LCOV - code coverage report
Current view: top level - kernel - cred.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 59 194 30.4 %
Date: 2023-08-24 13:40:31 Functions: 6 19 31.6 %

          Line data    Source code
       1             : // SPDX-License-Identifier: GPL-2.0-or-later
       2             : /* Task credentials management - see Documentation/security/credentials.rst
       3             :  *
       4             :  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
       5             :  * Written by David Howells (dhowells@redhat.com)
       6             :  */
       7             : #include <linux/export.h>
       8             : #include <linux/cred.h>
       9             : #include <linux/slab.h>
      10             : #include <linux/sched.h>
      11             : #include <linux/sched/coredump.h>
      12             : #include <linux/key.h>
      13             : #include <linux/keyctl.h>
      14             : #include <linux/init_task.h>
      15             : #include <linux/security.h>
      16             : #include <linux/binfmts.h>
      17             : #include <linux/cn_proc.h>
      18             : #include <linux/uidgid.h>
      19             : 
      20             : #if 0
      21             : #define kdebug(FMT, ...)                                                \
      22             :         printk("[%-5.5s%5u] " FMT "\n",                                     \
      23             :                current->comm, current->pid, ##__VA_ARGS__)
      24             : #else
      25             : #define kdebug(FMT, ...)                                                \
      26             : do {                                                                    \
      27             :         if (0)                                                          \
      28             :                 no_printk("[%-5.5s%5u] " FMT "\n",                  \
      29             :                           current->comm, current->pid, ##__VA_ARGS__);    \
      30             : } while (0)
      31             : #endif
      32             : 
      33             : static struct kmem_cache *cred_jar;
      34             : 
      35             : /* init to 2 - one for init_task, one to ensure it is never freed */
      36             : static struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
      37             : 
      38             : /*
      39             :  * The initial credentials for the initial task
      40             :  */
      41             : struct cred init_cred = {
      42             :         .usage                  = ATOMIC_INIT(4),
      43             : #ifdef CONFIG_DEBUG_CREDENTIALS
      44             :         .subscribers            = ATOMIC_INIT(2),
      45             :         .magic                  = CRED_MAGIC,
      46             : #endif
      47             :         .uid                    = GLOBAL_ROOT_UID,
      48             :         .gid                    = GLOBAL_ROOT_GID,
      49             :         .suid                   = GLOBAL_ROOT_UID,
      50             :         .sgid                   = GLOBAL_ROOT_GID,
      51             :         .euid                   = GLOBAL_ROOT_UID,
      52             :         .egid                   = GLOBAL_ROOT_GID,
      53             :         .fsuid                  = GLOBAL_ROOT_UID,
      54             :         .fsgid                  = GLOBAL_ROOT_GID,
      55             :         .securebits             = SECUREBITS_DEFAULT,
      56             :         .cap_inheritable        = CAP_EMPTY_SET,
      57             :         .cap_permitted          = CAP_FULL_SET,
      58             :         .cap_effective          = CAP_FULL_SET,
      59             :         .cap_bset               = CAP_FULL_SET,
      60             :         .user                   = INIT_USER,
      61             :         .user_ns                = &init_user_ns,
      62             :         .group_info             = &init_groups,
      63             :         .ucounts                = &init_ucounts,
      64             : };
      65             : 
      66             : static inline void set_cred_subscribers(struct cred *cred, int n)
      67             : {
      68             : #ifdef CONFIG_DEBUG_CREDENTIALS
      69             :         atomic_set(&cred->subscribers, n);
      70             : #endif
      71             : }
      72             : 
      73             : static inline int read_cred_subscribers(const struct cred *cred)
      74             : {
      75             : #ifdef CONFIG_DEBUG_CREDENTIALS
      76             :         return atomic_read(&cred->subscribers);
      77             : #else
      78             :         return 0;
      79             : #endif
      80             : }
      81             : 
      82             : static inline void alter_cred_subscribers(const struct cred *_cred, int n)
      83             : {
      84             : #ifdef CONFIG_DEBUG_CREDENTIALS
      85             :         struct cred *cred = (struct cred *) _cred;
      86             : 
      87             :         atomic_add(n, &cred->subscribers);
      88             : #endif
      89             : }
      90             : 
      91             : /*
      92             :  * The RCU callback to actually dispose of a set of credentials
      93             :  */
      94         159 : static void put_cred_rcu(struct rcu_head *rcu)
      95             : {
      96         159 :         struct cred *cred = container_of(rcu, struct cred, rcu);
      97             : 
      98             :         kdebug("put_cred_rcu(%p)", cred);
      99             : 
     100             : #ifdef CONFIG_DEBUG_CREDENTIALS
     101             :         if (cred->magic != CRED_MAGIC_DEAD ||
     102             :             atomic_read(&cred->usage) != 0 ||
     103             :             read_cred_subscribers(cred) != 0)
     104             :                 panic("CRED: put_cred_rcu() sees %p with"
     105             :                       " mag %x, put %p, usage %d, subscr %d\n",
     106             :                       cred, cred->magic, cred->put_addr,
     107             :                       atomic_read(&cred->usage),
     108             :                       read_cred_subscribers(cred));
     109             : #else
     110         318 :         if (atomic_read(&cred->usage) != 0)
     111           0 :                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
     112           0 :                       cred, atomic_read(&cred->usage));
     113             : #endif
     114             : 
     115         159 :         security_cred_free(cred);
     116             :         key_put(cred->session_keyring);
     117             :         key_put(cred->process_keyring);
     118             :         key_put(cred->thread_keyring);
     119             :         key_put(cred->request_key_auth);
     120         159 :         if (cred->group_info)
     121         318 :                 put_group_info(cred->group_info);
     122         159 :         free_uid(cred->user);
     123         159 :         if (cred->ucounts)
     124         159 :                 put_ucounts(cred->ucounts);
     125         159 :         put_user_ns(cred->user_ns);
     126         159 :         kmem_cache_free(cred_jar, cred);
     127         159 : }
     128             : 
     129             : /**
     130             :  * __put_cred - Destroy a set of credentials
     131             :  * @cred: The record to release
     132             :  *
     133             :  * Destroy a set of credentials on which no references remain.
