Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
awilliam
GitHub Repository: awilliam/linux-vfio
 Path: blob/master/security/keys/permission.c
10814 views
1
/* Key permission checking

2
 *

3
 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.

4
 * Written by David Howells ([email protected])

5
 *

6
 * This program is free software; you can redistribute it and/or

7
 * modify it under the terms of the GNU General Public License

8
 * as published by the Free Software Foundation; either version

9
 * 2 of the License, or (at your option) any later version.

10
 */

11


12
#include <linux/module.h>

13
#include <linux/security.h>

14
#include "internal.h"

15


16
/**

17
 * key_task_permission - Check a key can be used

18
 * @key_ref: The key to check.

19
 * @cred: The credentials to use.

20
 * @perm: The permissions to check for.

21
 *

22
 * Check to see whether permission is granted to use a key in the desired way,

23
 * but permit the security modules to override.

24
 *

25
 * The caller must hold either a ref on cred or must hold the RCU readlock.

26
 *

27
 * Returns 0 if successful, -EACCES if access is denied based on the

28
 * permissions bits or the LSM check.

29
 */

30
int key_task_permission(const key_ref_t key_ref, const struct cred *cred,

31
			key_perm_t perm)

32
{

33
	struct key *key;

34
	key_perm_t kperm;

35
	int ret;

36


37
	key = key_ref_to_ptr(key_ref);

38


39
	if (key->user->user_ns != cred->user->user_ns)

40
		goto use_other_perms;

41


42
	/* use the second 8-bits of permissions for keys the caller owns */

43
	if (key->uid == cred->fsuid) {

44
		kperm = key->perm >> 16;

45
		goto use_these_perms;

46
	}

47


48
	/* use the third 8-bits of permissions for keys the caller has a group

49
	 * membership in common with */

50
	if (key->gid != -1 && key->perm & KEY_GRP_ALL) {

51
		if (key->gid == cred->fsgid) {

52
			kperm = key->perm >> 8;

53
			goto use_these_perms;

54
		}

55


56
		ret = groups_search(cred->group_info, key->gid);

57
		if (ret) {

58
			kperm = key->perm >> 8;

59
			goto use_these_perms;

60
		}

61
	}

62


63
use_other_perms:

64


65
	/* otherwise use the least-significant 8-bits */

66
	kperm = key->perm;

67


68
use_these_perms:

69


70
	/* use the top 8-bits of permissions for keys the caller possesses

71
	 * - possessor permissions are additive with other permissions

72
	 */

73
	if (is_key_possessed(key_ref))

74
		kperm |= key->perm >> 24;

75


76
	kperm = kperm & perm & KEY_ALL;

77


78
	if (kperm != perm)

79
		return -EACCES;

80


81
	/* let LSM be the final arbiter */

82
	return security_key_permission(key_ref, cred, perm);

83
}

84
EXPORT_SYMBOL(key_task_permission);

85


86
/**

87
 * key_validate - Validate a key.

88
 * @key: The key to be validated.

89
 *

90
 * Check that a key is valid, returning 0 if the key is okay, -EKEYREVOKED if

91
 * the key's type has been removed or if the key has been revoked or

92
 * -EKEYEXPIRED if the key has expired.

93
 */

94
int key_validate(struct key *key)

95
{

96
	struct timespec now;

97
	int ret = 0;

98


99
	if (key) {

100
		/* check it's still accessible */

101
		ret = -EKEYREVOKED;

102
		if (test_bit(KEY_FLAG_REVOKED, &key->flags) ||

103
		    test_bit(KEY_FLAG_DEAD, &key->flags))

104
			goto error;

105


106
		/* check it hasn't expired */

107
		ret = 0;

108
		if (key->expiry) {

109
			now = current_kernel_time();

110
			if (now.tv_sec >= key->expiry)

111
				ret = -EKEYEXPIRED;

112
		}

113
	}

114


115
error:

116
	return ret;

117
}

118
EXPORT_SYMBOL(key_validate);

119


120