mirror of
https://github.com/torvalds/linux.git
synced 2024-11-18 01:51:53 +00:00
644473e9c6
Pull user namespace enhancements from Eric Biederman: "This is a course correction for the user namespace, so that we can reach an inexpensive, maintainable, and reasonably complete implementation. Highlights: - Config guards make it impossible to enable the user namespace and code that has not been converted to be user namespace safe. - Use of the new kuid_t type ensures the if you somehow get past the config guards the kernel will encounter type errors if you enable user namespaces and attempt to compile in code whose permission checks have not been updated to be user namespace safe. - All uids from child user namespaces are mapped into the initial user namespace before they are processed. Removing the need to add an additional check to see if the user namespace of the compared uids remains the same. - With the user namespaces compiled out the performance is as good or better than it is today. - For most operations absolutely nothing changes performance or operationally with the user namespace enabled. - The worst case performance I could come up with was timing 1 billion cache cold stat operations with the user namespace code enabled. This went from 156s to 164s on my laptop (or 156ns to 164ns per stat operation). - (uid_t)-1 and (gid_t)-1 are reserved as an internal error value. Most uid/gid setting system calls treat these value specially anyway so attempting to use -1 as a uid would likely cause entertaining failures in userspace. - If setuid is called with a uid that can not be mapped setuid fails. I have looked at sendmail, login, ssh and every other program I could think of that would call setuid and they all check for and handle the case where setuid fails. - If stat or a similar system call is called from a context in which we can not map a uid we lie and return overflowuid. The LFS experience suggests not lying and returning an error code might be better, but the historical precedent with uids is different and I can not think of anything that would break by lying about a uid we can't map. - Capabilities are localized to the current user namespace making it safe to give the initial user in a user namespace all capabilities. My git tree covers all of the modifications needed to convert the core kernel and enough changes to make a system bootable to runlevel 1." Fix up trivial conflicts due to nearby independent changes in fs/stat.c * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (46 commits) userns: Silence silly gcc warning. cred: use correct cred accessor with regards to rcu read lock userns: Convert the move_pages, and migrate_pages permission checks to use uid_eq userns: Convert cgroup permission checks to use uid_eq userns: Convert tmpfs to use kuid and kgid where appropriate userns: Convert sysfs to use kgid/kuid where appropriate userns: Convert sysctl permission checks to use kuid and kgids. userns: Convert proc to use kuid/kgid where appropriate userns: Convert ext4 to user kuid/kgid where appropriate userns: Convert ext3 to use kuid/kgid where appropriate userns: Convert ext2 to use kuid/kgid where appropriate. userns: Convert devpts to use kuid/kgid where appropriate userns: Convert binary formats to use kuid/kgid where appropriate userns: Add negative depends on entries to avoid building code that is userns unsafe userns: signal remove unnecessary map_cred_ns userns: Teach inode_capable to understand inodes whose uids map to other namespaces. userns: Fail exec for suid and sgid binaries with ids outside our user namespace. userns: Convert stat to return values mapped from kuids and kgids userns: Convert user specfied uids and gids in chown into kuids and kgid userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs ...
883 lines
22 KiB
C
883 lines
22 KiB
C
/* Task credentials management - see Documentation/security/credentials.txt
|
|
*
|
|
* Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public Licence
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the Licence, or (at your option) any later version.
