diff options
Diffstat (limited to 'security/keys/permission.c')
| -rw-r--r-- | security/keys/permission.c | 361 |
1 files changed, 36 insertions, 325 deletions
diff --git a/security/keys/permission.c b/security/keys/permission.c index fd8a5dc6910a..085f907b64ac 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c @@ -7,67 +7,13 @@ #include <linux/export.h> #include <linux/security.h> -#include <linux/user_namespace.h> -#include <linux/uaccess.h> #include "internal.h" -struct key_acl default_key_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .possessor_viewable = true, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN), - KEY_OWNER_ACE(KEY_ACE_VIEW), - } -}; -EXPORT_SYMBOL(default_key_acl); - -struct key_acl joinable_keyring_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .possessor_viewable = true, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN), - KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_LINK | KEY_ACE_JOIN), - } -}; -EXPORT_SYMBOL(joinable_keyring_acl); - -struct key_acl internal_key_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE_SEARCH), - KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH), - } -}; -EXPORT_SYMBOL(internal_key_acl); - -struct key_acl internal_keyring_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE_SEARCH), - KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH), - } -}; -EXPORT_SYMBOL(internal_keyring_acl); - -struct key_acl internal_writable_keyring_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE), - KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | KEY_ACE_SEARCH), - } -}; -EXPORT_SYMBOL(internal_writable_keyring_acl); - /** * key_task_permission - Check a key can be used * @key_ref: The key to check. * @cred: The credentials to use. - * @desired_perm: The permission to check for. + * @perm: The permissions to check for. * * Check to see whether permission is granted to use a key in the desired way, * but permit the security modules to override. @@ -78,73 +24,53 @@ EXPORT_SYMBOL(internal_writable_keyring_acl); * permissions bits or the LSM check. */ int key_task_permission(const key_ref_t key_ref, const struct cred *cred, - unsigned int desired_perm) + unsigned perm) { - const struct key_acl *acl; - const struct key *key; - unsigned int allow = 0; - int i; - - BUILD_BUG_ON(KEY_NEED_VIEW != KEY_ACE_VIEW || - KEY_NEED_READ != KEY_ACE_READ || - KEY_NEED_WRITE != KEY_ACE_WRITE || - KEY_NEED_SEARCH != KEY_ACE_SEARCH || - KEY_NEED_LINK != KEY_ACE_LINK || - KEY_NEED_SETSEC != KEY_ACE_SET_SECURITY || - KEY_NEED_INVAL != KEY_ACE_INVAL || - KEY_NEED_REVOKE != KEY_ACE_REVOKE || - KEY_NEED_JOIN != KEY_ACE_JOIN || - KEY_NEED_CLEAR != KEY_ACE_CLEAR); + struct key *key; + key_perm_t kperm; + int ret; key = key_ref_to_ptr(key_ref); - rcu_read_lock(); - - acl = rcu_dereference(key->acl); - if (!acl || acl->nr_ace == 0) - goto no_access_rcu; + /* use the second 8-bits of permissions for keys the caller owns */ + if (uid_eq(key->uid, cred->fsuid)) { + kperm = key->perm >> 16; + goto use_these_perms; + } - for (i = 0; i < acl->nr_ace; i++) { - const struct key_ace *ace = &acl->aces[i]; + /* use the third 8-bits of permissions for keys the caller has a group + * membership in common with */ + if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) { + if (gid_eq(key->gid, cred->fsgid)) { + kperm = key->perm >> 8; + goto use_these_perms; + } - switch (ace->type) { - case KEY_ACE_SUBJ_STANDARD: - switch (ace->subject_id) { - case KEY_ACE_POSSESSOR: - if (is_key_possessed(key_ref)) - allow |= ace->perm; - break; - case KEY_ACE_OWNER: - if (uid_eq(key->uid, cred->fsuid)) - allow |= ace->perm; - break; - case KEY_ACE_GROUP: - if (gid_valid(key->gid)) { - if (gid_eq(key->gid, cred->fsgid)) - allow |= ace->perm; - else if (groups_search(cred->group_info, key->gid)) - allow |= ace->perm; - } - break; - case KEY_ACE_EVERYONE: - allow |= ace->perm; - break; - } - break; + ret = groups_search(cred->group_info, key->gid); + if (ret) { + kperm = key->perm >> 8; + goto use_these_perms; } } - rcu_read_unlock(); + /* otherwise use the least-significant 8-bits */ + kperm = key->perm; + +use_these_perms: - if (!