;
431
432	key_check(key);
433	key_check(keyring);
434
435	awaken = `0`;
436	ret = -EBUSY;
437
438	mutex_lock(&key_construction_mutex);
439
440	/ can't instantiate twice /
441	if (key->state == KEY_IS_UNINSTANTIATED) {
442	/ instantiate the key /
443	ret = key->type->instantiate(key, prep);
444
445	if (ret == `0`) {
446	/ mark the key as being instantiated /
447	atomic_inc(v: &key->user->nikeys);
448	mark_key_instantiated(key, reject_error: `0`);
449	notify_key(key, subtype: NOTIFY_KEY_INSTANTIATED, aux: `0`);
450
451	if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, addr: &key->flags))
452	awaken = `1`;
453
454	/ and link it into the destination keyring /
455	if (keyring) {
456	if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
457	set_bit(KEY_FLAG_KEEP, addr: &key->flags);
458
459	__key_link(keyring, key, _edit);
460	}
461
462	/ disable the authorisation key /
463	if (authkey)
464	key_invalidate(key: authkey);
465
466	key_set_expiry(key, expiry: prep->expiry);
467	}
468	}
469
470	mutex_unlock(lock: &key_construction_mutex);
471
472	/ wake up anyone waiting for a key to be constructed /
473	if (awaken)
474	wake_up_bit(word: &key->flags, KEY_FLAG_USER_CONSTRUCT);
475
476	return ret;
477	}
478
479	/**
480	* key_instantiate_and_link - Instantiate a key and link it into the keyring.
481	* @key: The key to instantiate.
482	* @data: The data to use to instantiate the keyring.
483	* @datalen: The length of @data.
484	* @keyring: Keyring to create a link in on success (or NULL).
485	* @authkey: The authorisation token permitting instantiation.
486	*
487	* Instantiate a key that's in the uninstantiated state using the provided data
488	* and, if successful, link it in to the destination keyring if one is
489	* supplied.
490	*
491	* If successful, 0 is returned, the authorisation token is revoked and anyone
492	* waiting for the key is woken up. If the key was already instantiated,
493	* -EBUSY will be returned.
494	*/
495	int key_instantiate_and_link(struct key *key,
496	const void *data,
497	size_t datalen,
498	struct key *keyring,
499	struct key *authkey)
500	{
501	struct key_preparsed_payload prep;
502	struct assoc_array_edit *edit = NULL;
503	int ret;
504
505	memset(&prep, `0`, sizeof(prep));
506	prep.orig_description = key->description;
507	prep.data = data;
508	prep.datalen = datalen;
509	prep.quotalen = key->type->def_datalen;
510	prep.expiry = TIME64_MAX;
511	if (key->type->preparse) {
512	ret = key->type->preparse(&prep);
513	if (ret < `0`)
514	goto error;
515	}
516
517	if (keyring) {
518	ret = __key_link_lock(keyring, index_key: &key->index_key);
519	if (ret < `0`)
520	goto error;
521
522	ret = __key_link_begin(keyring, index_key: &key->index_key, edit: &edit);
523	if (ret < `0`)
524	goto error_link_end;
525
526	if (keyring->restrict_link && keyring->restrict_link->check) {
527	struct key_restriction *keyres = keyring->restrict_link;
528
529	ret = keyres->check(keyring, key->type, &prep.payload,
530	keyres->key);
531	if (ret < `0`)
532	goto error_link_end;
533	}
534	}
535
536	ret = __key_instantiate_and_link(key, prep: &prep, keyring, authkey, edit: &edit);
537
538	error_link_end:
539	if (keyring)
540	__key_link_end(keyring, index_key: &key->index_key, edit);
541
542	error:
543	if (key->type->preparse)
544	key->type->free_preparse(&prep);
545	return ret;
546	}
547
548	EXPORT_SYMBOL(key_instantiate_and_link);
549
550	/**
551	* key_reject_and_link - Negatively instantiate a key and link it into the keyring.
552	* @key: The key to instantiate.
553	* @timeout: The timeout on the negative key.
554	* @error: The error to return when the key is hit.
555	* @keyring: Keyring to create a link in on success (or NULL).
556	* @authkey: The authorisation token permitting instantiation.