|
|
*/
|
|
#include <linux/export.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/key.h>
|
|
#include <linux/keyctl.h>
|
|
#include <linux/init_task.h>
|
|
#include <linux/security.h>
|
|
#include <linux/binfmts.h>
|
|
#include <linux/cn_proc.h>
|
|
|
|
#if 0
|
|
#define kdebug(FMT, ...) \
|
|
printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
|
|
#else
|
|
#define kdebug(FMT, ...) \
|
|
no_printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
|
|
#endif
|
|
|
|
static struct kmem_cache *cred_jar;
|
|
|
|
/*
|
|
* The common credentials for the initial task's thread group
|
|
*/
|
|
#ifdef CONFIG_KEYS
|
|
static struct thread_group_cred init_tgcred = {
|
|
.usage = ATOMIC_INIT(2),
|
|
.tgid = 0,
|
|
.lock = __SPIN_LOCK_UNLOCKED(init_cred.tgcred.lock),
|
|
};
|
|
#endif
|
|
|
|
/*
|
|
* The initial credentials for the initial task
|
|
*/
|
|
struct cred init_cred = {
|
|
.usage = ATOMIC_INIT(4),
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
.subscribers = ATOMIC_INIT(2),
|
|
.magic = CRED_MAGIC,
|
|
#endif
|
|
.uid = GLOBAL_ROOT_UID,
|
|
.gid = GLOBAL_ROOT_GID,
|
|
.suid = GLOBAL_ROOT_UID,
|
|
.sgid = GLOBAL_ROOT_GID,
|
|
.euid = GLOBAL_ROOT_UID,
|
|
.egid = GLOBAL_ROOT_GID,
|
|
.fsuid = GLOBAL_ROOT_UID,
|
|
.fsgid = GLOBAL_ROOT_GID,
|
|
.securebits = SECUREBITS_DEFAULT,
|
|
.cap_inheritable = CAP_EMPTY_SET,
|
|
.cap_permitted = CAP_FULL_SET,
|
|
.cap_effective = CAP_FULL_SET,
|
|
.cap_bset = CAP_FULL_SET,
|
|
.user = INIT_USER,
|
|
.user_ns = &init_user_ns,
|
|
.group_info = &init_groups,
|
|
#ifdef CONFIG_KEYS
|
|
.tgcred = &init_tgcred,
|
|
#endif
|
|
};
|
|
|
|
static inline void set_cred_subscribers(struct cred *cred, int n)
|
|
{
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
atomic_set(&cred->subscribers, n);
|
|
#endif
|
|
}
|
|
|
|
static inline int read_cred_subscribers(const struct cred *cred)
|
|
{
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
return atomic_read(&cred->subscribers);
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
static inline void alter_cred_subscribers(const struct cred *_cred, int n)
|
|
{
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
struct cred *cred = (struct cred *) _cred;
|
|
|
|
atomic_add(n, &cred->subscribers);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* Dispose of the shared task group credentials
|
|
*/
|
|
#ifdef CONFIG_KEYS
|
|
static void release_tgcred_rcu(struct rcu_head *rcu)
|
|
{
|
|
struct thread_group_cred *tgcred =
|
|
container_of(rcu, struct thread_group_cred, rcu);
|
|
|
|
BUG_ON(atomic_read(&tgcred->usage) != 0);
|
|
|
|
key_put(tgcred->session_keyring);
|
|
key_put(tgcred->process_keyring);
|
|
kfree(tgcred);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Release a set of thread group credentials.
|
|
*/
|
|
static void release_tgcred(struct cred *cred)
|
|
{
|
|
#ifdef CONFIG_KEYS
|
|
struct thread_group_cred *tgcred = cred->tgcred;
|
|
|
|
if (atomic_dec_and_test(&tgcred->usage))
|
|
call_rcu(&tgcred->rcu, release_tgcred_rcu);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* The RCU callback to actually dispose of a set of credentials
|
|
*/
|
|
static void put_cred_rcu(struct rcu_head *rcu)
|
|
{
|
|
struct cred *cred = container_of(rcu, struct cred, rcu);
|
|
|
|
kdebug("put_cred_rcu(%p)", cred);
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
if (cred->magic != CRED_MAGIC_DEAD ||
|
|
atomic_read(&cred->usage) != 0 ||
|
|
read_cred_subscribers(cred) != 0)
|
|
panic("CRED: put_cred_rcu() sees %p with"
|
|
" mag %x, put %p, usage %d, subscr %d\n",
|
|
cred, cred->magic, cred->put_addr,
|
|
atomic_read(&cred->usage),
|
|
read_cred_subscribers(cred));
|
|
#else
|
|
if (atomic_read(&cred->usage) != 0)
|
|
panic("CRED: put_cred_rcu() sees %p with usage %d\n",
|
|
cred, atomic_read(&cred->usage));
|
|
#endif
|
|
|
|
security_cred_free(cred);
|
|
key_put(cred->thread_keyring);
|
|
key_put(cred->request_key_auth);
|
|
release_tgcred(cred);
|
|
if (cred->group_info)
|
|
put_group_info(cred->group_info);
|
|
free_uid(cred->user);
|
|
put_user_ns(cred->user_ns);
|
|
kmem_cache_free(cred_jar, cred);
|
|
}
|
|
|
|
/**
|
|
* __put_cred - Destroy a set of credentials
|
|
* @cred: The record to release
|
|
*
|
|
* Destroy a set of credentials on which no references remain.
