1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/* Basic authentication token and access key management
3
 *
4
 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved.
5
 * Written by David Howells ([email protected])
6
 */
7

8
#include <linux/export.h>
9
#include <linux/init.h>
10
#include <linux/poison.h>
11
#include <linux/sched.h>
12
#include <linux/slab.h>
13
#include <linux/security.h>
14
#include <linux/workqueue.h>
15
#include <linux/random.h>
16
#include <linux/err.h>
17
#include "internal.h"
18

19
struct kmem_cache *key_jar;
20
struct rb_root		key_serial_tree; /* tree of keys indexed by serial */
21
DEFINE_SPINLOCK(key_serial_lock);
22

23
struct rb_root	key_user_tree; /* tree of quota records indexed by UID */
24
DEFINE_SPINLOCK(key_user_lock);
25

26
unsigned int key_quota_root_maxkeys = 1000000;	/* root's key count quota */
27
unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */
28
unsigned int key_quota_maxkeys = 200;		/* general key count quota */
29
unsigned int key_quota_maxbytes = 20000;	/* general key space quota */
30

31
static LIST_HEAD(key_types_list);
32
static DECLARE_RWSEM(key_types_sem);
33

34
/* We serialise key instantiation and link */
35
DEFINE_MUTEX(key_construction_mutex);
36

37
#ifdef KEY_DEBUGGING
38
void __key_check(const struct key *key)
39
{
40
	printk("__key_check: key %p {%08x} should be {%08x}\n",
41
	       key, key->magic, KEY_DEBUG_MAGIC);
42
	BUG();
43
}
44
#endif
45

46
/*
47
 * Get the key quota record for a user, allocating a new record if one doesn't
48
 * already exist.
49
 */
50
struct key_user *key_user_lookup(kuid_t uid)
51
{
52
	struct key_user *candidate = NULL, *user;
53
	struct rb_node *parent, **p;
54

55
try_again:
56
	parent = NULL;
57
	p = &key_user_tree.rb_node;
58
	spin_lock(&key_user_lock);
59

60
	/* search the tree for a user record with a matching UID */
61
	while (*p) {
62
		parent = *p;
63
		user = rb_entry(parent, struct key_user, node);
64

65
		if (uid_lt(uid, user->uid))
66
			p = &(*p)->rb_left;
67
		else if (uid_gt(uid, user->uid))
68
			p = &(*p)->rb_right;
69
		else
70
			goto found;
71
	}
72

73
	/* if we get here, we failed to find a match in the tree */
74
	if (!candidate) {
75
		/* allocate a candidate user record if we don't already have
76
		 * one */
77
		spin_unlock(&key_user_lock);
78

79
		user = NULL;
80
		candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL);
81
		if (unlikely(!candidate))
82
			goto out;
83

84
		/* the allocation may have scheduled, so we need to repeat the
85
		 * search lest someone else added the record whilst we were
86
		 * asleep */
87
		goto try_again;
88
	}
89

90
	/* if we get here, then the user record still hadn't appeared on the
91
	 * second pass - so we use the candidate record */
92
	refcount_set(&candidate->usage, 1);
93
	atomic_set(&candidate->nkeys, 0);
94
	atomic_set(&candidate->nikeys, 0);
95
	candidate->uid = uid;
96
	candidate->qnkeys = 0;
97
	candidate->qnbytes = 0;
98
	spin_lock_init(&candidate->lock);
99
	mutex_init(&candidate->cons_lock);
100

101
	rb_link_node(&candidate->node, parent, p);
102
	rb_insert_color(&candidate->node, &key_user_tree);
103
	spin_unlock(&key_user_lock);
104
	user = candidate;
105
	goto out;
106

107
	/* okay - we found a user record for this UID */
108
found:
109
	refcount_inc(&user->usage);
110
	spin_unlock(&key_user_lock);
111
	kfree(candidate);
112
out:
113
	return user;
114
}
115

116
/*
117
 * Dispose of a user structure
118
 */
119
void key_user_put(struct key_user *user)
120
{
121
	if (refcount_dec_and_lock(&user->usage, &key_user_lock)) {
122
		rb_erase(&user->node, &key_user_tree);
123
		spin_unlock(&key_user_lock);
124

125
		kfree(user);
126
	}
127
}
128

129
/*
130
 * Allocate a serial number for a key.  These are assigned randomly to avoid
131
 * security issues through covert channel problems.
132
 */
133
static inline void key_alloc_serial(struct key *key)
134
{
135
	struct rb_node *parent, **p;
136
	struct key *xkey;
137

138
	/* propose a random serial number and look for a hole for it in the
139
	 * serial number tree */
140
	do {
141
		get_random_bytes(&key->serial, sizeof(key->serial));
142

143
		key->serial >>= 1; /* negative numbers are not permitted */
144
	} while (key->serial < 3);
145

146
	spin_lock(&key_serial_lock);
147

148
attempt_insertion:
149
	parent = NULL;
150
	p = &key_serial_tree.rb_node;
151

152
	while (*p) {
153
		parent = *p;
154
		xkey = rb_entry(parent, struct key, serial_node);
155

156
		if (key->serial < xkey->serial)
157
			p = &(*p)->rb_left;
158
		else if (key->serial > xkey->serial)
159
			p = &(*p)->rb_right;
160
		else
161
			goto serial_exists;
162
	}
163

164
	/* we've found a suitable hole - arrange for this key to occupy it */
165
	rb_link_node(&key->serial_node, parent, p);
166
	rb_insert_color(&key->serial_node, &key_serial_tree);
167