557	*
558	* Negatively instantiate a key that's in the uninstantiated state and, if
559	* successful, set its timeout and stored error and link it in to the
560	* destination keyring if one is supplied. The key and any links to the key
561	* will be automatically garbage collected after the timeout expires.
562	*
563	* Negative keys are used to rate limit repeated request_key() calls by causing
564	* them to return the stored error code (typically ENOKEY) until the negative
565	* key expires.
566	*
567	* If successful, 0 is returned, the authorisation token is revoked and anyone
568	* waiting for the key is woken up. If the key was already instantiated,
569	* -EBUSY will be returned.
570	*/
571	int key_reject_and_link(struct key *key,
572	unsigned timeout,
573	unsigned error,
574	struct key *keyring,
575	struct key *authkey)
576	{
577	struct assoc_array_edit *edit = NULL;
578	int ret, awaken, link_ret = `0`;
579
580	key_check(key);
581	key_check(keyring);
582
583	awaken = `0`;
584	ret = -EBUSY;
585
586	if (keyring) {
587	if (keyring->restrict_link)
588	return -EPERM;
589
590	link_ret = __key_link_lock(keyring, index_key: &key->index_key);
591	if (link_ret == `0`) {
592	link_ret = __key_link_begin(keyring, index_key: &key->index_key, edit: &edit);
593	if (link_ret < `0`)
594	__key_link_end(keyring, index_key: &key->index_key, edit);
595	}
596	}
597
598	mutex_lock(&key_construction_mutex);
599
600	/ can't instantiate twice /
601	if (key->state == KEY_IS_UNINSTANTIATED) {
602	/ mark the key as being negatively instantiated /
603	atomic_inc(v: &key->user->nikeys);
604	mark_key_instantiated(key, reject_error: -error);
605	notify_key(key, subtype: NOTIFY_KEY_INSTANTIATED, aux: -error);
606	key_set_expiry(key, expiry: ktime_get_real_seconds() + timeout);
607
608	if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, addr: &key->flags))
609	awaken = `1`;
610
611	ret = `0`;
612
613	/ and link it into the destination keyring /
614	if (keyring && link_ret == `0`)
615	__key_link(keyring, key, edit: &edit);
616
617	/ disable the authorisation key /
618	if (authkey)
619	key_invalidate(key: authkey);
620	}
621
622	mutex_unlock(lock: &key_construction_mutex);
623
624	if (keyring && link_ret == `0`)
625	__key_link_end(keyring, index_key: &key->index_key, edit);
626
627	/ wake up anyone waiting for a key to be constructed /
628	if (awaken)
629	wake_up_bit(word: &key->flags, KEY_FLAG_USER_CONSTRUCT);
630
631	return ret == `0` ? link_ret : ret;
632	}
633	EXPORT_SYMBOL(key_reject_and_link);
634
635	/**
636	* key_put - Discard a reference to a key.
637	* @key: The key to discard a reference from.
638	*
639	* Discard a reference to a key, and when all the references are gone, we
640	* schedule the cleanup task to come and pull it out of the tree in process
641	* context at some later time.
642	*/
643	void key_put(struct key *key)
644	{
645	if (key) {
646	key_check(key);
647
648	if (refcount_dec_and_test(r: &key->usage))
649	schedule_work(work: &key_gc_work);
650	}
651	}
652	EXPORT_SYMBOL(key_put);
653
654	/*
655	* Find a key by its serial number.
656	*/
657	struct key *key_lookup(key_serial_t id)
658	{
659	struct rb_node *n;
660	struct key *key;
661
662	spin_lock(lock: &key_serial_lock);
663
664	/ search the tree for the specified key /
665	n = key_serial_tree.rb_node;
666	while (n) {
667	key = rb_entry(n, struct key, serial_node);
668
669	if (id < key->serial)
670	n = n->rb_left;
671	else if (id > key->serial)
672	n = n->rb_right;
673	else
674	goto found;
675	}
676
677	not_found:
678	key = ERR_PTR(error: -ENOKEY);
679	goto error;
680
681	found:
682	/ A key is allowed to be looked up only if someone still owns a*
683	* reference to it - otherwise it's awaiting the gc.
