xref: /linux/security/keys/internal.h (revision e9a83bd2322035ed9d7dcf35753d3f984d76c6a5) 
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /* Authentication token and access key management internal defs
3  *
4  * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #ifndef _INTERNAL_H
9 #define _INTERNAL_H
10 
11 #include <linux/sched.h>
12 #include <linux/wait_bit.h>
13 #include <linux/cred.h>
14 #include <linux/key-type.h>
15 #include <linux/task_work.h>
16 #include <linux/keyctl.h>
17 #include <linux/refcount.h>
18 #include <linux/compat.h>
19 
20 struct iovec;
21 
22 #ifdef __KDEBUG
23 #define kenter(FMT, ...) \
24 	printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
25 #define kleave(FMT, ...) \
26 	printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
27 #define kdebug(FMT, ...) \
28 	printk(KERN_DEBUG "   "FMT"\n", ##__VA_ARGS__)
29 #else
30 #define kenter(FMT, ...) \
31 	no_printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
32 #define kleave(FMT, ...) \
33 	no_printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
34 #define kdebug(FMT, ...) \
35 	no_printk(KERN_DEBUG FMT"\n", ##__VA_ARGS__)
36 #endif
37 
38 extern struct key_type key_type_dead;
39 extern struct key_type key_type_user;
40 extern struct key_type key_type_logon;
41 
42 /*****************************************************************************/
43 /*
44  * Keep track of keys for a user.
45  *
46  * This needs to be separate to user_struct to avoid a refcount-loop
47  * (user_struct pins some keyrings which pin this struct).
48  *
49  * We also keep track of keys under request from userspace for this UID here.
50  */
51 struct key_user {
52 	struct rb_node		node;
53 	struct mutex		cons_lock;	/* construction initiation lock */
54 	spinlock_t		lock;
55 	refcount_t		usage;		/* for accessing qnkeys & qnbytes */
56 	atomic_t		nkeys;		/* number of keys */
57 	atomic_t		nikeys;		/* number of instantiated keys */
58 	kuid_t			uid;
59 	int			qnkeys;		/* number of keys allocated to this user */
60 	int			qnbytes;	/* number of bytes allocated to this user */
61 };
62 
63 extern struct rb_root	key_user_tree;
64 extern spinlock_t	key_user_lock;
65 extern struct key_user	root_key_user;
66 
67 extern struct key_user *key_user_lookup(kuid_t uid);
68 extern void key_user_put(struct key_user *user);
69 
70 /*
71  * Key quota limits.
72  * - root has its own separate limits to everyone else
73  */
74 extern unsigned key_quota_root_maxkeys;
75 extern unsigned key_quota_root_maxbytes;
76 extern unsigned key_quota_maxkeys;
77 extern unsigned key_quota_maxbytes;
78 
79 #define KEYQUOTA_LINK_BYTES	4		/* a link in a keyring is worth 4 bytes */
80 
81 
82 extern struct kmem_cache *key_jar;
83 extern struct rb_root key_serial_tree;
84 extern spinlock_t key_serial_lock;
85 extern struct mutex key_construction_mutex;
86 extern wait_queue_head_t request_key_conswq;
87 extern struct key_acl default_key_acl;
88 extern struct key_acl joinable_keyring_acl;
89 
90 extern void key_set_index_key(struct keyring_index_key *index_key);
91 
92 extern struct key_type *key_type_lookup(const char *type);
93 extern void key_type_put(struct key_type *ktype);
94 
95 extern int __key_link_lock(struct key *keyring,
96 			   const struct keyring_index_key *index_key);
97 extern int __key_move_lock(struct key *l_keyring, struct key *u_keyring,
98 			   const struct keyring_index_key *index_key);
99 extern int __key_link_begin(struct key *keyring,
100 			    const struct keyring_index_key *index_key,
101 			    struct assoc_array_edit **_edit);
102 extern int __key_link_check_live_key(struct key *keyring, struct key *key);
103 extern void __key_link(struct key *key, struct assoc_array_edit **_edit);
104 extern void __key_link_end(struct key *keyring,
105 			   const struct keyring_index_key *index_key,
106 			   struct assoc_array_edit *edit);
107 
108 extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
109 				    const struct keyring_index_key *index_key);
110 