168
	spin_unlock(&key_serial_lock);
169
	return;
170

171
	/* we found a key with the proposed serial number - walk the tree from
172
	 * that point looking for the next unused serial number */
173
serial_exists:
174
	for (;;) {
175
		key->serial++;
176
		if (key->serial < 3) {
177
			key->serial = 3;
178
			goto attempt_insertion;
179
		}
180

181
		parent = rb_next(parent);
182
		if (!parent)
183
			goto attempt_insertion;
184

185
		xkey = rb_entry(parent, struct key, serial_node);
186
		if (key->serial < xkey->serial)
187
			goto attempt_insertion;
188
	}
189
}
190

191
/**
192
 * key_alloc - Allocate a key of the specified type.
193
 * @type: The type of key to allocate.
194
 * @desc: The key description to allow the key to be searched out.
195
 * @uid: The owner of the new key.
196
 * @gid: The group ID for the new key's group permissions.
197
 * @cred: The credentials specifying UID namespace.
198
 * @perm: The permissions mask of the new key.
199
 * @flags: Flags specifying quota properties.
200
 * @restrict_link: Optional link restriction for new keyrings.
201
 *
202
 * Allocate a key of the specified type with the attributes given.  The key is
203
 * returned in an uninstantiated state and the caller needs to instantiate the
204
 * key before returning.
205
 *
206
 * The restrict_link structure (if not NULL) will be freed when the
207
 * keyring is destroyed, so it must be dynamically allocated.
208
 *
209
 * The user's key count quota is updated to reflect the creation of the key and
210
 * the user's key data quota has the default for the key type reserved.  The
211
 * instantiation function should amend this as necessary.  If insufficient
212
 * quota is available, -EDQUOT will be returned.
213
 *
214
 * The LSM security modules can prevent a key being created, in which case
215
 * -EACCES will be returned.
216
 *
217
 * Returns a pointer to the new key if successful and an error code otherwise.
218
 *
219
 * Note that the caller needs to ensure the key type isn't uninstantiated.
220
 * Internally this can be done by locking key_types_sem.  Externally, this can
221
 * be done by either never unregistering the key type, or making sure
222
 * key_alloc() calls don't race with module unloading.
223
 */
224
struct key *key_alloc(struct key_type *type, const char *desc,
225
		      kuid_t uid, kgid_t gid, const struct cred *cred,
226
		      key_perm_t perm, unsigned long flags,
227
		      struct key_restriction *restrict_link)
228
{
229
	struct key_user *user = NULL;
230
	struct key *key;
231
	size_t desclen, quotalen;
232
	int ret;
233
	unsigned long irqflags;
234

235
	key = ERR_PTR(-EINVAL);
236
	if (!desc || !*desc)
237
		goto error;
238

239
	if (type->vet_description) {
240
		ret = type->vet_description(desc);
241
		if (ret < 0) {
242
			key = ERR_PTR(ret);
243
			goto error;
244
		}
245
	}
246

247
	desclen = strlen(desc);
248
	quotalen = desclen + 1 + type->def_datalen;
249

250
	/* get hold of the key tracking for this user */
251
	user = key_user_lookup(uid);
252
	if (!user)
253
		goto no_memory_1;
254

255
	/* check that the user's quota permits allocation of another key and
256
	 * its description */
257
	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
258
		unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ?
259
			key_quota_root_maxkeys : key_quota_maxkeys;
260
		unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ?
261
			key_quota_root_maxbytes : key_quota_maxbytes;
262

263
		spin_lock_irqsave(&user->lock, irqflags);
264
		if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
265
			if (user->qnkeys + 1 > maxkeys ||
266
			    user->qnbytes + quotalen > maxbytes ||
267
			    user->qnbytes + quotalen < user->qnbytes)
268
				goto no_quota;
269
		}
270

271
		user->qnkeys++;
272
		user->qnbytes += quotalen;
273
		spin_unlock_irqrestore(&user->lock, irqflags);
274
	}
275

276
	/* allocate and initialise the key and its description */
277
	key = kmem_cache_zalloc(key_jar, GFP_KERNEL);
278
	if (!key)
279
		goto no_memory_2;
280

281
	key->index_key.desc_len = desclen;
282
	key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
283
	if (!key->index_key.description)
284
		goto no_memory_3;
285
	key->index_key.type = type;
286
	key_set_index_key(&key->index_key);
287

288
	refcount_set(&key->usage, 1);
289
	init_rwsem(&key->sem);
290
	lockdep_set_class(&key->sem, &type->lock_class);
291
	key->user = user;
292
	key->quotalen = quotalen;
293
	key->datalen = type->def_datalen;
294
	key->uid = uid;
295
	key->gid = gid;
296
	key->perm = perm;
297
	key->expiry = TIME64_MAX;
298
	key->restrict_link = restrict_link;
299
	key->last_used_at = ktime_get_real_seconds();
300

301
	key->flags |= 1 << KEY_FLAG_USER_ALIVE;
302
	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
303
		key->flags |= 1 << KEY_FLAG_IN_QUOTA;
304
	if (flags & KEY_ALLOC_BUILT_IN)
305
		key->flags |= 1 << KEY_FLAG_BUILTIN;
306
	if (flags & KEY_ALLOC_UID_KEYRING)
307
		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
308
	if (flags & KEY_ALLOC_SET_KEEP)
309
		key->flags |= 1 << KEY_FLAG_KEEP;
310