684	*/
685	if (!refcount_inc_not_zero(r: &key->usage))
686	goto not_found;
687
688	error:
689	spin_unlock(lock: &key_serial_lock);
690	return key;
691	}
692	EXPORT_SYMBOL(key_lookup);
693
694	/*
695	* Find and lock the specified key type against removal.
696	*
697	* We return with the sem read-locked if successful. If the type wasn't
698	* available -ENOKEY is returned instead.
699	*/
700	struct key_type key_type_lookup(const* char *type)
701	{
702	struct key_type *ktype;
703
704	down_read(sem: &key_types_sem);
705
706	/ look up the key type to see if it's one of the registered kernel*
707	* types */
708	list_for_each_entry(ktype, &key_types_list, link) {
709	if (strcmp(ktype->name, type) == `0`)
710	goto found_kernel_type;
711	}
712
713	up_read(sem: &key_types_sem);
714	ktype = ERR_PTR(error: -ENOKEY);
715
716	found_kernel_type:
717	return ktype;
718	}
719
720	void key_set_timeout(struct key key, unsigned* timeout)
721	{
722	time64_t expiry = TIME64_MAX;
723
724	/ make the changes with the locks held to prevent races /
725	down_write(sem: &key->sem);
726
727	if (timeout > `0`)
728	expiry = ktime_get_real_seconds() + timeout;
729	key_set_expiry(key, expiry);
730
731	up_write(sem: &key->sem);
732	}
733	EXPORT_SYMBOL_GPL(key_set_timeout);
734
735	/*
736	* Unlock a key type locked by key_type_lookup().
737	*/
738	void key_type_put(struct key_type *ktype)
739	{
740	up_read(sem: &key_types_sem);
741	}
742
743	/*
744	* Attempt to update an existing key.
745	*
746	* The key is given to us with an incremented refcount that we need to discard
747	* if we get an error.
748	*/
749	static inline key_ref_t __key_update(key_ref_t key_ref,
750	struct key_preparsed_payload *prep)
751	{
752	struct key *key = key_ref_to_ptr(key_ref);
753	int ret;
754
755	/ need write permission on the key to update it /
756	ret = key_permission(key_ref, need_perm: KEY_NEED_WRITE);
757	if (ret < `0`)
758	goto error;
759
760	ret = -EEXIST;
761	if (!key->type->update)
762	goto error;
763
764	down_write(sem: &key->sem);
765
766	ret = key->type->update(key, prep);
767	if (ret == `0`) {
768	/ Updating a negative key positively instantiates it /
769	mark_key_instantiated(key, reject_error: `0`);
770	notify_key(key, subtype: NOTIFY_KEY_UPDATED, aux: `0`);
771	}
772
773	up_write(sem: &key->sem);
774
775	if (ret < `0`)
776	goto error;
777	out:
778	return key_ref;
779
780	error:
781	key_put(key);
782	key_ref = ERR_PTR(error: ret);
783	goto out;
784	}
785
786	/*
787	* Create or potentially update a key. The combined logic behind
788	* key_create_or_update() and key_create()
789	*/
790	static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
791	const char *type,
792	const char *description,
793	const void *payload,
794	size_t plen,
795	key_perm_t perm,
796	unsigned long flags,
797	bool allow_update)
798	{
799	struct keyring_index_key index_key = {
800	.description = description,
801	};
802	struct key_preparsed_payload prep;
803	struct assoc_array_edit *edit = NULL;
804	const struct cred *cred = current_cred();
805	struct key keyring, key = NULL;
806	key_ref_t key_ref;
807	int ret;
808	struct key_restriction *restrict_link = NULL;
809
810	/ look up the key type to see if it's one of the registered kernel*
811	* types */
812	index_key.type = key_type_lookup(type);
813	if (IS_ERR(ptr: index_key.type)) {
814	key_ref = ERR_PTR(error: -ENODEV);
815	goto error;
816	}
817
818	key_ref = ERR_PTR(error: -EINVAL);
819	if (!index_key.type->instantiate \|\|
820	(!index_key.description && !index_key.type->preparse))
821	goto error_put_type;
822
823	keyring = key_ref_to_ptr(key_ref: keyring_ref);
824
825	key_check(keyring);
826
827	if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION))
828	restrict_link = keyring->restrict_link;
829
830	key_ref = ERR_PTR(error: -ENOTDIR);
831	if (keyring->type != &key_type_keyring)
832	goto error_put_type;
833
834	memset(&prep, `0`, sizeof(prep));
835	prep.orig_description = description;
836	prep.data = payload;
837	prep.datalen = plen;
838	prep.quotalen = index_key.type->def_datalen;