111 extern struct key *keyring_search_instkey(struct key *keyring,
112 					  key_serial_t target_id);
113 
114 extern int iterate_over_keyring(const struct key *keyring,
115 				int (*func)(const struct key *key, void *data),
116 				void *data);
117 
118 struct keyring_search_context {
119 	struct keyring_index_key index_key;
120 	const struct cred	*cred;
121 	struct key_match_data	match_data;
122 	unsigned		flags;
123 #define KEYRING_SEARCH_NO_STATE_CHECK	0x0001	/* Skip state checks */
124 #define KEYRING_SEARCH_DO_STATE_CHECK	0x0002	/* Override NO_STATE_CHECK */
125 #define KEYRING_SEARCH_NO_UPDATE_TIME	0x0004	/* Don't update times */
126 #define KEYRING_SEARCH_NO_CHECK_PERM	0x0008	/* Don't check permissions */
127 #define KEYRING_SEARCH_DETECT_TOO_DEEP	0x0010	/* Give an error on excessive depth */
128 #define KEYRING_SEARCH_SKIP_EXPIRED	0x0020	/* Ignore expired keys (intention to replace) */
129 #define KEYRING_SEARCH_RECURSE		0x0040	/* Search child keyrings also */
130 
131 	int (*iterator)(const void *object, void *iterator_data);
132 
133 	/* Internal stuff */
134 	int			skipped_ret;
135 	bool			possessed;
136 	key_ref_t		result;
137 	time64_t		now;
138 };
139 
140 extern bool key_default_cmp(const struct key *key,
141 			    const struct key_match_data *match_data);
142 extern key_ref_t keyring_search_rcu(key_ref_t keyring_ref,
143 				    struct keyring_search_context *ctx);
144 
145 extern key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx);
146 extern key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx);
147 
148 extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
149 
150 extern int look_up_user_keyrings(struct key **, struct key **);
151 extern struct key *get_user_session_keyring_rcu(const struct cred *);
152 extern int install_thread_keyring_to_cred(struct cred *);
153 extern int install_process_keyring_to_cred(struct cred *);
154 extern int install_session_keyring_to_cred(struct cred *, struct key *);
155 
156 extern struct key *request_key_and_link(struct key_type *type,
157 					const char *description,
158 					struct key_tag *domain_tag,
159 					const void *callout_info,
160 					size_t callout_len,
161 					void *aux,
162 					struct key_acl *acl,
163 					struct key *dest_keyring,
164 					unsigned long flags);
165 
166 extern bool lookup_user_key_possessed(const struct key *key,
167 				      const struct key_match_data *match_data);
168 #define KEY_LOOKUP_CREATE	0x01
169 #define KEY_LOOKUP_PARTIAL	0x02
170 #define KEY_LOOKUP_FOR_UNLINK	0x04
171 
172 extern long join_session_keyring(const char *name);
173 extern void key_change_session_keyring(struct callback_head *twork);
174 
175 extern struct work_struct key_gc_work;
176 extern unsigned key_gc_delay;
177 extern void keyring_gc(struct key *keyring, time64_t limit);
178 extern void keyring_restriction_gc(struct key *keyring,
179 				   struct key_type *dead_type);
180 extern void key_schedule_gc(time64_t gc_at);
181 extern void key_schedule_gc_links(void);
182 extern void key_gc_keytype(struct key_type *ktype);
183 
184 extern int key_task_permission(const key_ref_t key_ref,
185 			       const struct cred *cred,
186 			       u32 desired_perm);
187 extern unsigned int key_acl_to_perm(const struct key_acl *acl);
188 extern long key_set_acl(struct key *key, struct key_acl *acl);
189 extern void key_put_acl(struct key_acl *acl);
190 
191 /*
192  * Check to see whether permission is granted to use a key in the desired way.
193  */
194 static inline int key_permission(const key_ref_t key_ref, unsigned perm)
195 {
196 	return key_task_permission(key_ref, current_cred(), perm);
197 }
198 
199 extern struct key_type key_type_request_key_auth;
200 extern struct key *request_key_auth_new(struct key *target,
201 					const char *op,
202 					const void *callout_info,
203 					size_t callout_len,
204 					struct key *dest_keyring);
205 
206 extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
207 
208 /*
209  * Determine whether a key is dead.