     134             :  */
     135         159 : void __put_cred(struct cred *cred)
     136             : {
     137             :         kdebug("__put_cred(%p{%d,%d})", cred,
     138             :                atomic_read(&cred->usage),
     139             :                read_cred_subscribers(cred));
     140             : 
     141         318 :         BUG_ON(atomic_read(&cred->usage) != 0);
     142             : #ifdef CONFIG_DEBUG_CREDENTIALS
     143             :         BUG_ON(read_cred_subscribers(cred) != 0);
     144             :         cred->magic = CRED_MAGIC_DEAD;
     145             :         cred->put_addr = __builtin_return_address(0);
     146             : #endif
     147         159 :         BUG_ON(cred == current->cred);
     148         159 :         BUG_ON(cred == current->real_cred);
     149             : 
     150         159 :         if (cred->non_rcu)
     151           0 :                 put_cred_rcu(&cred->rcu);
     152             :         else
     153         159 :                 call_rcu(&cred->rcu, put_cred_rcu);
     154         159 : }
     155             : EXPORT_SYMBOL(__put_cred);
     156             : 
     157             : /*
     158             :  * Clean up a task's credentials when it exits
     159             :  */
     160         159 : void exit_creds(struct task_struct *tsk)
     161             : {
     162             :         struct cred *cred;
     163             : 
     164             :         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
     165             :                atomic_read(&tsk->cred->usage),
     166             :                read_cred_subscribers(tsk->cred));
     167             : 
     168         159 :         cred = (struct cred *) tsk->real_cred;
     169         159 :         tsk->real_cred = NULL;
     170         159 :         validate_creds(cred);
     171         159 :         alter_cred_subscribers(cred, -1);
     172         159 :         put_cred(cred);
     173             : 
     174         159 :         cred = (struct cred *) tsk->cred;
     175         159 :         tsk->cred = NULL;
     176         159 :         validate_creds(cred);
     177         159 :         alter_cred_subscribers(cred, -1);
     178         159 :         put_cred(cred);
     179             : 
     180             : #ifdef CONFIG_KEYS_REQUEST_CACHE
     181             :         key_put(tsk->cached_requested_key);
     182             :         tsk->cached_requested_key = NULL;
     183             : #endif
     184         159 : }
     185             : 
     186             : /**
     187             :  * get_task_cred - Get another task's objective credentials
     188             :  * @task: The task to query
     189             :  *
     190             :  * Get the objective credentials of a task, pinning them so that they can't go
     191             :  * away.  Accessing a task's credentials directly is not permitted.
     192             :  *
     193             :  * The caller must also make sure task doesn't get deleted, either by holding a
     194             :  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
     195             :  */
     196           0 : const struct cred *get_task_cred(struct task_struct *task)
     197             : {
     198             :         const struct cred *cred;
     199             : 
     200             :         rcu_read_lock();
     201             : 
     202             :         do {
     203           0 :                 cred = __task_cred((task));
     204           0 :                 BUG_ON(!cred);
     205           0 :         } while (!get_cred_rcu(cred));
     206             : 
     207             :         rcu_read_unlock();
     208           0 :         return cred;
     209             : }
     210             : EXPORT_SYMBOL(get_task_cred);
     211             : 
     212             : /*
     213             :  * Allocate blank credentials, such that the credentials can be filled in at a
     214             :  * later date without risk of ENOMEM.