839	prep.expiry = TIME64_MAX;
840	if (index_key.type->preparse) {
841	ret = index_key.type->preparse(&prep);
842	if (ret < `0`) {
843	key_ref = ERR_PTR(error: ret);
844	goto error_free_prep;
845	}
846	if (!index_key.description)
847	index_key.description = prep.description;
848	key_ref = ERR_PTR(error: -EINVAL);
849	if (!index_key.description)
850	goto error_free_prep;
851	}
852	index_key.desc_len = strlen(index_key.description);
853	key_set_index_key(index_key: &index_key);
854
855	ret = __key_link_lock(keyring, index_key: &index_key);
856	if (ret < `0`) {
857	key_ref = ERR_PTR(error: ret);
858	goto error_free_prep;
859	}
860
861	ret = __key_link_begin(keyring, index_key: &index_key, edit: &edit);
862	if (ret < `0`) {
863	key_ref = ERR_PTR(error: ret);
864	goto error_link_end;
865	}
866
867	if (restrict_link && restrict_link->check) {
868	ret = restrict_link->check(keyring, index_key.type,
869	&prep.payload, restrict_link->key);
870	if (ret < `0`) {
871	key_ref = ERR_PTR(error: ret);
872	goto error_link_end;
873	}
874	}
875
876	/ if we're going to allocate a new key, we're going to have*
877	* to modify the keyring */
878	ret = key_permission(key_ref: keyring_ref, need_perm: KEY_NEED_WRITE);
879	if (ret < `0`) {
880	key_ref = ERR_PTR(error: ret);
881	goto error_link_end;
882	}
883
884	/ if it's requested and possible to update this type of key, search*
885	* for an existing key of the same type and description in the
886	* destination keyring and update that instead if possible
887	*/
888	if (allow_update) {
889	if (index_key.type->update) {
890	key_ref = find_key_to_update(keyring_ref, index_key: &index_key);
891	if (key_ref)
892	goto found_matching_key;
893	}
894	} else {
895	key_ref = find_key_to_update(keyring_ref, index_key: &index_key);
896	if (key_ref) {
897	key_ref_put(key_ref);
898	key_ref = ERR_PTR(error: -EEXIST);
899	goto error_link_end;
900	}
901	}
902
903	/ if the client doesn't provide, decide on the permissions we want /
904	if (perm == KEY_PERM_UNDEF) {
905	perm = KEY_POS_VIEW \| KEY_POS_SEARCH \| KEY_POS_LINK \| KEY_POS_SETATTR;
906	perm \|= KEY_USR_VIEW;
907
908	if (index_key.type->read)
909	perm \|= KEY_POS_READ;
910
911	if (index_key.type == &key_type_keyring \|\|
912	index_key.type->update)
913	perm \|= KEY_POS_WRITE;
914	}
915
916	/ allocate a new key /
917	key = key_alloc(index_key.type, index_key.description,
918	cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
919	if (IS_ERR(ptr: key)) {
920	key_ref = ERR_CAST(ptr: key);
921	goto error_link_end;
922	}
923
924	/ instantiate it and link it into the target keyring /
925	ret = __key_instantiate_and_link(key, prep: &prep, keyring, NULL, edit: &edit);
926	if (ret < `0`) {
927	key_put(key);
928	key_ref = ERR_PTR(error: ret);
929	goto error_link_end;
930	}
931
932	security_key_post_create_or_update(keyring, key, payload, payload_len: plen, flags,
933	create: true);
934
935	key_ref = make_key_ref(key, possession: is_key_possessed(key_ref: keyring_ref));
936
937	error_link_end:
938	__key_link_end(keyring, index_key: &index_key, edit);
939	error_free_prep:
940	if (index_key.type->preparse)
941	index_key.type->free_preparse(&prep);
942	error_put_type:
943	key_type_put(ktype: index_key.type);
944	error:
945	return key_ref;
946
947	found_matching_key:
948	/ we found a matching key, so we're going to try to update it*
949	* - we can drop the locks first as we have the key pinned
950	*/
951	__key_link_end(keyring, index_key: &index_key, edit);
952
953	key = key_ref_to_ptr(key_ref);
954	if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) {
955	ret = wait_for_key_construction(key, intr: true);
956	if (ret < `0`) {
957	key_ref_put(key_ref);
958	key_ref = ERR_PTR(error: ret);
959	goto error_free_prep;
960	}
961	}
962
963	key_ref = __key_update(key_ref, prep: &prep);
964
965	if (!IS_ERR(ptr: key_ref))
966	security_key_post_create_or_update(keyring, key, payload, payload_len: plen,
967	flags, create: false);
968
969	goto error_free_prep;
970	}
971
972	/**
973	* key_create_or_update - Update or create and instantiate a key.