311
#ifdef KEY_DEBUGGING
312
	key->magic = KEY_DEBUG_MAGIC;
313
#endif
314

315
	/* let the security module know about the key */
316
	ret = security_key_alloc(key, cred, flags);
317
	if (ret < 0)
318
		goto security_error;
319

320
	/* publish the key by giving it a serial number */
321
	refcount_inc(&key->domain_tag->usage);
322
	atomic_inc(&user->nkeys);
323
	key_alloc_serial(key);
324

325
error:
326
	return key;
327

328
security_error:
329
	kfree(key->description);
330
	kmem_cache_free(key_jar, key);
331
	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
332
		spin_lock_irqsave(&user->lock, irqflags);
333
		user->qnkeys--;
334
		user->qnbytes -= quotalen;
335
		spin_unlock_irqrestore(&user->lock, irqflags);
336
	}
337
	key_user_put(user);
338
	key = ERR_PTR(ret);
339
	goto error;
340

341
no_memory_3:
342
	kmem_cache_free(key_jar, key);
343
no_memory_2:
344
	if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
345
		spin_lock_irqsave(&user->lock, irqflags);
346
		user->qnkeys--;
347
		user->qnbytes -= quotalen;
348
		spin_unlock_irqrestore(&user->lock, irqflags);
349
	}
350
	key_user_put(user);
351
no_memory_1:
352
	key = ERR_PTR(-ENOMEM);
353
	goto error;
354

355
no_quota:
356
	spin_unlock_irqrestore(&user->lock, irqflags);
357
	key_user_put(user);
358
	key = ERR_PTR(-EDQUOT);
359
	goto error;
360
}
361
EXPORT_SYMBOL(key_alloc);
362

363
/**
364
 * key_payload_reserve - Adjust data quota reservation for the key's payload
365
 * @key: The key to make the reservation for.
366
 * @datalen: The amount of data payload the caller now wants.
367
 *
368
 * Adjust the amount of the owning user's key data quota that a key reserves.
369
 * If the amount is increased, then -EDQUOT may be returned if there isn't
370
 * enough free quota available.
371
 *
372
 * If successful, 0 is returned.
373
 */
374
int key_payload_reserve(struct key *key, size_t datalen)
375
{
376
	int delta = (int)datalen - key->datalen;
377
	int ret = 0;
378

379
	key_check(key);
380

381
	/* contemplate the quota adjustment */
382
	if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
383
		unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ?
384
			key_quota_root_maxbytes : key_quota_maxbytes;
385
		unsigned long flags;
386

387
		spin_lock_irqsave(&key->user->lock, flags);
388

389
		if (delta > 0 &&
390
		    (key->user->qnbytes + delta > maxbytes ||
391
		     key->user->qnbytes + delta < key->user->qnbytes)) {
392
			ret = -EDQUOT;
393
		}
394
		else {
395
			key->user->qnbytes += delta;
396
			key->quotalen += delta;
397
		}
398
		spin_unlock_irqrestore(&key->user->lock, flags);
399
	}
400

401
	/* change the recorded data length if that didn't generate an error */
402
	if (ret == 0)
403
		key->datalen = datalen;
404

405
	return ret;
406
}
407
EXPORT_SYMBOL(key_payload_reserve);
408

409
/*
410
 * Change the key state to being instantiated.
411
 */
412
static void mark_key_instantiated(struct key *key, int reject_error)
413
{
414
	/* Commit the payload before setting the state; barrier versus
415
	 * key_read_state().
416
	 */
417
	smp_store_release(&key->state,
418
			  (reject_error < 0) ? reject_error : KEY_IS_POSITIVE);
419
}
420

421
/*
422
 * Instantiate a key and link it into the target keyring atomically.  Must be
423
 * called with the target keyring's semaphore writelocked.  The target key's
424
 * semaphore need not be locked as instantiation is serialised by
425
 * key_construction_mutex.
426
 */
427
static int __key_instantiate_and_link(struct key *key,
428
				      struct key_preparsed_payload *prep,
429
				      struct key *keyring,
430
				      struct key *authkey,
431
				      struct assoc_array_edit **_edit)
432
{
433
	int ret, awaken;
434

435
	key_check(key);
436
	key_check(keyring);
437

438
	awaken = 0;
439
	ret = -EBUSY;
440

441
	mutex_lock(&key_construction_mutex);
442

443
	/* can't instantiate twice */
444
	if (key->state == KEY_IS_UNINSTANTIATED) {
445
		/* instantiate the key */
446
		ret = key->type->instantiate(key, prep);
447

448
		if (ret == 0) {
449
			/* mark the key as being instantiated */
450
			atomic_inc(&key->user->nikeys);
451
			mark_key_instantiated(key, 0);
452
			notify_key(key, NOTIFY_KEY_INSTANTIATED, 0);
453

454
			if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
455
				awaken = 1;
456

457
			/* and link it into the destination keyring */
458
			if (keyring) {
459
				if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
460
					set_bit(KEY_FLAG_KEEP, &key->flags);
461

462
				__key_link(keyring, key, _edit);
463
			}
464

465
			/* disable the authorisation key */
466
			if (authkey)
467
				key_invalidate(authkey);
468

469
			if (prep->expiry != TIME64_MAX)
470
				key_set_expiry(key, prep->expiry);
471
		}
472
	}
473

474
	mutex_unlock(&key_construction_mutex);
475

476
	/* wake up anyone waiting for a key to be constructed */
477
	if (awaken)
478
		wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
479