     215             :  */
     216           0 : struct cred *cred_alloc_blank(void)
     217             : {
     218             :         struct cred *new;
     219             : 
     220           0 :         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
     221           0 :         if (!new)
     222             :                 return NULL;
     223             : 
     224           0 :         atomic_set(&new->usage, 1);
     225             : #ifdef CONFIG_DEBUG_CREDENTIALS
     226             :         new->magic = CRED_MAGIC;
     227             : #endif
     228           0 :         if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
     229             :                 goto error;
     230             : 
     231           0 :         return new;
     232             : 
     233             : error:
     234             :         abort_creds(new);
     235             :         return NULL;
     236             : }
     237             : 
     238             : /**
     239             :  * prepare_creds - Prepare a new set of credentials for modification
     240             :  *
     241             :  * Prepare a new set of task credentials for modification.  A task's creds
     242             :  * shouldn't generally be modified directly, therefore this function is used to
     243             :  * prepare a new copy, which the caller then modifies and then commits by
     244             :  * calling commit_creds().
     245             :  *
     246             :  * Preparation involves making a copy of the objective creds for modification.
     247             :  *
     248             :  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
     249             :  *
     250             :  * Call commit_creds() or abort_creds() to clean up.
     251             :  */
     252         175 : struct cred *prepare_creds(void)
     253             : {
     254         175 :         struct task_struct *task = current;
     255             :         const struct cred *old;
     256             :         struct cred *new;
     257             : 
     258             :         validate_process_creds();
     259             : 
     260         175 :         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
     261         175 :         if (!new)
     262             :                 return NULL;
     263             : 
     264             :         kdebug("prepare_creds() alloc %p", new);
     265             : 
     266         175 :         old = task->cred;
     267         350 :         memcpy(new, old, sizeof(struct cred));
     268             : 
     269         175 :         new->non_rcu = 0;
     270         350 :         atomic_set(&new->usage, 1);
     271         175 :         set_cred_subscribers(new, 0);
     272         350 :         get_group_info(new->group_info);
     273         350 :         get_uid(new->user);
     274         175 :         get_user_ns(new->user_ns);
     275             : 
     276             : #ifdef CONFIG_KEYS
     277             :         key_get(new->session_keyring);
     278             :         key_get(new->process_keyring);
     279             :         key_get(new->thread_keyring);
     280             :         key_get(new->request_key_auth);
     281             : #endif
     282             : 
     283             : #ifdef CONFIG_SECURITY
     284             :         new->security = NULL;
     285             : #endif
     286             : 
     287         175 :         new->ucounts = get_ucounts(new->ucounts);
     288         175 :         if (!new->ucounts)
     289             :                 goto error;
     290             : 
     291             :         if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
     292             :                 goto error;
     293             : 
     294             :         validate_creds(new);
     295             :         return new;
     296             : 
     297             : error:
     298           0 :         abort_creds(new);
     299           0 :         return NULL;
     300             : }
     301             : EXPORT_SYMBOL(prepare_creds);
     302             : 
     303             : /*
     304             :  * Prepare credentials for current to perform an execve()
     305             :  * - The caller must hold ->cred_guard_mutex
     306             :  */
     307           0 : struct cred *prepare_exec_creds(void)
     308             : {
     309             :         struct cred *new;
     310             : 
     311           0 :         new = prepare_creds();
     312           0 :         if (!new)
     313             :                 return new;
     314             : 
     315             : #ifdef CONFIG_KEYS
     316             :         /* newly exec'd tasks don't get a thread keyring */
     317             :         key_put(new->thread_keyring);
     318             :         new->thread_keyring = NULL;
     319             : 
     320             :         /* inherit the session keyring; new process keyring */
     321             :         key_put(new->process_keyring);
     322             :         new->process_keyring = NULL;
     323             : #endif
     324             : 
     325           0 :         new->suid = new->fsuid = new->euid;
     326           0 :         new->sgid = new->fsgid = new->egid;
     327             : 
     328           0 :         return new;
     329             : }
     330             : 
     331             : /*
     332             :  * Copy credentials for the new process created by fork()
     333             :  *
     334             :  * We share if we can, but under some circumstances we have to generate a new
     335             :  * set.