974	* @keyring_ref: A pointer to the destination keyring with possession flag.
975	* @type: The type of key.
976	* @description: The searchable description for the key.
977	* @payload: The data to use to instantiate or update the key.
978	* @plen: The length of @payload.
979	* @perm: The permissions mask for a new key.
980	* @flags: The quota flags for a new key.
981	*
982	* Search the destination keyring for a key of the same description and if one
983	* is found, update it, otherwise create and instantiate a new one and create a
984	* link to it from that keyring.
985	*
986	* If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
987	* concocted.
988	*
989	* Returns a pointer to the new key if successful, -ENODEV if the key type
990	* wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
991	* caller isn't permitted to modify the keyring or the LSM did not permit
992	* creation of the key.
993	*
994	* On success, the possession flag from the keyring ref will be tacked on to
995	* the key ref before it is returned.
996	*/
997	key_ref_t key_create_or_update(key_ref_t keyring_ref,
998	const char *type,
999	const char *description,
1000	const void *payload,
1001	size_t plen,
1002	key_perm_t perm,
1003	unsigned long flags)
1004	{
1005	return __key_create_or_update(keyring_ref, type, description, payload,
1006	plen, perm, flags, allow_update: true);
1007	}
1008	EXPORT_SYMBOL(key_create_or_update);
1009
1010	/**
1011	* key_create - Create and instantiate a key.
1012	* @keyring_ref: A pointer to the destination keyring with possession flag.
1013	* @type: The type of key.
1014	* @description: The searchable description for the key.
1015	* @payload: The data to use to instantiate or update the key.
1016	* @plen: The length of @payload.
1017	* @perm: The permissions mask for a new key.
1018	* @flags: The quota flags for a new key.
1019	*
1020	* Create and instantiate a new key and link to it from the destination keyring.
1021	*
1022	* If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
1023	* concocted.
1024	*
1025	* Returns a pointer to the new key if successful, -EEXIST if a key with the
1026	* same description already exists, -ENODEV if the key type wasn't available,
1027	* -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't
1028	* permitted to modify the keyring or the LSM did not permit creation of the
1029	* key.
1030	*
1031	* On success, the possession flag from the keyring ref will be tacked on to
1032	* the key ref before it is returned.
1033	*/
1034	key_ref_t key_create(key_ref_t keyring_ref,
1035	const char *type,
1036	const char *description,
1037	const void *payload,
1038	size_t plen,
1039	key_perm_t perm,
1040	unsigned long flags)
1041	{
1042	return __key_create_or_update(keyring_ref, type, description, payload,
1043	plen, perm, flags, allow_update: false);
1044	}
1045	EXPORT_SYMBOL(key_create);
1046
1047	/**
1048	* key_update - Update a key's contents.
1049	* @key_ref: The pointer (plus possession flag) to the key.
1050	* @payload: The data to be used to update the key.
1051	* @plen: The length of @payload.
1052	*
1053	* Attempt to update the contents of a key with the given payload data. The
1054	* caller must be granted Write permission on the key. Negative keys can be
1055	* instantiated by this method.
1056	*
1057	* Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key
1058	* type does not support updating. The key type may return other errors.