480
	return ret;
481
}
482

483
/**
484
 * key_instantiate_and_link - Instantiate a key and link it into the keyring.
485
 * @key: The key to instantiate.
486
 * @data: The data to use to instantiate the keyring.
487
 * @datalen: The length of @data.
488
 * @keyring: Keyring to create a link in on success (or NULL).
489
 * @authkey: The authorisation token permitting instantiation.
490
 *
491
 * Instantiate a key that's in the uninstantiated state using the provided data
492
 * and, if successful, link it in to the destination keyring if one is
493
 * supplied.
494
 *
495
 * If successful, 0 is returned, the authorisation token is revoked and anyone
496
 * waiting for the key is woken up.  If the key was already instantiated,
497
 * -EBUSY will be returned.
498
 */
499
int key_instantiate_and_link(struct key *key,
500
			     const void *data,
501
			     size_t datalen,
502
			     struct key *keyring,
503
			     struct key *authkey)
504
{
505
	struct key_preparsed_payload prep;
506
	struct assoc_array_edit *edit = NULL;
507
	int ret;
508

509
	memset(&prep, 0, sizeof(prep));
510
	prep.orig_description = key->description;
511
	prep.data = data;
512
	prep.datalen = datalen;
513
	prep.quotalen = key->type->def_datalen;
514
	prep.expiry = TIME64_MAX;
515
	if (key->type->preparse) {
516
		ret = key->type->preparse(&prep);
517
		if (ret < 0)
518
			goto error;
519
	}
520

521
	if (keyring) {
522
		ret = __key_link_lock(keyring, &key->index_key);
523
		if (ret < 0)
524
			goto error;
525

526
		ret = __key_link_begin(keyring, &key->index_key, &edit);
527
		if (ret < 0)
528
			goto error_link_end;
529

530
		if (keyring->restrict_link && keyring->restrict_link->check) {
531
			struct key_restriction *keyres = keyring->restrict_link;
532

533
			ret = keyres->check(keyring, key->type, &prep.payload,
534
					    keyres->key);
535
			if (ret < 0)
536
				goto error_link_end;
537
		}
538
	}
539

540
	ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
541

542
error_link_end:
543
	if (keyring)
544
		__key_link_end(keyring, &key->index_key, edit);
545

546
error:
547
	if (key->type->preparse)
548
		key->type->free_preparse(&prep);
549
	return ret;
550
}
551

552
EXPORT_SYMBOL(key_instantiate_and_link);
553

554
/**
555
 * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
556
 * @key: The key to instantiate.
557
 * @timeout: The timeout on the negative key.
558
 * @error: The error to return when the key is hit.
559
 * @keyring: Keyring to create a link in on success (or NULL).
560
 * @authkey: The authorisation token permitting instantiation.
561
 *
562
 * Negatively instantiate a key that's in the uninstantiated state and, if
563
 * successful, set its timeout and stored error and link it in to the
564
 * destination keyring if one is supplied.  The key and any links to the key
565
 * will be automatically garbage collected after the timeout expires.
566
 *
567
 * Negative keys are used to rate limit repeated request_key() calls by causing
568
 * them to return the stored error code (typically ENOKEY) until the negative
569
 * key expires.
570
 *
571
 * If successful, 0 is returned, the authorisation token is revoked and anyone
572
 * waiting for the key is woken up.  If the key was already instantiated,
573
 * -EBUSY will be returned.
574
 */
575
int key_reject_and_link(struct key *key,
576
			unsigned timeout,
577
			unsigned error,
578
			struct key *keyring,
579
			struct key *authkey)
580
{
581
	struct assoc_array_edit *edit = NULL;
582
	int ret, awaken, link_ret = 0;
583

584
	key_check(key);
585
	key_check(keyring);
586

587
	awaken = 0;
588
	ret = -EBUSY;
589

590
	if (keyring) {
591
		if (keyring->restrict_link)
592
			return -EPERM;
593

594
		link_ret = __key_link_lock(keyring, &key->index_key);
595
		if (link_ret == 0) {
596
			link_ret = __key_link_begin(keyring, &key->index_key, &edit);
597
			if (link_ret < 0)
598
				__key_link_end(keyring, &key->index_key, edit);
599
		}
600
	}
601

602
	mutex_lock(&key_construction_mutex);
603

604
	/* can't instantiate twice */
605
	if (key->state == KEY_IS_UNINSTANTIATED) {
606
		/* mark the key as being negatively instantiated */
607
		atomic_inc(&key->user->nikeys);
608
		mark_key_instantiated(key, -error);
609
		notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
610
		key_set_expiry(key, ktime_get_real_seconds() + timeout);
611

612
		if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
613
			awaken = 1;
614

615
		ret = 0;
616

617
		/* and link it into the destination keyring */
618
		if (keyring && link_ret == 0)
619
			__key_link(keyring, key, &edit);
620

621
		/* disable the authorisation key */
622
		if (authkey)
623
			key_invalidate(authkey);
624
	}
625

626
	mutex_unlock(&key_construction_mutex);
627

628
	if (keyring && link_ret == 0)
629
		__key_link_end(keyring, &key->index_key, edit);
630

631
	/* wake up anyone waiting for a key to be constructed */
632
	if (awaken)
633
		wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
634

635
	return ret == 0 ? link_ret : ret;
636
}
637
EXPORT_SYMBOL(key_reject_and_link);
638

639
/**
640
 * key_put - Discard a reference to a key.
641
 * @key: The key to discard a reference from.
642
 *
643
 * Discard a reference to a key, and when all the references are gone, we
644
 * schedule the cleanup task to come and pull it out of the tree in process
645
 * context at some later time.
646
 */
647
void key_put(struct key *key)
648
{
649
	if (key) {
650
		key_check(key);
651