     336             :  *
     337             :  * The new process gets the current process's subjective credentials as its
     338             :  * objective and subjective credentials
     339             :  */
     340         175 : int copy_creds(struct task_struct *p, unsigned long clone_flags)
     341             : {
     342             :         struct cred *new;
     343             :         int ret;
     344             : 
     345             : #ifdef CONFIG_KEYS_REQUEST_CACHE
     346             :         p->cached_requested_key = NULL;
     347             : #endif
     348             : 
     349         175 :         if (
     350             : #ifdef CONFIG_KEYS
     351             :                 !p->cred->thread_keyring &&
     352             : #endif
     353         175 :                 clone_flags & CLONE_THREAD
     354             :             ) {
     355           0 :                 p->real_cred = get_cred(p->cred);
     356           0 :                 get_cred(p->cred);
     357           0 :                 alter_cred_subscribers(p->cred, 2);
     358             :                 kdebug("share_creds(%p{%d,%d})",
     359             :                        p->cred, atomic_read(&p->cred->usage),
     360             :                        read_cred_subscribers(p->cred));
     361           0 :                 inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
     362           0 :                 return 0;
     363             :         }
     364             : 
     365         175 :         new = prepare_creds();
     366         175 :         if (!new)
     367             :                 return -ENOMEM;
     368             : 
     369         175 :         if (clone_flags & CLONE_NEWUSER) {
     370           0 :                 ret = create_user_ns(new);
     371             :                 if (ret < 0)
     372             :                         goto error_put;
     373             :                 ret = set_cred_ucounts(new);
     374             :                 if (ret < 0)
     375             :                         goto error_put;
     376             :         }
     377             : 
     378             : #ifdef CONFIG_KEYS
     379             :         /* new threads get their own thread keyrings if their parent already
     380             :          * had one */
     381             :         if (new->thread_keyring) {
     382             :                 key_put(new->thread_keyring);
     383             :                 new->thread_keyring = NULL;
     384             :                 if (clone_flags & CLONE_THREAD)
     385             :                         install_thread_keyring_to_cred(new);
     386             :         }
     387             : 
     388             :         /* The process keyring is only shared between the threads in a process;
     389             :          * anything outside of those threads doesn't inherit.
     390             :          */
     391             :         if (!(clone_flags & CLONE_THREAD)) {
     392             :                 key_put(new->process_keyring);
     393             :                 new->process_keyring = NULL;
     394             :         }
     395             : #endif
     396             : 
     397         175 :         p->cred = p->real_cred = get_cred(new);
     398         350 :         inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
     399         175 :         alter_cred_subscribers(new, 2);
     400         175 :         validate_creds(new);
     401         175 :         return 0;
     402             : 
     403             : error_put:
     404             :         put_cred(new);
     405             :         return ret;
     406             : }
     407             : 
     408             : static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
     409             : {
     410           0 :         const struct user_namespace *set_ns = set->user_ns;
     411           0 :         const struct user_namespace *subset_ns = subset->user_ns;
     412             : 
     413             :         /* If the two credentials are in the same user namespace see if
     414             :          * the capabilities of subset are a subset of set.
     415             :          */
     416           0 :         if (set_ns == subset_ns)
     417             :                 return cap_issubset(subset->cap_permitted, set->cap_permitted);
     418             : 
     419             :         /* The credentials are in a different user namespaces
     420             :          * therefore one is a subset of the other only if a set is an
     421             :          * ancestor of subset and set->euid is owner of subset or one
     422             :          * of subsets ancestors.
     423             :          */
     424           0 :         for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
     425           0 :                 if ((set_ns == subset_ns->parent)  &&
     426           0 :                     uid_eq(subset_ns->owner, set->euid))
     427             :                         return true;
     428             :         }
     429             : 
     430             :         return false;
     431             : }
     432             : 
     433             : /**
     434             :  * commit_creds - Install new credentials upon the current task
     435             :  * @new: The credentials to be assigned
     436             :  *
     437             :  * Install a new set of credentials to the current task, using RCU to replace
     438             :  * the old set.  Both the objective and the subjective credentials pointers are
     439             :  * updated.  This function may not be called if the subjective credentials are
     440             :  * in an overridden state.
     441             :  *
     442             :  * This function eats the caller's reference to the new credentials.
     443             :  *
     444             :  * Always returns 0 thus allowing this function to be tail-called at the end
     445             :  * of, say, sys_setgid().
     446             :  */
     447           0 : int commit_creds(struct cred *new)
     448             : {
     449           0 :         struct task_struct *task = current;
     450           0 :         const struct cred *old = task->real_cred;
     451             : 
     452             :         kdebug("commit_creds(%p{%d,%d})", new,
     453             :                atomic_read(&new->usage),
     454             :                read_cred_subscribers(new));
     455             : 
     456           0 :         BUG_ON(task->cred != old);
     457             : #ifdef CONFIG_DEBUG_CREDENTIALS
     458             :         BUG_ON(read_cred_subscribers(old) < 2);
     459             :         validate_creds(old);
     460             :         validate_creds(new);
     461             : #endif
     462           0 :         BUG_ON(atomic_read(&new->usage) < 1);
     463             : 
     464           0 :         get_cred(new); /* we will require a ref for the subj creds too */
     465             : 
     466             :         /* dumpability changes */
     467           0 :         if (!uid_eq(old->euid, new->euid) ||
     468           0 :             !gid_eq(old->egid, new->egid) ||
     469           0 :             !uid_eq(old->fsuid, new->fsuid) ||
     470           0 :             !gid_eq(old->fsgid, new->fsgid) ||
     471           0 :             !cred_cap_issubset(old, new)) {
     472           0 :                 if (task->mm)
     473           0 :                         set_dumpable(task->mm, suid_dumpable);
     474           0 :                 task->pdeath_signal = 0;
     475             :                 /*
     476             :                  * If a task drops privileges and becomes nondumpable,
     477             :                  * the dumpability change must become visible before
     478             :                  * the credential change; otherwise, a __ptrace_may_access()
     479             :                  * racing with this change may be able to attach to a task it
     480             :                  * shouldn't be able to attach to (as if the task had dropped
     481             :                  * privileges without becoming nondumpable).