210  */
211 static inline bool key_is_dead(const struct key *key, time64_t limit)
212 {
213 	return
214 		key->flags & ((1 << KEY_FLAG_DEAD) |
215 			      (1 << KEY_FLAG_INVALIDATED)) ||
216 		(key->expiry > 0 && key->expiry <= limit) ||
217 		key->domain_tag->removed;
218 }
219 
220 /*
221  * keyctl() functions
222  */
223 extern long keyctl_get_keyring_ID(key_serial_t, int);
224 extern long keyctl_join_session_keyring(const char __user *);
225 extern long keyctl_update_key(key_serial_t, const void __user *, size_t);
226 extern long keyctl_revoke_key(key_serial_t);
227 extern long keyctl_keyring_clear(key_serial_t);
228 extern long keyctl_keyring_link(key_serial_t, key_serial_t);
229 extern long keyctl_keyring_move(key_serial_t, key_serial_t, key_serial_t, unsigned int);
230 extern long keyctl_keyring_unlink(key_serial_t, key_serial_t);
231 extern long keyctl_describe_key(key_serial_t, char __user *, size_t);
232 extern long keyctl_keyring_search(key_serial_t, const char __user *,
233 				  const char __user *, key_serial_t);
234 extern long keyctl_read_key(key_serial_t, char __user *, size_t);
235 extern long keyctl_chown_key(key_serial_t, uid_t, gid_t);
236 extern long keyctl_setperm_key(key_serial_t, unsigned int);
237 extern long keyctl_instantiate_key(key_serial_t, const void __user *,
238 				   size_t, key_serial_t);
239 extern long keyctl_negate_key(key_serial_t, unsigned, key_serial_t);
240 extern long keyctl_set_reqkey_keyring(int);
241 extern long keyctl_set_timeout(key_serial_t, unsigned);
242 extern long keyctl_assume_authority(key_serial_t);
243 extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
244 				size_t buflen);
245 extern long keyctl_session_to_parent(void);
246 extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
247 extern long keyctl_instantiate_key_iov(key_serial_t,
248 				       const struct iovec __user *,
249 				       unsigned, key_serial_t);
250 extern long keyctl_invalidate_key(key_serial_t);
251 
252 struct iov_iter;
253 extern long keyctl_instantiate_key_common(key_serial_t,
254 					  struct iov_iter *,
255 					  key_serial_t);
256 extern long keyctl_restrict_keyring(key_serial_t id,
257 				    const char __user *_type,
258 				    const char __user *_restriction);
259 #ifdef CONFIG_PERSISTENT_KEYRINGS
260 extern long keyctl_get_persistent(uid_t, key_serial_t);
261 extern unsigned persistent_keyring_expiry;
262 #else
263 static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
264 {
265 	return -EOPNOTSUPP;
266 }
267 #endif
268 
269 #ifdef CONFIG_KEY_DH_OPERATIONS
270 extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
271 			      size_t, struct keyctl_kdf_params __user *);
272 extern long __keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
273 				size_t, struct keyctl_kdf_params *);
274 #ifdef CONFIG_KEYS_COMPAT
275 extern long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
276 				char __user *buffer, size_t buflen,
277 				struct compat_keyctl_kdf_params __user *kdf);
278 #endif
279 #define KEYCTL_KDF_MAX_OUTPUT_LEN	1024	/* max length of KDF output */
280 #define KEYCTL_KDF_MAX_OI_LEN		64	/* max length of otherinfo */
281 #else
282 static inline long keyctl_dh_compute(struct keyctl_dh_params __user *params,
283 				     char __user *buffer, size_t buflen,
284 				     struct keyctl_kdf_params __user *kdf)
285 {
286 	return -EOPNOTSUPP;
287 }
288 
289 #ifdef CONFIG_KEYS_COMPAT
290 static inline long compat_keyctl_dh_compute(
291 				struct keyctl_dh_params __user *params,
292 				char __user *buffer, size_t buflen,
293 				struct keyctl_kdf_params __user *kdf)
294 {
295 	return -EOPNOTSUPP;
296 }
297 #endif
298 #endif
299 
300 #ifdef CONFIG_ASYMMETRIC_KEY_TYPE
301 extern long keyctl_pkey_query(key_serial_t,
302 			      const char __user *,
303 			      struct keyctl_pkey_query __user *);
304 
305 extern long keyctl_pkey_verify(const struct keyctl_pkey_params __user *,
306 			       const char __user *,
307 			       const void __user *, const void __user *);
308 
309 extern long keyctl_pkey_e_d_s(int,
310 			      const struct keyctl_pkey_params __user *,
311 			      const char __user *,
312 			      const void __user *, void __user *);
313 #else
314 static inline long keyctl_pkey_query(key_serial_t id,
315 				     const char __user *_info,
316 				     struct keyctl_pkey_query __user *_res)
317 {
318 	return -EOPNOTSUPP;
319 }
320 
321 static inline long keyctl_pkey_verify(const struct keyctl_pkey_params __user *params,
322 				      const char __user *_info,
323 				      const void __user *_in,
324 				      const void __user *_in2)
325 {
326 	return -EOPNOTSUPP;
327 }
328 
329 static inline long keyctl_pkey_e_d_s(int op,
330 				     const struct keyctl_pkey_params __user *params,
331 				     const char __user *_info,
332 				     const void __user *_in,
333 				     void __user *_out)
334 {
335 	return -EOPNOTSUPP;
336 }
337 #endif
338 
339 extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen);
340 
341 extern long keyctl_grant_permission(key_serial_t keyid,
342 				    enum key_ace_subject_type type,
343 				    unsigned int subject,
344 				    unsigned int perm);
345 
346 /*
347  * Debugging key validation
348  */
349 #ifdef KEY_DEBUGGING
350 extern void __key_check(const struct key *);
351 
352 static inline void key_check(const struct key *key)
353 {
354 	if (key && (IS_ERR(key) || key->magic != KEY_DEBUG_MAGIC))
355 		__key_check(key);
356 }
357 
358 #else
359 
360 #define key_check(key) do {} while(0)
361 
362 #endif
363 
364 #endif /* _INTERNAL_H */
365