|
|
*/
|
|
void __put_cred(struct cred *cred)
|
|
{
|
|
kdebug("__put_cred(%p{%d,%d})", cred,
|
|
atomic_read(&cred->usage),
|
|
read_cred_subscribers(cred));
|
|
|
|
BUG_ON(atomic_read(&cred->usage) != 0);
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
BUG_ON(read_cred_subscribers(cred) != 0);
|
|
cred->magic = CRED_MAGIC_DEAD;
|
|
cred->put_addr = __builtin_return_address(0);
|
|
#endif
|
|
BUG_ON(cred == current->cred);
|
|
BUG_ON(cred == current->real_cred);
|
|
|
|
call_rcu(&cred->rcu, put_cred_rcu);
|
|
}
|
|
EXPORT_SYMBOL(__put_cred);
|
|
|
|
/*
|
|
* Clean up a task's credentials when it exits
|
|
*/
|
|
void exit_creds(struct task_struct *tsk)
|
|
{
|
|
struct cred *cred;
|
|
|
|
kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
|
|
atomic_read(&tsk->cred->usage),
|
|
read_cred_subscribers(tsk->cred));
|
|
|
|
cred = (struct cred *) tsk->real_cred;
|
|
tsk->real_cred = NULL;
|
|
validate_creds(cred);
|
|
alter_cred_subscribers(cred, -1);
|
|
put_cred(cred);
|
|
|
|
cred = (struct cred *) tsk->cred;
|
|
tsk->cred = NULL;
|
|
validate_creds(cred);
|
|
alter_cred_subscribers(cred, -1);
|
|
put_cred(cred);
|
|
|
|
cred = (struct cred *) tsk->replacement_session_keyring;
|
|
if (cred) {
|
|
tsk->replacement_session_keyring = NULL;
|
|
validate_creds(cred);
|
|
put_cred(cred);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* get_task_cred - Get another task's objective credentials
|
|
* @task: The task to query
|
|
*
|
|
* Get the objective credentials of a task, pinning them so that they can't go
|
|
* away. Accessing a task's credentials directly is not permitted.
|
|
*
|
|
* The caller must also make sure task doesn't get deleted, either by holding a
|
|
* ref on task or by holding tasklist_lock to prevent it from being unlinked.
|
|
*/
|
|
const struct cred *get_task_cred(struct task_struct *task)
|
|
{
|
|
const struct cred *cred;
|
|
|
|
rcu_read_lock();
|
|
|
|
do {
|
|
cred = __task_cred((task));
|
|
BUG_ON(!cred);
|
|
} while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
|
|
|
|
rcu_read_unlock();
|
|
return cred;
|
|
}
|
|
|
|
/*
|
|
* Allocate blank credentials, such that the credentials can be filled in at a
|
|
* later date without risk of ENOMEM.
|
|
*/
|
|
struct cred *cred_alloc_blank(void)
|
|
{
|
|
struct cred *new;
|
|
|
|
new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
|
|
if (!new)
|
|
return NULL;
|
|
|
|
#ifdef CONFIG_KEYS
|
|
new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
|
|
if (!new->tgcred) {
|
|
kmem_cache_free(cred_jar, new);
|
|
return NULL;
|
|
}
|
|
atomic_set(&new->tgcred->usage, 1);
|
|
#endif
|
|
|
|
atomic_set(&new->usage, 1);
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
new->magic = CRED_MAGIC;
|
|
#endif
|
|
|
|
if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
|
|
goto error;
|
|
|
|
return new;
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* prepare_creds - Prepare a new set of credentials for modification
|
|
*
|
|
* Prepare a new set of task credentials for modification. A task's creds
|
|
* shouldn't generally be modified directly, therefore this function is used to
|
|
* prepare a new copy, which the caller then modifies and then commits by
|
|
* calling commit_creds().
|
|
*
|
|
* Preparation involves making a copy of the objective creds for modification.
|
|
*
|
|
* Returns a pointer to the new creds-to-be if successful, NULL otherwise.
|
|
*
|
|
* Call commit_creds() or abort_creds() to clean up.