     482             :                  * Pairs with a read barrier in __ptrace_may_access().
     483             :                  */
     484           0 :                 smp_wmb();
     485             :         }
     486             : 
     487             :         /* alter the thread keyring */
     488           0 :         if (!uid_eq(new->fsuid, old->fsuid))
     489             :                 key_fsuid_changed(new);
     490           0 :         if (!gid_eq(new->fsgid, old->fsgid))
     491             :                 key_fsgid_changed(new);
     492             : 
     493             :         /* do it
     494             :          * RLIMIT_NPROC limits on user->processes have already been checked
     495             :          * in set_user().
     496             :          */
     497           0 :         alter_cred_subscribers(new, 2);
     498           0 :         if (new->user != old->user || new->user_ns != old->user_ns)
     499           0 :                 inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1);
     500           0 :         rcu_assign_pointer(task->real_cred, new);
     501           0 :         rcu_assign_pointer(task->cred, new);
     502           0 :         if (new->user != old->user || new->user_ns != old->user_ns)
     503           0 :                 dec_rlimit_ucounts(old->ucounts, UCOUNT_RLIMIT_NPROC, 1);
     504           0 :         alter_cred_subscribers(old, -2);
     505             : 
     506             :         /* send notifications */
     507           0 :         if (!uid_eq(new->uid,   old->uid)  ||
     508             :             !uid_eq(new->euid,  old->euid) ||
     509             :             !uid_eq(new->suid,  old->suid) ||
     510             :             !uid_eq(new->fsuid, old->fsuid))
     511             :                 proc_id_connector(task, PROC_EVENT_UID);
     512             : 
     513           0 :         if (!gid_eq(new->gid,   old->gid)  ||
     514             :             !gid_eq(new->egid,  old->egid) ||
     515             :             !gid_eq(new->sgid,  old->sgid) ||
     516             :             !gid_eq(new->fsgid, old->fsgid))
     517             :                 proc_id_connector(task, PROC_EVENT_GID);
     518             : 
     519             :         /* release the old obj and subj refs both */
     520           0 :         put_cred(old);
     521           0 :         put_cred(old);
     522           0 :         return 0;
     523             : }
     524             : EXPORT_SYMBOL(commit_creds);
     525             : 
     526             : /**
     527             :  * abort_creds - Discard a set of credentials and unlock the current task
     528             :  * @new: The credentials that were going to be applied
     529             :  *
     530             :  * Discard a set of credentials that were under construction and unlock the
     531             :  * current task.
     532             :  */
     533           0 : void abort_creds(struct cred *new)
     534             : {
     535             :         kdebug("abort_creds(%p{%d,%d})", new,
     536             :                atomic_read(&new->usage),
     537             :                read_cred_subscribers(new));
     538             : 
     539             : #ifdef CONFIG_DEBUG_CREDENTIALS
     540             :         BUG_ON(read_cred_subscribers(new) != 0);
     541             : #endif
     542           0 :         BUG_ON(atomic_read(&new->usage) < 1);
     543           0 :         put_cred(new);
     544           0 : }
     545             : EXPORT_SYMBOL(abort_creds);
     546             : 
     547             : /**
     548             :  * override_creds - Override the current process's subjective credentials
     549             :  * @new: The credentials to be assigned
     550             :  *
     551             :  * Install a set of temporary override subjective credentials on the current
     552             :  * process, returning the old set for later reversion.
     553             :  */
     554           0 : const struct cred *override_creds(const struct cred *new)
     555             : {
     556           0 :         const struct cred *old = current->cred;
     557             : 
     558             :         kdebug("override_creds(%p{%d,%d})", new,
     559             :                atomic_read(&new->usage),
     560             :                read_cred_subscribers(new));
     561             : 
     562           0 :         validate_creds(old);
     563           0 :         validate_creds(new);
     564             : 
     565             :         /*
     566             :          * NOTE! This uses 'get_new_cred()' rather than 'get_cred()'.
     567             :          *
     568             :          * That means that we do not clear the 'non_rcu' flag, since
     569             :          * we are only installing the cred into the thread-synchronous
     570             :          * '->cred' pointer, not the '->real_cred' pointer that is
     571             :          * visible to other threads under RCU.