652
		if (refcount_dec_and_test(&key->usage)) {
653
			unsigned long flags;
654

655
			/* deal with the user's key tracking and quota */
656
			if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
657
				spin_lock_irqsave(&key->user->lock, flags);
658
				key->user->qnkeys--;
659
				key->user->qnbytes -= key->quotalen;
660
				spin_unlock_irqrestore(&key->user->lock, flags);
661
			}
662
			/* Mark key as safe for GC after key->user done. */
663
			clear_bit_unlock(KEY_FLAG_USER_ALIVE, &key->flags);
664
			schedule_work(&key_gc_work);
665
		}
666
	}
667
}
668
EXPORT_SYMBOL(key_put);
669

670
/*
671
 * Find a key by its serial number.
672
 */
673
struct key *key_lookup(key_serial_t id)
674
{
675
	struct rb_node *n;
676
	struct key *key;
677

678
	spin_lock(&key_serial_lock);
679

680
	/* search the tree for the specified key */
681
	n = key_serial_tree.rb_node;
682
	while (n) {
683
		key = rb_entry(n, struct key, serial_node);
684

685
		if (id < key->serial)
686
			n = n->rb_left;
687
		else if (id > key->serial)
688
			n = n->rb_right;
689
		else
690
			goto found;
691
	}
692

693
not_found:
694
	key = ERR_PTR(-ENOKEY);
695
	goto error;
696

697
found:
698
	/* A key is allowed to be looked up only if someone still owns a
699
	 * reference to it - otherwise it's awaiting the gc.
700
	 */
701
	if (!refcount_inc_not_zero(&key->usage))
702
		goto not_found;
703

704
error:
705
	spin_unlock(&key_serial_lock);
706
	return key;
707
}
708
EXPORT_SYMBOL(key_lookup);
709

710
/*
711
 * Find and lock the specified key type against removal.
712
 *
713
 * We return with the sem read-locked if successful.  If the type wasn't
714
 * available -ENOKEY is returned instead.
715
 */
716
struct key_type *key_type_lookup(const char *type)
717
{
718
	struct key_type *ktype;
719

720
	down_read(&key_types_sem);
721

722
	/* look up the key type to see if it's one of the registered kernel
723
	 * types */
724
	list_for_each_entry(ktype, &key_types_list, link) {
725
		if (strcmp(ktype->name, type) == 0)
726
			goto found_kernel_type;
727
	}
728

729
	up_read(&key_types_sem);
730
	ktype = ERR_PTR(-ENOKEY);
731

732
found_kernel_type:
733
	return ktype;
734
}
735

736
void key_set_timeout(struct key *key, unsigned timeout)
737
{
738
	time64_t expiry = TIME64_MAX;
739

740
	/* make the changes with the locks held to prevent races */
741
	down_write(&key->sem);
742

743
	if (timeout > 0)
744
		expiry = ktime_get_real_seconds() + timeout;
745
	key_set_expiry(key, expiry);
746

747
	up_write(&key->sem);
748
}
749
EXPORT_SYMBOL_GPL(key_set_timeout);
750

751
/*
752
 * Unlock a key type locked by key_type_lookup().
753
 */
754
void key_type_put(struct key_type *ktype)
755
{
756
	up_read(&key_types_sem);
757
}
758

759
/*
760
 * Attempt to update an existing key.
761
 *
762
 * The key is given to us with an incremented refcount that we need to discard
763
 * if we get an error.
764
 */
765
static inline key_ref_t __key_update(key_ref_t key_ref,
766
				     struct key_preparsed_payload *prep)
767
{
768
	struct key *key = key_ref_to_ptr(key_ref);
769
	int ret;
770

771
	/* need write permission on the key to update it */
772
	ret = key_permission(key_ref, KEY_NEED_WRITE);
773
	if (ret < 0)
774
		goto error;
775

776
	ret = -EEXIST;
777
	if (!key->type->update)
778
		goto error;
779

780
	down_write(&key->sem);
781

782
	ret = key->type->update(key, prep);
783
	if (ret == 0) {
784
		/* Updating a negative key positively instantiates it */
785
		mark_key_instantiated(key, 0);
786
		notify_key(key, NOTIFY_KEY_UPDATED, 0);
787
	}
788

789
	up_write(&key->sem);
790

791
	if (ret < 0)
792
		goto error;
793
out:
794
	return key_ref;
795

796
error:
797
	key_put(key);
798
	key_ref = ERR_PTR(ret);
799
	goto out;
800
}
801

802
/*
803
 * Create or potentially update a key. The combined logic behind
804
 * key_create_or_update() and key_create()
805
 */
806
static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
807
					const char *type,
808
					const char *description,
809
					const void *payload,
810
					size_t plen,
811
					key_perm_t perm,
812
					unsigned long flags,
813
					bool allow_update)
814
{
815
	struct keyring_index_key index_key = {
816
		.description	= description,
817
	};
818
	struct key_preparsed_payload prep;
819
	struct assoc_array_edit *edit = NULL;
820
	const struct cred *cred = current_cred();
821
	struct key *keyring, *key = NULL;
822
	key_ref_t key_ref;
823
	int ret;
824
	struct key_restriction *restrict_link = NULL;
825

826
	/* look up the key type to see if it's one of the registered kernel
827
	 * types */
828
	index_key.type = key_type_lookup(type);
829
	if (IS_ERR(index_key.type)) {
830
		key_ref = ERR_PTR(-ENODEV);
831
		goto error;
832
	}
833

