1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Key permission checking
4 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #include <linux/export.h>
9 #include <linux/security.h>
10 #include <linux/user_namespace.h>
11 #include <linux/uaccess.h>
14 struct key_acl default_key_acl = {
15 .usage = REFCOUNT_INIT(1),
17 .possessor_viewable = true,
19 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
20 KEY_OWNER_ACE(KEY_ACE_VIEW),
23 EXPORT_SYMBOL(default_key_acl);
25 struct key_acl joinable_keyring_acl = {
26 .usage = REFCOUNT_INIT(1),
28 .possessor_viewable = true,
30 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
31 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_LINK | KEY_ACE_JOIN),
34 EXPORT_SYMBOL(joinable_keyring_acl);
36 struct key_acl internal_key_acl = {
37 .usage = REFCOUNT_INIT(1),
40 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
41 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
44 EXPORT_SYMBOL(internal_key_acl);
46 struct key_acl internal_keyring_acl = {
47 .usage = REFCOUNT_INIT(1),
50 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
51 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
54 EXPORT_SYMBOL(internal_keyring_acl);
56 struct key_acl internal_writable_keyring_acl = {
57 .usage = REFCOUNT_INIT(1),
60 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
61 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | KEY_ACE_SEARCH),
64 EXPORT_SYMBOL(internal_writable_keyring_acl);
67 * key_task_permission - Check a key can be used
68 * @key_ref: The key to check.
69 * @cred: The credentials to use.
70 * @desired_perm: The permission to check for.
72 * Check to see whether permission is granted to use a key in the desired way,
73 * but permit the security modules to override.
75 * The caller must hold either a ref on cred or must hold the RCU readlock.
77 * Returns 0 if successful, -EACCES if access is denied based on the
78 * permissions bits or the LSM check.
80 int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
81 unsigned int desired_perm)
83 const struct key_acl *acl;
84 const struct key *key;
85 unsigned int allow = 0;
88 BUILD_BUG_ON(KEY_NEED_VIEW != KEY_ACE_VIEW ||
89 KEY_NEED_READ != KEY_ACE_READ ||
90 KEY_NEED_WRITE != KEY_ACE_WRITE ||
91 KEY_NEED_SEARCH != KEY_ACE_SEARCH ||
92 KEY_NEED_LINK != KEY_ACE_LINK ||
93 KEY_NEED_SETSEC != KEY_ACE_SET_SECURITY ||
94 KEY_NEED_INVAL != KEY_ACE_INVAL ||
95 KEY_NEED_REVOKE != KEY_ACE_REVOKE ||
96 KEY_NEED_JOIN != KEY_ACE_JOIN ||
97 KEY_NEED_CLEAR != KEY_ACE_CLEAR);
99 key = key_ref_to_ptr(key_ref);
103 acl = rcu_dereference(key->acl);
104 if (!acl || acl->nr_ace == 0)
107 for (i = 0; i < acl->nr_ace; i++) {
108 const struct key_ace *ace = &acl->aces[i];
111 case KEY_ACE_SUBJ_STANDARD:
112 switch (ace->subject_id) {
113 case KEY_ACE_POSSESSOR:
114 if (is_key_possessed(key_ref))
118 if (uid_eq(key->uid, cred->fsuid))
122 if (gid_valid(key->gid)) {
123 if (gid_eq(key->gid, cred->fsgid))
125 else if (groups_search(cred->group_info, key->gid))
129 case KEY_ACE_EVERYONE:
139 if (!(allow & desired_perm))
142 return security_key_permission(key_ref, cred, desired_perm);
149 EXPORT_SYMBOL(key_task_permission);
152 * key_validate - Validate a key.
153 * @key: The key to be validated.
155 * Check that a key is valid, returning 0 if the key is okay, -ENOKEY if the
156 * key is invalidated, -EKEYREVOKED if the key's type has been removed or if
157 * the key has been revoked or -EKEYEXPIRED if the key has expired.
159 int key_validate(const struct key *key)
161 unsigned long flags = READ_ONCE(key->flags);
162 time64_t expiry = READ_ONCE(key->expiry);
164 if (flags & (1 << KEY_FLAG_INVALIDATED))
167 /* check it's still accessible */
168 if (flags & ((1 << KEY_FLAG_REVOKED) |
169 (1 << KEY_FLAG_DEAD)))
172 /* check it hasn't expired */
174 if (ktime_get_real_seconds() >= expiry)
180 EXPORT_SYMBOL(key_validate);
183 * Roughly render an ACL to an old-style permissions mask. We cannot
184 * accurately render what the ACL, particularly if it has ACEs that represent
185 * subjects outside of { poss, user, group, other }.