     572             :          *
     573             :          * Also note that we did validate_creds() manually, not depending
     574             :          * on the validation in 'get_cred()'.
     575             :          */
     576           0 :         get_new_cred((struct cred *)new);
     577           0 :         alter_cred_subscribers(new, 1);
     578           0 :         rcu_assign_pointer(current->cred, new);
     579           0 :         alter_cred_subscribers(old, -1);
     580             : 
     581             :         kdebug("override_creds() = %p{%d,%d}", old,
     582             :                atomic_read(&old->usage),
     583             :                read_cred_subscribers(old));
     584           0 :         return old;
     585             : }
     586             : EXPORT_SYMBOL(override_creds);
     587             : 
     588             : /**
     589             :  * revert_creds - Revert a temporary subjective credentials override
     590             :  * @old: The credentials to be restored
     591             :  *
     592             :  * Revert a temporary set of override subjective credentials to an old set,
     593             :  * discarding the override set.
     594             :  */
     595           0 : void revert_creds(const struct cred *old)
     596             : {
     597           0 :         const struct cred *override = current->cred;
     598             : 
     599             :         kdebug("revert_creds(%p{%d,%d})", old,
     600             :                atomic_read(&old->usage),
     601             :                read_cred_subscribers(old));
     602             : 
     603           0 :         validate_creds(old);
     604           0 :         validate_creds(override);
     605           0 :         alter_cred_subscribers(old, 1);
     606           0 :         rcu_assign_pointer(current->cred, old);
     607           0 :         alter_cred_subscribers(override, -1);
     608           0 :         put_cred(override);
     609           0 : }
     610             : EXPORT_SYMBOL(revert_creds);
     611             : 
     612             : /**
     613             :  * cred_fscmp - Compare two credentials with respect to filesystem access.
     614             :  * @a: The first credential
     615             :  * @b: The second credential
     616             :  *
     617             :  * cred_cmp() will return zero if both credentials have the same
     618             :  * fsuid, fsgid, and supplementary groups.  That is, if they will both
     619             :  * provide the same access to files based on mode/uid/gid.
     620             :  * If the credentials are different, then either -1 or 1 will
     621             :  * be returned depending on whether @a comes before or after @b
     622             :  * respectively in an arbitrary, but stable, ordering of credentials.
     623             :  *
     624             :  * Return: -1, 0, or 1 depending on comparison
     625             :  */
     626           0 : int cred_fscmp(const struct cred *a, const struct cred *b)
     627             : {
     628             :         struct group_info *ga, *gb;
     629             :         int g;
     630             : 
     631           0 :         if (a == b)
     632             :                 return 0;
     633           0 :         if (uid_lt(a->fsuid, b->fsuid))
     634             :                 return -1;
     635           0 :         if (uid_gt(a->fsuid, b->fsuid))
     636             :                 return 1;
     637             : 
     638           0 :         if (gid_lt(a->fsgid, b->fsgid))
     639             :                 return -1;
     640           0 :         if (gid_gt(a->fsgid, b->fsgid))
     641             :                 return 1;
     642             : 
     643           0 :         ga = a->group_info;
     644           0 :         gb = b->group_info;
     645           0 :         if (ga == gb)
     646             :                 return 0;
     647           0 :         if (ga == NULL)
     648             :                 return -1;
     649           0 :         if (gb == NULL)
     650             :                 return 1;
     651           0 :         if (ga->ngroups < gb->ngroups)
     652             :                 return -1;
     653           0 :         if (ga->ngroups > gb->ngroups)
     654             :                 return 1;
     655             : 
     656           0 :         for (g = 0; g < ga->ngroups; g++) {
     657           0 :                 if (gid_lt(ga->gid[g], gb->gid[g]))
     658             :                         return -1;
     659           0 :                 if (gid_gt(ga->gid[g], gb->gid[g]))
     660             :                         return 1;
     661             :         }
     662             :         return 0;
     663             : }
     664             : EXPORT_SYMBOL(cred_fscmp);
     665             : 
     666           0 : int set_cred_ucounts(struct cred *new)
     667             : {
     668           0 :         struct ucounts *new_ucounts, *old_ucounts = new->ucounts;
     669             : 
     670             :         /*
     671             :          * This optimization is needed because alloc_ucounts() uses locks
     672             :          * for table lookups.
