1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* General persistent per-UID keyrings register |
3 | * |
4 | * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. |
5 | * Written by David Howells (dhowells@redhat.com) |
6 | */ |
7 | |
8 | #include <linux/user_namespace.h> |
9 | #include <linux/cred.h> |
10 | |
11 | #include "internal.h" |
12 | |
13 | unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */ |
14 | |
15 | /* |
16 | * Create the persistent keyring register for the current user namespace. |
17 | * |
18 | * Called with the namespace's sem locked for writing. |
19 | */ |
20 | static int key_create_persistent_register(struct user_namespace *ns) |
21 | { |
22 | struct key *reg = keyring_alloc(description: ".persistent_register" , |
23 | KUIDT_INIT(0), KGIDT_INIT(0), |
24 | current_cred(), |
25 | perm: ((KEY_POS_ALL & ~KEY_POS_SETATTR) | |
26 | KEY_USR_VIEW | KEY_USR_READ), |
27 | KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); |
28 | if (IS_ERR(ptr: reg)) |
29 | return PTR_ERR(ptr: reg); |
30 | |
31 | ns->persistent_keyring_register = reg; |
32 | return 0; |
33 | } |
34 | |
35 | /* |
36 | * Create the persistent keyring for the specified user. |
37 | * |
38 | * Called with the namespace's sem locked for writing. |
39 | */ |
40 | static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid, |
41 | struct keyring_index_key *index_key) |
42 | { |
43 | struct key *persistent; |
44 | key_ref_t reg_ref, persistent_ref; |
45 | |
46 | if (!ns->persistent_keyring_register) { |
47 | long err = key_create_persistent_register(ns); |
48 | if (err < 0) |
49 | return ERR_PTR(error: err); |
50 | } else { |
51 | reg_ref = make_key_ref(key: ns->persistent_keyring_register, possession: true); |
52 | persistent_ref = find_key_to_update(keyring_ref: reg_ref, index_key); |
53 | if (persistent_ref) |
54 | return persistent_ref; |
55 | } |
56 | |
57 | persistent = keyring_alloc(description: index_key->description, |
58 | uid, INVALID_GID, current_cred(), |
59 | perm: ((KEY_POS_ALL & ~KEY_POS_SETATTR) | |
60 | KEY_USR_VIEW | KEY_USR_READ), |
61 | KEY_ALLOC_NOT_IN_QUOTA, NULL, |
62 | dest: ns->persistent_keyring_register); |
63 | if (IS_ERR(ptr: persistent)) |
64 | return ERR_CAST(ptr: persistent); |
65 | |
66 | return make_key_ref(key: persistent, possession: true); |
67 | } |
68 | |
69 | /* |
70 | * Get the persistent keyring for a specific UID and link it to the nominated |
71 | * keyring. |
72 | */ |
73 | static long key_get_persistent(struct user_namespace *ns, kuid_t uid, |
74 | key_ref_t dest_ref) |
75 | { |
76 | struct keyring_index_key index_key; |
77 | struct key *persistent; |
78 | key_ref_t reg_ref, persistent_ref; |
79 | char buf[32]; |
80 | long ret; |
81 | |
82 | /* Look in the register if it exists */ |
83 | memset(&index_key, 0, sizeof(index_key)); |
84 | index_key.type = &key_type_keyring; |
85 | index_key.description = buf; |
86 | index_key.desc_len = sprintf(buf, fmt: "_persistent.%u" , from_kuid(to: ns, uid)); |
87 | key_set_index_key(index_key: &index_key); |
88 | |
89 | if (ns->persistent_keyring_register) { |
90 | reg_ref = make_key_ref(key: ns->persistent_keyring_register, possession: true); |
91 | down_read(sem: &ns->keyring_sem); |
92 | persistent_ref = find_key_to_update(keyring_ref: reg_ref, index_key: &index_key); |
93 | up_read(sem: &ns->keyring_sem); |
94 | |
95 | if (persistent_ref) |
96 | goto found; |
97 | } |
98 | |
99 | /* It wasn't in the register, so we'll need to create it. We might |
100 | * also need to create the register. |
101 | */ |
102 | down_write(sem: &ns->keyring_sem); |
103 | persistent_ref = key_create_persistent(ns, uid, index_key: &index_key); |
104 | up_write(sem: &ns->keyring_sem); |
105 | if (!IS_ERR(ptr: persistent_ref)) |
106 | goto found; |
107 | |
108 | return PTR_ERR(ptr: persistent_ref); |
109 | |
110 | found: |
111 | ret = key_task_permission(key_ref: persistent_ref, current_cred(), need_perm: KEY_NEED_LINK); |
112 | if (ret == 0) { |
113 | persistent = key_ref_to_ptr(key_ref: persistent_ref); |
114 | ret = key_link(keyring: key_ref_to_ptr(key_ref: dest_ref), key: persistent); |
115 | if (ret == 0) { |
116 | key_set_timeout(persistent, persistent_keyring_expiry); |
117 | ret = persistent->serial; |
118 | } |
119 | } |
120 | |
121 | key_ref_put(key_ref: persistent_ref); |
122 | return ret; |
123 | } |
124 | |
125 | /* |
126 | * Get the persistent keyring for a specific UID and link it to the nominated |
127 | * keyring. |
128 | */ |
129 | long keyctl_get_persistent(uid_t _uid, key_serial_t destid) |
130 | { |
131 | struct user_namespace *ns = current_user_ns(); |
132 | key_ref_t dest_ref; |
133 | kuid_t uid; |
134 | long ret; |
135 | |
136 | /* -1 indicates the current user */ |
137 | if (_uid == (uid_t)-1) { |
138 | uid = current_uid(); |
139 | } else { |
140 | uid = make_kuid(from: ns, uid: _uid); |
141 | if (!uid_valid(uid)) |
142 | return -EINVAL; |
143 | |
144 | /* You can only see your own persistent cache if you're not |
145 | * sufficiently privileged. |
146 | */ |
147 | if (!uid_eq(left: uid, current_uid()) && |
148 | !uid_eq(left: uid, current_euid()) && |
149 | !ns_capable(ns, CAP_SETUID)) |
150 | return -EPERM; |
151 | } |
152 | |
153 | /* There must be a destination keyring */ |
154 | dest_ref = lookup_user_key(id: destid, flags: KEY_LOOKUP_CREATE, need_perm: KEY_NEED_WRITE); |
155 | if (IS_ERR(ptr: dest_ref)) |
156 | return PTR_ERR(ptr: dest_ref); |
157 | if (key_ref_to_ptr(key_ref: dest_ref)->type != &key_type_keyring) { |
158 | ret = -ENOTDIR; |
159 | goto out_put_dest; |
160 | } |
161 | |
162 | ret = key_get_persistent(ns, uid, dest_ref); |
163 | |
164 | out_put_dest: |
165 | key_ref_put(key_ref: dest_ref); |
166 | return ret; |
167 | } |
168 | |