187 unsigned int key_acl_to_perm(const struct key_acl *acl)
189 unsigned int perm = 0, tperm;
192 BUILD_BUG_ON(KEY_OTH_VIEW != KEY_ACE_VIEW ||
193 KEY_OTH_READ != KEY_ACE_READ ||
194 KEY_OTH_WRITE != KEY_ACE_WRITE ||
195 KEY_OTH_SEARCH != KEY_ACE_SEARCH ||
196 KEY_OTH_LINK != KEY_ACE_LINK ||
197 KEY_OTH_SETATTR != KEY_ACE_SET_SECURITY);
199 if (!acl || acl->nr_ace == 0)
202 for (i = 0; i < acl->nr_ace; i++) {
203 const struct key_ace *ace = &acl->aces[i];
206 case KEY_ACE_SUBJ_STANDARD:
207 tperm = ace->perm & KEY_OTH_ALL;
209 /* Invalidation and joining were allowed by SEARCH */
210 if (ace->perm & (KEY_ACE_INVAL | KEY_ACE_JOIN))
211 tperm |= KEY_OTH_SEARCH;
213 /* Revocation was allowed by either SETATTR or WRITE */
214 if ((ace->perm & KEY_ACE_REVOKE) && !(tperm & KEY_OTH_SETATTR))
215 tperm |= KEY_OTH_WRITE;
217 /* Clearing was allowed by WRITE */
218 if (ace->perm & KEY_ACE_CLEAR)
219 tperm |= KEY_OTH_WRITE;
221 switch (ace->subject_id) {
222 case KEY_ACE_POSSESSOR:
231 case KEY_ACE_EVERYONE:
242 * Destroy a key's ACL.
244 void key_put_acl(struct key_acl *acl)
246 if (acl && refcount_dec_and_test(&acl->usage))
251 * Try to set the ACL. This either attaches or discards the proposed ACL.
253 long key_set_acl(struct key *key, struct key_acl *acl)
257 /* If we're not the sysadmin, we can only change a key that we own. */
258 if (!capable(CAP_SYS_ADMIN) && !uid_eq(key->uid, current_fsuid())) {
263 for (i = 0; i < acl->nr_ace; i++) {
264 const struct key_ace *ace = &acl->aces[i];
265 if (ace->type == KEY_ACE_SUBJ_STANDARD &&
266 ace->subject_id == KEY_ACE_POSSESSOR) {
267 if (ace->perm & KEY_ACE_VIEW)
268 acl->possessor_viewable = true;
273 rcu_swap_protected(key->acl, acl, lockdep_is_held(&key->sem));
279 * Allocate a new ACL with an extra ACE slot.
281 static struct key_acl *key_alloc_acl(const struct key_acl *old_acl, int nr, int skip)
284 int nr_ace, i, j = 0;
286 nr_ace = old_acl->nr_ace + nr;
288 return ERR_PTR(-EINVAL);
290 acl = kzalloc(struct_size(acl, aces, nr_ace), GFP_KERNEL);
292 return ERR_PTR(-ENOMEM);
294 refcount_set(&acl->usage, 1);
295 acl->nr_ace = nr_ace;
296 for (i = 0; i < old_acl->nr_ace; i++) {
299 acl->aces[j] = old_acl->aces[i];
306 * Generate the revised ACL.
308 static long key_change_acl(struct key *key, struct key_ace *new_ace)
310 struct key_acl *acl, *old;
313 old = rcu_dereference_protected(key->acl, lockdep_is_held(&key->sem));
315 for (i = 0; i < old->nr_ace; i++)
316 if (old->aces[i].type == new_ace->type &&
317 old->aces[i].subject_id == new_ace->subject_id)
320 if (new_ace->perm == 0)
321 return 0; /* No permissions to remove. Add deny record? */
323 acl = key_alloc_acl(old, 1, -1);
326 acl->aces[i] = *new_ace;
330 if (new_ace->perm == 0)
332 if (new_ace->perm == old->aces[i].perm)
334 acl = key_alloc_acl(old, 0, -1);
337 acl->aces[i].perm = new_ace->perm;
341 acl = key_alloc_acl(old, -1, i);
347 return key_set_acl(key, acl);
351 * Add, alter or remove (if perm == 0) an ACE in a key's ACL.
353 long keyctl_grant_permission(key_serial_t keyid,
354 enum key_ace_subject_type type,
355 unsigned int subject,
358 struct key_ace new_ace;
367 case KEY_ACE_SUBJ_STANDARD:
368 if (subject >= nr__key_ace_standard_subject)
370 new_ace.subject_id = subject;
377 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_SETSEC);
378 if (IS_ERR(key_ref)) {
379 ret = PTR_ERR(key_ref);
383 key = key_ref_to_ptr(key_ref);
385 down_write(&key->sem);
387 /* If we're not the sysadmin, we can only change a key that we own */
389 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid()))
390 ret = key_change_acl(key, &new_ace);