     673             :          */
     674           0 :         if (old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->uid))
     675             :                 return 0;
     676             : 
     677           0 :         if (!(new_ucounts = alloc_ucounts(new->user_ns, new->uid)))
     678             :                 return -EAGAIN;
     679             : 
     680           0 :         new->ucounts = new_ucounts;
     681           0 :         put_ucounts(old_ucounts);
     682             : 
     683           0 :         return 0;
     684             : }
     685             : 
     686             : /*
     687             :  * initialise the credentials stuff
     688             :  */
     689           1 : void __init cred_init(void)
     690             : {
     691             :         /* allocate a slab in which we can store credentials */
     692           1 :         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
     693             :                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
     694           1 : }
     695             : 
     696             : /**
     697             :  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
     698             :  * @daemon: A userspace daemon to be used as a reference
     699             :  *
     700             :  * Prepare a set of credentials for a kernel service.  This can then be used to
     701             :  * override a task's own credentials so that work can be done on behalf of that
     702             :  * task that requires a different subjective context.
     703             :  *
     704             :  * @daemon is used to provide a base cred, with the security data derived from
     705             :  * that; if this is "&init_task", they'll be set to 0, no groups, full
     706             :  * capabilities, and no keys.
     707             :  *
     708             :  * The caller may change these controls afterwards if desired.
     709             :  *
     710             :  * Returns the new credentials or NULL if out of memory.
     711             :  */
     712           0 : struct cred *prepare_kernel_cred(struct task_struct *daemon)
     713             : {
     714             :         const struct cred *old;
     715             :         struct cred *new;
     716             : 
     717           0 :         if (WARN_ON_ONCE(!daemon))
     718             :                 return NULL;
     719             : 
     720           0 :         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
     721           0 :         if (!new)
     722             :                 return NULL;
     723             : 
     724             :         kdebug("prepare_kernel_cred() alloc %p", new);
     725             : 
     726           0 :         old = get_task_cred(daemon);
     727           0 :         validate_creds(old);
     728             : 
     729           0 :         *new = *old;
     730           0 :         new->non_rcu = 0;
     731           0 :         atomic_set(&new->usage, 1);
     732           0 :         set_cred_subscribers(new, 0);
     733           0 :         get_uid(new->user);
     734           0 :         get_user_ns(new->user_ns);
     735           0 :         get_group_info(new->group_info);
     736             : 
     737             : #ifdef CONFIG_KEYS
     738             :         new->session_keyring = NULL;
     739             :         new->process_keyring = NULL;
     740             :         new->thread_keyring = NULL;
     741             :         new->request_key_auth = NULL;
     742             :         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
     743             : #endif
     744             : 
     745             : #ifdef CONFIG_SECURITY
     746             :         new->security = NULL;
     747             : #endif
     748           0 :         new->ucounts = get_ucounts(new->ucounts);
     749           0 :         if (!new->ucounts)
     750             :                 goto error;
     751             : 
     752           0 :         if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
     753             :                 goto error;
     754             : 
     755             :         put_cred(old);
     756             :         validate_creds(new);
     757             :         return new;
     758             : 
     759             : error:
     760           0 :         put_cred(new);
     761             :         put_cred(old);
     762             :         return NULL;
     763             : }
     764             : EXPORT_SYMBOL(prepare_kernel_cred);
     765             : 
     766             : /**
     767             :  * set_security_override - Set the security ID in a set of credentials
     768             :  * @new: The credentials to alter
     769             :  * @secid: The LSM security ID to set
     770             :  *
     771             :  * Set the LSM security ID in a set of credentials so that the subjective
     772             :  * security is overridden when an alternative set of credentials is used.
     773             :  */
     774           0 : int set_security_override(struct cred *new, u32 secid)
     775             : {
     776           0 :         return security_kernel_act_as(new, secid);
     777             : }
     778             : EXPORT_SYMBOL(set_security_override);
     779             : 
     780             : /**
     781             :  * set_security_override_from_ctx - Set the security ID in a set of credentials
     782             :  * @new: The credentials to alter
     783             :  * @secctx: The LSM security context to generate the security ID from.
     784             :  *
     785             :  * Set the LSM security ID in a set of credentials so that the subjective
     786             :  * security is overridden when an alternative set of credentials is used.  The
     787             :  * security ID is specified in string form as a security context to be
     788             :  * interpreted by the LSM.
     789             :  */
     790           0 : int set_security_override_from_ctx(struct cred *new, const char *secctx)
     791             : {
     792             :         u32 secid;
     793             :         int ret;
     794             : 
     795           0 :         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
     796             :         if (ret < 0)
     797             :                 return ret;
     798             : 
     799             :         return set_security_override(new, secid);
     800             : }
     801             : EXPORT_SYMBOL(set_security_override_from_ctx);
     802             : 
     803             : /**
     804             :  * set_create_files_as - Set the LSM file create context in a set of credentials
     805             :  * @new: The credentials to alter
     806             :  * @inode: The inode to take the context from
     807             :  *
     808             :  * Change the LSM file creation context in a set of credentials to be the same
     809             :  * as the object context of the specified inode, so that the new inodes have
     810             :  * the same MAC context as that inode.