(allow & desired_perm)) - goto no_access; + /* use the top 8-bits of permissions for keys the caller possesses + * - possessor permissions are additive with other permissions + */ + if (is_key_possessed(key_ref)) + kperm |= key->perm >> 24; - return security_key_permission(key_ref, cred, desired_perm); + kperm = kperm & perm & KEY_NEED_ALL; -no_access_rcu: - rcu_read_unlock(); -no_access: - return -EACCES; + if (kperm != perm) + return -EACCES; + + /* let LSM be the final arbiter */ + return security_key_permission(key_ref, cred, perm); } EXPORT_SYMBOL(key_task_permission); @@ -178,218 +104,3 @@ int key_validate(const struct key *key) return 0; } EXPORT_SYMBOL(key_validate); - -/* - * Roughly render an ACL to an old-style permissions mask. We cannot - * accurately render what the ACL, particularly if it has ACEs that represent - * subjects outside of { poss, user, group, other }. - */ -unsigned int key_acl_to_perm(const struct key_acl *acl) -{ - unsigned int perm = 0, tperm; - int i; - - BUILD_BUG_ON(KEY_OTH_VIEW != KEY_ACE_VIEW || - KEY_OTH_READ != KEY_ACE_READ || - KEY_OTH_WRITE != KEY_ACE_WRITE || - KEY_OTH_SEARCH != KEY_ACE_SEARCH || - KEY_OTH_LINK != KEY_ACE_LINK || - KEY_OTH_SETATTR != KEY_ACE_SET_SECURITY); - - if (!acl || acl->nr_ace == 0) - return 0; - - for (i = 0; i < acl->nr_ace; i++) { - const struct key_ace *ace = &acl->aces[i]; - - switch (ace->type) { - case KEY_ACE_SUBJ_STANDARD: - tperm = ace->perm & KEY_OTH_ALL; - - /* Invalidation and joining were allowed by SEARCH */ - if (ace->perm & (KEY_ACE_INVAL | KEY_ACE_JOIN)) - tperm |= KEY_OTH_SEARCH; - - /* Revocation was allowed by either SETATTR or WRITE */ - if ((ace->perm & KEY_ACE_REVOKE) && !(tperm & KEY_OTH_SETATTR)) - tperm |= KEY_OTH_WRITE; - - /* Clearing was allowed by WRITE */ - if (ace->perm & KEY_ACE_CLEAR) - tperm |= KEY_OTH_WRITE; - - switch (ace->subject_id) { - case KEY_ACE_POSSESSOR: - perm |= tperm << 24; - break; - case KEY_ACE_OWNER: - perm |= tperm << 16; - break; - case KEY_ACE_GROUP: - perm |= tperm << 8; - break; - case KEY_ACE_EVERYONE: - perm |= tperm << 0; - break; - } - } - } - - return perm; -} - -/* - * Destroy a key's ACL. - */ -void key_put_acl(struct key_acl *acl) -{ - if (acl && refcount_dec_and_test(&acl->usage)) - kfree_rcu(acl, rcu); -} - -/* - * Try to set the ACL. This either attaches or discards the proposed ACL. - */ -long key_set_acl(struct key *key, struct key_acl *acl) -{ - int i; - - /* If we're not the sysadmin, we can only change a key that we own. */ - if (!capable(CAP_SYS_ADMIN) && !uid_eq(key->uid, current_fsuid())) { - key_put_acl(acl); - return -EACCES; - } - - for (i = 0; i < acl->nr_ace; i++) { - const struct key_ace *ace = &acl->aces[i]; - if (ace->type == KEY_ACE_SUBJ_STANDARD && - ace->subject_id == KEY_ACE_POSSESSOR) { - if (ace->perm & KEY_ACE_VIEW) - acl->possessor_viewable = true; - break; - } - } - - rcu_swap_protected(key->acl, acl, lockdep_is_held(&key->sem)); - key_put_acl(acl); - return 0; -} - -/* - * Allocate a new ACL with an extra ACE slot. - */ -static struct key_acl *key_alloc_acl(const struct key_acl *old_acl, int nr, int skip) -{ - struct key_acl *acl; - int nr_ace, i, j = 0; - - nr_ace = old_acl->nr_ace + nr; - if (nr_ace > 16) - return ERR_PTR(-EINVAL); - - acl = kzalloc(struct_size(acl, aces, nr_ace), GFP_KERNEL); - if (!acl) - return ERR_PTR(-ENOMEM); - - refcount_set(&acl->usage, 1); - acl->nr_ace = nr_ace; - for (i = 0; i < old_acl->nr_ace; i++) { - if (i == skip) - continue; - acl->aces[j] = old_acl->aces[i]; - j++; - } - return acl; -} - -/* - * Generate the revised ACL. - */ -static long key_change_acl(struct key *key, struct key_ace *new_ace) -{ - struct key_acl *acl, *old; - int i; - - old = rcu_dereference_protected(key->acl, lockdep_is_held(&key->sem)); - - for (i = 0; i < old->nr_ace; i++) - if (old->aces[i].type == new_ace->type && - old->aces[i].subject_id == new_ace->subject_id) - goto found_match; - - if (new_ace->perm == 0) - return 0; /* No permissions to remove. Add deny record? */ - - acl = key_alloc_acl(old, 1, -1); - if (IS_ERR(acl)) - return PTR_ERR(acl); - acl->aces[i] = *new_ace; - goto change; - -found_match: - if (new_ace->perm == 0) - goto delete_ace; - if (new_ace->perm == old->aces[i].perm) - return 0; - acl = key_alloc_acl(old, 0, -1); - if (IS_ERR(acl)) - return PTR_ERR(acl); - acl->aces[i].perm = new_ace->perm; - goto change; - -delete_ace: - acl = key_alloc_acl(old, -1, i); - if (IS_ERR(acl)) - return PTR_ERR(acl); - goto change; - -change: - return key_set_acl(key, acl); -} - -/* - * Add, alter or remove (if perm == 0) an ACE in a key's ACL. - */ -long keyctl_grant_permission(key_serial_t keyid, - enum key_ace_subject_type type, - unsigned int subject, - unsigned int perm) -{ - struct key_ace new_ace; - struct key *key; - key_ref_t key_ref; - long ret; - - new_ace.type = type; - new_ace.perm = perm; - - switch (type) { - case KEY_ACE_SUBJ_STANDARD: - if (subject >= nr__key_ace_standard_subject) - return -ENOENT; - new_ace.subject_id = subject; - break; - - default: - return -ENOENT; - } - - key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_SETSEC); - if (IS_ERR(key_ref)) { - ret = PTR_ERR(key_ref); - goto error; - } - - key = key_ref_to_ptr(key_ref); - - down_write(&key->sem); - - /* If we're not the sysadmin, we can only change a key that we own */ - ret = -EACCES; - if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) - ret = key_change_acl(key, &new_ace); - up_write(&key->sem); - key_put(key); -error: - return ret; -} |