834
	key_ref = ERR_PTR(-EINVAL);
835
	if (!index_key.type->instantiate ||
836
	    (!index_key.description && !index_key.type->preparse))
837
		goto error_put_type;
838

839
	keyring = key_ref_to_ptr(keyring_ref);
840

841
	key_check(keyring);
842

843
	if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION))
844
		restrict_link = keyring->restrict_link;
845

846
	key_ref = ERR_PTR(-ENOTDIR);
847
	if (keyring->type != &key_type_keyring)
848
		goto error_put_type;
849

850
	memset(&prep, 0, sizeof(prep));
851
	prep.orig_description = description;
852
	prep.data = payload;
853
	prep.datalen = plen;
854
	prep.quotalen = index_key.type->def_datalen;
855
	prep.expiry = TIME64_MAX;
856
	if (index_key.type->preparse) {
857
		ret = index_key.type->preparse(&prep);
858
		if (ret < 0) {
859
			key_ref = ERR_PTR(ret);
860
			goto error_free_prep;
861
		}
862
		if (!index_key.description)
863
			index_key.description = prep.description;
864
		key_ref = ERR_PTR(-EINVAL);
865
		if (!index_key.description)
866
			goto error_free_prep;
867
	}
868
	index_key.desc_len = strlen(index_key.description);
869
	key_set_index_key(&index_key);
870

871
	ret = __key_link_lock(keyring, &index_key);
872
	if (ret < 0) {
873
		key_ref = ERR_PTR(ret);
874
		goto error_free_prep;
875
	}
876

877
	ret = __key_link_begin(keyring, &index_key, &edit);
878
	if (ret < 0) {
879
		key_ref = ERR_PTR(ret);
880
		goto error_link_end;
881
	}
882

883
	if (restrict_link && restrict_link->check) {
884
		ret = restrict_link->check(keyring, index_key.type,
885
					   &prep.payload, restrict_link->key);
886
		if (ret < 0) {
887
			key_ref = ERR_PTR(ret);
888
			goto error_link_end;
889
		}
890
	}
891

892
	/* if we're going to allocate a new key, we're going to have
893
	 * to modify the keyring */
894
	ret = key_permission(keyring_ref, KEY_NEED_WRITE);
895
	if (ret < 0) {
896
		key_ref = ERR_PTR(ret);
897
		goto error_link_end;
898
	}
899

900
	/* if it's requested and possible to update this type of key, search
901
	 * for an existing key of the same type and description in the
902
	 * destination keyring and update that instead if possible
903
	 */
904
	if (allow_update) {
905
		if (index_key.type->update) {
906
			key_ref = find_key_to_update(keyring_ref, &index_key);
907
			if (key_ref)
908
				goto found_matching_key;
909
		}
910
	} else {
911
		key_ref = find_key_to_update(keyring_ref, &index_key);
912
		if (key_ref) {
913
			key_ref_put(key_ref);
914
			key_ref = ERR_PTR(-EEXIST);
915
			goto error_link_end;
916
		}
917
	}
918

919
	/* if the client doesn't provide, decide on the permissions we want */
920
	if (perm == KEY_PERM_UNDEF) {
921
		perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
922
		perm |= KEY_USR_VIEW;
923

924
		if (index_key.type->read)
925
			perm |= KEY_POS_READ;
926

927
		if (index_key.type == &key_type_keyring ||
928
		    index_key.type->update)
929
			perm |= KEY_POS_WRITE;
930
	}
931

932
	/* allocate a new key */
933
	key = key_alloc(index_key.type, index_key.description,
934
			cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
935
	if (IS_ERR(key)) {
936
		key_ref = ERR_CAST(key);
937
		goto error_link_end;
938
	}
939

940
	/* instantiate it and link it into the target keyring */
941
	ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
942
	if (ret < 0) {
943
		key_put(key);
944
		key_ref = ERR_PTR(ret);
945
		goto error_link_end;
946
	}
947

948
	security_key_post_create_or_update(keyring, key, payload, plen, flags,
949
					   true);
950

951
	key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
952

953
error_link_end:
954
	__key_link_end(keyring, &index_key, edit);
955
error_free_prep:
956
	if (index_key.type->preparse)
957
		index_key.type->free_preparse(&prep);
958
error_put_type:
959
	key_type_put(index_key.type);
960
error:
961
	return key_ref;
962

963
 found_matching_key:
964
	/* we found a matching key, so we're going to try to update it
965
	 * - we can drop the locks first as we have the key pinned
966
	 */
967
	__key_link_end(keyring, &index_key, edit);
968

969
	key = key_ref_to_ptr(key_ref);
970
	if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) {
971
		ret = wait_for_key_construction(key, true);
972
		if (ret < 0) {
973
			key_ref_put(key_ref);
974
			key_ref = ERR_PTR(ret);
975
			goto error_free_prep;
976
		}
977
	}
978

979
	key_ref = __key_update(key_ref, &prep);
980

981
	if (!IS_ERR(key_ref))
982
		security_key_post_create_or_update(keyring, key, payload, plen,
983
						   flags, false);
984