     811             :  */
     812           0 : int set_create_files_as(struct cred *new, struct inode *inode)
     813             : {
     814           0 :         if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
     815             :                 return -EINVAL;
     816           0 :         new->fsuid = inode->i_uid;
     817           0 :         new->fsgid = inode->i_gid;
     818           0 :         return security_kernel_create_files_as(new, inode);
     819             : }
     820             : EXPORT_SYMBOL(set_create_files_as);
     821             : 
     822             : #ifdef CONFIG_DEBUG_CREDENTIALS
     823             : 
     824             : bool creds_are_invalid(const struct cred *cred)
     825             : {
     826             :         if (cred->magic != CRED_MAGIC)
     827             :                 return true;
     828             :         return false;
     829             : }
     830             : EXPORT_SYMBOL(creds_are_invalid);
     831             : 
     832             : /*
     833             :  * dump invalid credentials
     834             :  */
     835             : static void dump_invalid_creds(const struct cred *cred, const char *label,
     836             :                                const struct task_struct *tsk)
     837             : {
     838             :         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
     839             :                label, cred,
     840             :                cred == &init_cred ? "[init]" : "",
     841             :                cred == tsk->real_cred ? "[real]" : "",
     842             :                cred == tsk->cred ? "[eff]" : "");
     843             :         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
     844             :                cred->magic, cred->put_addr);
     845             :         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
     846             :                atomic_read(&cred->usage),
     847             :                read_cred_subscribers(cred));
     848             :         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
     849             :                 from_kuid_munged(&init_user_ns, cred->uid),
     850             :                 from_kuid_munged(&init_user_ns, cred->euid),
     851             :                 from_kuid_munged(&init_user_ns, cred->suid),
     852             :                 from_kuid_munged(&init_user_ns, cred->fsuid));
     853             :         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
     854             :                 from_kgid_munged(&init_user_ns, cred->gid),
     855             :                 from_kgid_munged(&init_user_ns, cred->egid),
     856             :                 from_kgid_munged(&init_user_ns, cred->sgid),
     857             :                 from_kgid_munged(&init_user_ns, cred->fsgid));
     858             : #ifdef CONFIG_SECURITY
     859             :         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
     860             :         if ((unsigned long) cred->security >= PAGE_SIZE &&
     861             :             (((unsigned long) cred->security & 0xffffff00) !=
     862             :              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
     863             :                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
     864             :                        ((u32*)cred->security)[0],
     865             :                        ((u32*)cred->security)[1]);
     866             : #endif
     867             : }
     868             : 
     869             : /*
     870             :  * report use of invalid credentials
     871             :  */
     872             : void __noreturn __invalid_creds(const struct cred *cred, const char *file, unsigned line)
     873             : {
     874             :         printk(KERN_ERR "CRED: Invalid credentials\n");
     875             :         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
     876             :         dump_invalid_creds(cred, "Specified", current);
     877             :         BUG();
     878             : }
     879             : EXPORT_SYMBOL(__invalid_creds);
     880             : 
     881             : /*
     882             :  * check the credentials on a process
     883             :  */
     884             : void __validate_process_creds(struct task_struct *tsk,
     885             :                               const char *file, unsigned line)
     886             : {
     887             :         if (tsk->cred == tsk->real_cred) {
     888             :                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
     889             :                              creds_are_invalid(tsk->cred)))
     890             :                         goto invalid_creds;
     891             :         } else {
     892             :                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
     893             :                              read_cred_subscribers(tsk->cred) < 1 ||
     894             :                              creds_are_invalid(tsk->real_cred) ||
     895             :                              creds_are_invalid(tsk->cred)))
     896             :                         goto invalid_creds;
     897             :         }
     898             :         return;
     899             : 
     900             : invalid_creds:
     901             :         printk(KERN_ERR "CRED: Invalid process credentials\n");
     902             :         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
     903             : 
     904             :         dump_invalid_creds(tsk->real_cred, "Real", tsk);
     905             :         if (tsk->cred != tsk->real_cred)
     906             :                 dump_invalid_creds(tsk->cred, "Effective", tsk);
     907             :         else
     908             :                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
     909             :         BUG();
     910             : }
     911             : EXPORT_SYMBOL(__validate_process_creds);
     912             : 
     913             : /*
     914             :  * check creds for do_exit()
     915             :  */
     916             : void validate_creds_for_do_exit(struct task_struct *tsk)
     917             : {
     918             :         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
     919             :                tsk->real_cred, tsk->cred,
     920             :                atomic_read(&tsk->cred->usage),
     921             :                read_cred_subscribers(tsk->cred));
     922             : 
     923             :         __validate_process_creds(tsk, __FILE__, __LINE__);
     924             : }
     925             : 
     926             : #endif /* CONFIG_DEBUG_CREDENTIALS */

Generated by: LCOV version 1.14