1059	*/
1060	int key_update(key_ref_t key_ref, const void *payload, size_t plen)
1061	{
1062	struct key_preparsed_payload prep;
1063	struct key *key = key_ref_to_ptr(key_ref);
1064	int ret;
1065
1066	key_check(key);
1067
1068	/ the key must be writable /
1069	ret = key_permission(key_ref, need_perm: KEY_NEED_WRITE);
1070	if (ret < `0`)
1071	return ret;
1072
1073	/ attempt to update it if supported /
1074	if (!key->type->update)
1075	return -EOPNOTSUPP;
1076
1077	memset(&prep, `0`, sizeof(prep));
1078	prep.data = payload;
1079	prep.datalen = plen;
1080	prep.quotalen = key->type->def_datalen;
1081	prep.expiry = TIME64_MAX;
1082	if (key->type->preparse) {
1083	ret = key->type->preparse(&prep);
1084	if (ret < `0`)
1085	goto error;
1086	}
1087
1088	down_write(sem: &key->sem);
1089
1090	ret = key->type->update(key, &prep);
1091	if (ret == `0`) {
1092	/ Updating a negative key positively instantiates it /
1093	mark_key_instantiated(key, reject_error: `0`);
1094	notify_key(key, subtype: NOTIFY_KEY_UPDATED, aux: `0`);
1095	}
1096
1097	up_write(sem: &key->sem);
1098
1099	error:
1100	if (key->type->preparse)
1101	key->type->free_preparse(&prep);
1102	return ret;
1103	}
1104	EXPORT_SYMBOL(key_update);
1105
1106	/**
1107	* key_revoke - Revoke a key.
1108	* @key: The key to be revoked.
1109	*
1110	* Mark a key as being revoked and ask the type to free up its resources. The
1111	* revocation timeout is set and the key and all its links will be
1112	* automatically garbage collected after key_gc_delay amount of time if they
1113	* are not manually dealt with first.
1114	*/
1115	void key_revoke(struct key *key)
1116	{
1117	time64_t time;
1118
1119	key_check(key);
1120
1121	/ make sure no one's trying to change or use the key when we mark it*
1122	* - we tell lockdep that we might nest because we might be revoking an
1123	* authorisation key whilst holding the sem on a key we've just
1124	* instantiated
1125	*/
1126	down_write_nested(sem: &key->sem, subclass: `1`);
1127	if (!test_and_set_bit(KEY_FLAG_REVOKED, addr: &key->flags)) {
1128	notify_key(key, subtype: NOTIFY_KEY_REVOKED, aux: `0`);
1129	if (key->type->revoke)
1130	key->type->revoke(key);
1131
1132	/ set the death time to no more than the expiry time /
1133	time = ktime_get_real_seconds();
1134	if (key->revoked_at == `0` \|\| key->revoked_at > time) {
1135	key->revoked_at = time;
1136	key_schedule_gc(gc_at: key->revoked_at + key_gc_delay);
1137	}
1138	}
1139
1140	up_write(sem: &key->sem);
1141	}
1142	EXPORT_SYMBOL(key_revoke);
1143
1144	/**
1145	* key_invalidate - Invalidate a key.
1146	* @key: The key to be invalidated.
1147	*
1148	* Mark a key as being invalidated and have it cleaned up immediately. The key
1149	* is ignored by all searches and other operations from this point.
1150	*/
1151	void key_invalidate(struct key *key)
1152	{
1153	kenter("%d", key_serial(key));
1154
1155	key_check(key);
1156
1157	if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
1158	down_write_nested(sem: &key->sem, subclass: `1`);
1159	if (!test_and_set_bit(KEY_FLAG_INVALIDATED, addr: &key->flags)) {
1160	notify_key(key, subtype: NOTIFY_KEY_INVALIDATED, aux: `0`);
1161	key_schedule_gc_links();
1162	}
1163	up_write(sem: &key->sem);
1164	}
1165	}
1166	EXPORT_SYMBOL(key_invalidate);
1167
1168	/**
1169	* generic_key_instantiate - Simple instantiation of a key from preparsed data
1170	* @key: The key to be instantiated
1171	* @prep: The preparsed data to load.