985
	goto error_free_prep;
986
}
987

988
/**
989
 * key_create_or_update - Update or create and instantiate a key.
990
 * @keyring_ref: A pointer to the destination keyring with possession flag.
991
 * @type: The type of key.
992
 * @description: The searchable description for the key.
993
 * @payload: The data to use to instantiate or update the key.
994
 * @plen: The length of @payload.
995
 * @perm: The permissions mask for a new key.
996
 * @flags: The quota flags for a new key.
997
 *
998
 * Search the destination keyring for a key of the same description and if one
999
 * is found, update it, otherwise create and instantiate a new one and create a
1000
 * link to it from that keyring.
1001
 *
1002
 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
1003
 * concocted.
1004
 *
1005
 * Returns a pointer to the new key if successful, -ENODEV if the key type
1006
 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
1007
 * caller isn't permitted to modify the keyring or the LSM did not permit
1008
 * creation of the key.
1009
 *
1010
 * On success, the possession flag from the keyring ref will be tacked on to
1011
 * the key ref before it is returned.
1012
 */
1013
key_ref_t key_create_or_update(key_ref_t keyring_ref,
1014
			       const char *type,
1015
			       const char *description,
1016
			       const void *payload,
1017
			       size_t plen,
1018
			       key_perm_t perm,
1019
			       unsigned long flags)
1020
{
1021
	return __key_create_or_update(keyring_ref, type, description, payload,
1022
				      plen, perm, flags, true);
1023
}
1024
EXPORT_SYMBOL(key_create_or_update);
1025

1026
/**
1027
 * key_create - Create and instantiate a key.
1028
 * @keyring_ref: A pointer to the destination keyring with possession flag.
1029
 * @type: The type of key.
1030
 * @description: The searchable description for the key.
1031
 * @payload: The data to use to instantiate or update the key.
1032
 * @plen: The length of @payload.
1033
 * @perm: The permissions mask for a new key.
1034
 * @flags: The quota flags for a new key.
1035
 *
1036
 * Create and instantiate a new key and link to it from the destination keyring.
1037
 *
1038
 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
1039
 * concocted.
1040
 *
1041
 * Returns a pointer to the new key if successful, -EEXIST if a key with the
1042
 * same description already exists, -ENODEV if the key type wasn't available,
1043
 * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't
1044
 * permitted to modify the keyring or the LSM did not permit creation of the
1045
 * key.
1046
 *
1047
 * On success, the possession flag from the keyring ref will be tacked on to
1048
 * the key ref before it is returned.
1049
 */
1050
key_ref_t key_create(key_ref_t keyring_ref,
1051
		     const char *type,
1052
		     const char *description,
1053
		     const void *payload,
1054
		     size_t plen,
1055
		     key_perm_t perm,
1056
		     unsigned long flags)
1057
{
1058
	return __key_create_or_update(keyring_ref, type, description, payload,
1059
				      plen, perm, flags, false);
1060
}
1061
EXPORT_SYMBOL(key_create);
1062

1063
/**
1064
 * key_update - Update a key's contents.
1065
 * @key_ref: The pointer (plus possession flag) to the key.
1066
 * @payload: The data to be used to update the key.
1067
 * @plen: The length of @payload.
1068
 *
1069
 * Attempt to update the contents of a key with the given payload data.  The
1070
 * caller must be granted Write permission on the key.  Negative keys can be
1071
 * instantiated by this method.
1072
 *
1073
 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key
1074
 * type does not support updating.  The key type may return other errors.
1075
 */
1076
int key_update(key_ref_t key_ref, const void *payload, size_t plen)
1077
{
1078
	struct key_preparsed_payload prep;
1079
	struct key *key = key_ref_to_ptr(key_ref);
1080
	int ret;
1081

1082
	key_check(key);
1083

1084
	/* the key must be writable */
1085
	ret = key_permission(key_ref, KEY_NEED_WRITE);
1086
	if (ret < 0)
1087
		return ret;
1088

1089
	/* attempt to update it if supported */
1090
	if (!key->type->update)
1091
		return -EOPNOTSUPP;
1092

1093
	memset(&prep, 0, sizeof(prep));
1094
	prep.data = payload;
1095
	prep.datalen = plen;
1096
	prep.quotalen = key->type->def_datalen;
1097
	prep.expiry = TIME64_MAX;
1098
	if (key->type->preparse) {
1099
		ret = key->type->preparse(&prep);
1100
		if (ret < 0)
1101
			goto error;
1102
	}
1103

1104
	down_write(&key->sem);
1105

1106
	ret = key->type->update(key, &prep);
1107
	if (ret == 0) {
1108
		/* Updating a negative key positively instantiates it */
1109
		mark_key_instantiated(key, 0);
1110
		notify_key(key, NOTIFY_KEY_UPDATED, 0);
1111
	}
1112

1113
	up_write(&key->sem);
1114

1115
error:
1116
	if (key->type->preparse)
1117
		key->type->free_preparse(&prep);
1118
	return ret;
1119
}
1120
EXPORT_SYMBOL(key_update);
1121

1122
/**
1123
 * key_revoke - Revoke a key.
1124
 * @key: The key to be revoked.
1125
 *
1126
 * Mark a key as being revoked and ask the type to free up its resources.  The
1127
 * revocation timeout is set and the key and all its links will be
1128
 * automatically garbage collected after key_gc_delay amount of time if they
1129
 * are not manually dealt with first.
1130
 */
1131
void key_revoke(struct key *key)
1132
{
1133
	time64_t time;
1134

1135
	key_check(key);
1136

1137
	/* make sure no one's trying to change or use the key when we mark it
1138
	 * - we tell lockdep that we might nest because we might be revoking an
1139
	 *   authorisation key whilst holding the sem on a key we've just
1140
	 *   instantiated
1141
	 */
1142
	down_write_nested(&key->sem, 1);
1143
	if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) {
1144
		notify_key(key, NOTIFY_KEY_REVOKED, 0);
1145
		if (key->type->revoke)
1146
			key->type->revoke(key);
1147

