David Howells | 973c9f4 | 2011-01-20 16:38:33 +0000 | [diff] [blame] | 1 | /* Key permission checking |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 2 | * |
| 3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. |
| 4 | * Written by David Howells (dhowells@redhat.com) |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | */ |
| 11 | |
Paul Gortmaker | 876979c | 2018-12-09 15:36:29 -0500 | [diff] [blame] | 12 | #include <linux/export.h> |
David Howells | 29db919 | 2005-10-30 15:02:44 -0800 | [diff] [blame] | 13 | #include <linux/security.h> |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 14 | #include "internal.h" |
| 15 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 16 | /** |
| 17 | * key_task_permission - Check a key can be used |
David Howells | 973c9f4 | 2011-01-20 16:38:33 +0000 | [diff] [blame] | 18 | * @key_ref: The key to check. |
| 19 | * @cred: The credentials to use. |
| 20 | * @perm: The permissions to check for. |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 21 | * |
| 22 | * Check to see whether permission is granted to use a key in the desired way, |
| 23 | * but permit the security modules to override. |
| 24 | * |
David Howells | 973c9f4 | 2011-01-20 16:38:33 +0000 | [diff] [blame] | 25 | * The caller must hold either a ref on cred or must hold the RCU readlock. |
| 26 | * |
| 27 | * Returns 0 if successful, -EACCES if access is denied based on the |
| 28 | * permissions bits or the LSM check. |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 29 | */ |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 30 | int key_task_permission(const key_ref_t key_ref, const struct cred *cred, |
David Howells | f589594 | 2014-03-14 17:44:49 +0000 | [diff] [blame] | 31 | unsigned perm) |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 32 | { |
| 33 | struct key *key; |
| 34 | key_perm_t kperm; |
| 35 | int ret; |
| 36 | |
| 37 | key = key_ref_to_ptr(key_ref); |
| 38 | |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 39 | /* use the second 8-bits of permissions for keys the caller owns */ |
Eric W. Biederman | 9a56c2d | 2012-02-08 07:53:04 -0800 | [diff] [blame] | 40 | if (uid_eq(key->uid, cred->fsuid)) { |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 41 | kperm = key->perm >> 16; |
| 42 | goto use_these_perms; |
| 43 | } |
| 44 | |
| 45 | /* use the third 8-bits of permissions for keys the caller has a group |
| 46 | * membership in common with */ |
Eric W. Biederman | 9a56c2d | 2012-02-08 07:53:04 -0800 | [diff] [blame] | 47 | if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) { |
| 48 | if (gid_eq(key->gid, cred->fsgid)) { |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 49 | kperm = key->perm >> 8; |
| 50 | goto use_these_perms; |
| 51 | } |
| 52 | |
Eric W. Biederman | 9a56c2d | 2012-02-08 07:53:04 -0800 | [diff] [blame] | 53 | ret = groups_search(cred->group_info, key->gid); |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 54 | if (ret) { |
| 55 | kperm = key->perm >> 8; |
| 56 | goto use_these_perms; |
| 57 | } |
| 58 | } |
| 59 | |
| 60 | /* otherwise use the least-significant 8-bits */ |
| 61 | kperm = key->perm; |
| 62 | |
| 63 | use_these_perms: |
David Howells | c69e8d9 | 2008-11-14 10:39:19 +1100 | [diff] [blame] | 64 | |
David Howells | 7ab501d | 2005-10-07 16:41:24 +0100 | [diff] [blame] | 65 | /* use the top 8-bits of permissions for keys the caller possesses |
| 66 | * - possessor permissions are additive with other permissions |
| 67 | */ |
| 68 | if (is_key_possessed(key_ref)) |
| 69 | kperm |= key->perm >> 24; |
| 70 | |
David Howells | f589594 | 2014-03-14 17:44:49 +0000 | [diff] [blame] | 71 | kperm = kperm & perm & KEY_NEED_ALL; |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 72 | |
David Howells | 29db919 | 2005-10-30 15:02:44 -0800 | [diff] [blame] | 73 | if (kperm != perm) |
| 74 | return -EACCES; |
| 75 | |
| 76 | /* let LSM be the final arbiter */ |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 77 | return security_key_permission(key_ref, cred, perm); |
David Howells | a8b17ed | 2011-01-20 16:38:27 +0000 | [diff] [blame] | 78 | } |
David Howells | 468ed2b | 2005-10-07 15:07:38 +0100 | [diff] [blame] | 79 | EXPORT_SYMBOL(key_task_permission); |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 80 | |
David Howells | 973c9f4 | 2011-01-20 16:38:33 +0000 | [diff] [blame] | 81 | /** |
| 82 | * key_validate - Validate a key. |
| 83 | * @key: The key to be validated. |
| 84 | * |
David Howells | fd75815 | 2012-05-11 10:56:56 +0100 | [diff] [blame] | 85 | * Check that a key is valid, returning 0 if the key is okay, -ENOKEY if the |
| 86 | * key is invalidated, -EKEYREVOKED if the key's type has been removed or if |
| 87 | * the key has been revoked or -EKEYEXPIRED if the key has expired. |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 88 | */ |
David Howells | b404aef | 2012-05-15 14:11:11 +0100 | [diff] [blame] | 89 | int key_validate(const struct key *key) |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 90 | { |
Eric Biggers | 1823d47 | 2017-09-27 12:50:44 -0700 | [diff] [blame] | 91 | unsigned long flags = READ_ONCE(key->flags); |
Baolin Wang | 074d589 | 2017-11-15 16:38:45 +0000 | [diff] [blame] | 92 | time64_t expiry = READ_ONCE(key->expiry); |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 93 | |
David Howells | b404aef | 2012-05-15 14:11:11 +0100 | [diff] [blame] | 94 | if (flags & (1 << KEY_FLAG_INVALIDATED)) |
| 95 | return -ENOKEY; |
David Howells | fd75815 | 2012-05-11 10:56:56 +0100 | [diff] [blame] | 96 | |
David Howells | b404aef | 2012-05-15 14:11:11 +0100 | [diff] [blame] | 97 | /* check it's still accessible */ |
| 98 | if (flags & ((1 << KEY_FLAG_REVOKED) | |
| 99 | (1 << KEY_FLAG_DEAD))) |
| 100 | return -EKEYREVOKED; |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 101 | |
David Howells | b404aef | 2012-05-15 14:11:11 +0100 | [diff] [blame] | 102 | /* check it hasn't expired */ |
Eric Biggers | 1823d47 | 2017-09-27 12:50:44 -0700 | [diff] [blame] | 103 | if (expiry) { |
Baolin Wang | 074d589 | 2017-11-15 16:38:45 +0000 | [diff] [blame] | 104 | if (ktime_get_real_seconds() >= expiry) |
David Howells | b404aef | 2012-05-15 14:11:11 +0100 | [diff] [blame] | 105 | return -EKEYEXPIRED; |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 106 | } |
| 107 | |
David Howells | b404aef | 2012-05-15 14:11:11 +0100 | [diff] [blame] | 108 | return 0; |
David Howells | a8b17ed | 2011-01-20 16:38:27 +0000 | [diff] [blame] | 109 | } |
David Howells | b5f545c | 2006-01-08 01:02:47 -0800 | [diff] [blame] | 110 | EXPORT_SYMBOL(key_validate); |