1172	*
1173	* Instantiate a key from preparsed data. We assume we can just copy the data
1174	* in directly and clear the old pointers.
1175	*
1176	* This can be pointed to directly by the key type instantiate op pointer.
1177	*/
1178	int generic_key_instantiate(struct key key, struct* key_preparsed_payload *prep)
1179	{
1180	int ret;
1181
1182	pr_devel("==>%s()\n", __func__);
1183
1184	ret = key_payload_reserve(key, prep->quotalen);
1185	if (ret == `0`) {
1186	rcu_assign_keypointer(key, prep->payload.data[`0`]);
1187	key->payload.data[`1`] = prep->payload.data[`1`];
1188	key->payload.data[`2`] = prep->payload.data[`2`];
1189	key->payload.data[`3`] = prep->payload.data[`3`];
1190	prep->payload.data[`0`] = NULL;
1191	prep->payload.data[`1`] = NULL;
1192	prep->payload.data[`2`] = NULL;
1193	prep->payload.data[`3`] = NULL;
1194	}
1195	pr_devel("<==%s() = %d\n", __func__, ret);
1196	return ret;
1197	}
1198	EXPORT_SYMBOL(generic_key_instantiate);
1199
1200	/**
1201	* register_key_type - Register a type of key.
1202	* @ktype: The new key type.
1203	*
1204	* Register a new key type.
1205	*
1206	* Returns 0 on success or -EEXIST if a type of this name already exists.
1207	*/
1208	int register_key_type(struct key_type *ktype)
1209	{
1210	struct key_type *p;
1211	int ret;
1212
1213	memset(&ktype->lock_class, `0`, sizeof(ktype->lock_class));
1214
1215	ret = -EEXIST;
1216	down_write(sem: &key_types_sem);
1217
1218	/ disallow key types with the same name /
1219	list_for_each_entry(p, &key_types_list, link) {
1220	if (strcmp(p->name, ktype->name) == `0`)
1221	goto out;
1222	}
1223
1224	/ store the type /
1225	list_add(new: &ktype->link, head: &key_types_list);
1226
1227	pr_notice("Key type %s registered\n", ktype->name);
1228	ret = `0`;
1229
1230	out:
1231	up_write(sem: &key_types_sem);
1232	return ret;
1233	}
1234	EXPORT_SYMBOL(register_key_type);
1235
1236	/**
1237	* unregister_key_type - Unregister a type of key.
1238	* @ktype: The key type.
1239	*
1240	* Unregister a key type and mark all the extant keys of this type as dead.
1241	* Those keys of this type are then destroyed to get rid of their payloads and
1242	* they and their links will be garbage collected as soon as possible.
1243	*/
1244	void unregister_key_type(struct key_type *ktype)
1245	{
1246	down_write(sem: &key_types_sem);
1247	list_del_init(entry: &ktype->link);
1248	downgrade_write(sem: &key_types_sem);
1249	key_gc_keytype(ktype);
1250	pr_notice("Key type %s unregistered\n", ktype->name);
1251	up_read(sem: &key_types_sem);
1252	}
1253	EXPORT_SYMBOL(unregister_key_type);
1254
1255	/*
1256	* Initialise the key management state.
1257	*/
1258	void __init key_init(void)
1259	{
1260	/ allocate a slab in which we can store keys /
1261	key_jar = kmem_cache_create(name: "key_jar", size: sizeof(struct key),
1262	align: `0`, SLAB_HWCACHE_ALIGN\|SLAB_PANIC, NULL);
1263
1264	/ add the special key types /
1265	list_add_tail(new: &key_type_keyring.link, head: &key_types_list);
1266	list_add_tail(new: &key_type_dead.link, head: &key_types_list);
1267	list_add_tail(new: &key_type_user.link, head: &key_types_list);
1268	list_add_tail(new: &key_type_logon.link, head: &key_types_list);
1269
1270	/ record the root user tracking /
1271	rb_link_node(node: &root_key_user.node,
1272	NULL,
1273	rb_link: &key_user_tree.rb_node);
1274
1275	rb_insert_color(&root_key_user.node,
1276	&key_user_tree);
1277	}
1278

source code of linux/security/keys/key.c