1148
		/* set the death time to no more than the expiry time */
1149
		time = ktime_get_real_seconds();
1150
		if (key->revoked_at == 0 || key->revoked_at > time) {
1151
			key->revoked_at = time;
1152
			key_schedule_gc(key->revoked_at + key_gc_delay);
1153
		}
1154
	}
1155

1156
	up_write(&key->sem);
1157
}
1158
EXPORT_SYMBOL(key_revoke);
1159

1160
/**
1161
 * key_invalidate - Invalidate a key.
1162
 * @key: The key to be invalidated.
1163
 *
1164
 * Mark a key as being invalidated and have it cleaned up immediately.  The key
1165
 * is ignored by all searches and other operations from this point.
1166
 */
1167
void key_invalidate(struct key *key)
1168
{
1169
	kenter("%d", key_serial(key));
1170

1171
	key_check(key);
1172

1173
	if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
1174
		down_write_nested(&key->sem, 1);
1175
		if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
1176
			notify_key(key, NOTIFY_KEY_INVALIDATED, 0);
1177
			key_schedule_gc_links();
1178
		}
1179
		up_write(&key->sem);
1180
	}
1181
}
1182
EXPORT_SYMBOL(key_invalidate);
1183

1184
/**
1185
 * generic_key_instantiate - Simple instantiation of a key from preparsed data
1186
 * @key: The key to be instantiated
1187
 * @prep: The preparsed data to load.
1188
 *
1189
 * Instantiate a key from preparsed data.  We assume we can just copy the data
1190
 * in directly and clear the old pointers.
1191
 *
1192
 * This can be pointed to directly by the key type instantiate op pointer.
1193
 */
1194
int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
1195
{
1196
	int ret;
1197

1198
	pr_devel("==>%s()\n", __func__);
1199

1200
	ret = key_payload_reserve(key, prep->quotalen);
1201
	if (ret == 0) {
1202
		rcu_assign_keypointer(key, prep->payload.data[0]);
1203
		key->payload.data[1] = prep->payload.data[1];
1204
		key->payload.data[2] = prep->payload.data[2];
1205
		key->payload.data[3] = prep->payload.data[3];
1206
		prep->payload.data[0] = NULL;
1207
		prep->payload.data[1] = NULL;
1208
		prep->payload.data[2] = NULL;
1209
		prep->payload.data[3] = NULL;
1210
	}
1211
	pr_devel("<==%s() = %d\n", __func__, ret);
1212
	return ret;
1213
}
1214
EXPORT_SYMBOL(generic_key_instantiate);
1215

1216
/**
1217
 * register_key_type - Register a type of key.
1218
 * @ktype: The new key type.
1219
 *
1220
 * Register a new key type.
1221
 *
1222
 * Returns 0 on success or -EEXIST if a type of this name already exists.
1223
 */
1224
int register_key_type(struct key_type *ktype)
1225
{
1226
	struct key_type *p;
1227
	int ret;
1228

1229
	memset(&ktype->lock_class, 0, sizeof(ktype->lock_class));
1230

1231
	ret = -EEXIST;
1232
	down_write(&key_types_sem);
1233

1234
	/* disallow key types with the same name */
1235
	list_for_each_entry(p, &key_types_list, link) {
1236
		if (strcmp(p->name, ktype->name) == 0)
1237
			goto out;
1238
	}
1239

1240
	/* store the type */
1241
	list_add(&ktype->link, &key_types_list);
1242

1243
	pr_notice("Key type %s registered\n", ktype->name);
1244
	ret = 0;
1245

1246
out:
1247
	up_write(&key_types_sem);
1248
	return ret;
1249
}
1250
EXPORT_SYMBOL(register_key_type);
1251

1252
/**
1253
 * unregister_key_type - Unregister a type of key.
1254
 * @ktype: The key type.
1255
 *
1256
 * Unregister a key type and mark all the extant keys of this type as dead.
1257
 * Those keys of this type are then destroyed to get rid of their payloads and
1258
 * they and their links will be garbage collected as soon as possible.
1259
 */
1260
void unregister_key_type(struct key_type *ktype)
1261
{
1262
	down_write(&key_types_sem);
1263
	list_del_init(&ktype->link);
1264
	downgrade_write(&key_types_sem);
1265
	key_gc_keytype(ktype);
1266
	pr_notice("Key type %s unregistered\n", ktype->name);
1267
	up_read(&key_types_sem);
1268
}
1269
EXPORT_SYMBOL(unregister_key_type);
1270

1271
/*
1272
 * Initialise the key management state.
1273
 */
1274
void __init key_init(void)
1275
{
1276
	/* allocate a slab in which we can store keys */
1277
	key_jar = kmem_cache_create("key_jar", sizeof(struct key),
1278
			0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
1279

1280
	/* add the special key types */
1281
	list_add_tail(&key_type_keyring.link, &key_types_list);
1282
	list_add_tail(&key_type_dead.link, &key_types_list);
1283
	list_add_tail(&key_type_user.link, &key_types_list);
1284
	list_add_tail(&key_type_logon.link, &key_types_list);
1285

1286
	/* record the root user tracking */
1287
	rb_link_node(&root_key_user.node,
1288
		     NULL,
1289
		     &key_user_tree.rb_node);
1290

1291
	rb_insert_color(&root_key_user.node,
1292
			&key_user_tree);
1293
}
1294

1295