|
|
*/
|
|
struct cred *prepare_creds(void)
|
|
{
|
|
struct task_struct *task = current;
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
|
|
validate_process_creds();
|
|
|
|
new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
|
|
if (!new)
|
|
return NULL;
|
|
|
|
kdebug("prepare_creds() alloc %p", new);
|
|
|
|
old = task->cred;
|
|
memcpy(new, old, sizeof(struct cred));
|
|
|
|
atomic_set(&new->usage, 1);
|
|
set_cred_subscribers(new, 0);
|
|
get_group_info(new->group_info);
|
|
get_uid(new->user);
|
|
get_user_ns(new->user_ns);
|
|
|
|
#ifdef CONFIG_KEYS
|
|
key_get(new->thread_keyring);
|
|
key_get(new->request_key_auth);
|
|
atomic_inc(&new->tgcred->usage);
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECURITY
|
|
new->security = NULL;
|
|
#endif
|
|
|
|
if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
|
|
goto error;
|
|
validate_creds(new);
|
|
return new;
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return NULL;
|
|
}
|
|
EXPORT_SYMBOL(prepare_creds);
|
|
|
|
/*
|
|
* Prepare credentials for current to perform an execve()
|
|
* - The caller must hold ->cred_guard_mutex
|
|
*/
|
|
struct cred *prepare_exec_creds(void)
|
|
{
|
|
struct thread_group_cred *tgcred = NULL;
|
|
struct cred *new;
|
|
|
|
#ifdef CONFIG_KEYS
|
|
tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
|
|
if (!tgcred)
|
|
return NULL;
|
|
#endif
|
|
|
|
new = prepare_creds();
|
|
if (!new) {
|
|
kfree(tgcred);
|
|
return new;
|
|
}
|
|
|
|
#ifdef CONFIG_KEYS
|
|
/* newly exec'd tasks don't get a thread keyring */
|
|
key_put(new->thread_keyring);
|
|
new->thread_keyring = NULL;
|
|
|
|
/* create a new per-thread-group creds for all this set of threads to
|
|
* share */
|
|
memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
|
|
|
|
atomic_set(&tgcred->usage, 1);
|
|
spin_lock_init(&tgcred->lock);
|
|
|
|
/* inherit the session keyring; new process keyring */
|
|
key_get(tgcred->session_keyring);
|
|
tgcred->process_keyring = NULL;
|
|
|
|
release_tgcred(new);
|
|
new->tgcred = tgcred;
|
|
#endif
|
|
|
|
return new;
|
|
}
|
|
|
|
/*
|
|
* Copy credentials for the new process created by fork()
|
|
*
|
|
* We share if we can, but under some circumstances we have to generate a new
|
|
* set.
|
|
*
|
|
* The new process gets the current process's subjective credentials as its
|
|
* objective and subjective credentials
|
|
*/
|
|
int copy_creds(struct task_struct *p, unsigned long clone_flags)
|
|
{
|
|
#ifdef CONFIG_KEYS
|
|
struct thread_group_cred *tgcred;
|
|
#endif
|
|
struct cred *new;
|
|
int ret;
|
|
|
|
p->replacement_session_keyring = NULL;
|
|
|
|
if (
|
|
#ifdef CONFIG_KEYS
|
|
!p->cred->thread_keyring &&
|
|
#endif
|
|
clone_flags & CLONE_THREAD
|
|
) {
|
|
p->real_cred = get_cred(p->cred);
|
|
get_cred(p->cred);
|
|
alter_cred_subscribers(p->cred, 2);
|
|
kdebug("share_creds(%p{%d,%d})",
|
|
p->cred, atomic_read(&p->cred->usage),
|
|
read_cred_subscribers(p->cred));
|
|
atomic_inc(&p->cred->user->processes);
|
|
return 0;
|
|
}
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
if (clone_flags & CLONE_NEWUSER) {
|
|
ret = create_user_ns(new);
|
|
if (ret < 0)
|
|
goto error_put;
|
|
}
|
|
|
|
#ifdef CONFIG_KEYS
|
|
/* new threads get their own thread keyrings if their parent already
|
|
* had one */
|
|
if (new->thread_keyring) {
|
|
key_put(new->thread_keyring);
|
|
new->thread_keyring = NULL;
|
|
if (clone_flags & CLONE_THREAD)
|
|
install_thread_keyring_to_cred(new);
|
|
}
|
|
|
|
/* we share the process and session keyrings between all the threads in
|
|
* a process - this is slightly icky as we violate COW credentials a
|
|
* bit */
|
|
if (!(clone_flags & CLONE_THREAD)) {
|
|
tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
|
|
if (!tgcred) {
|
|
ret = -ENOMEM;
|
|
goto error_put;
|
|
}
|
|
atomic_set(&tgcred->usage, 1);
|
|
spin_lock_init(&tgcred->lock);
|
|
tgcred->process_keyring = NULL;
|
|
tgcred->session_keyring = key_get(new->tgcred->session_keyring);
|
|
|
|
release_tgcred(new);
|
|
new->tgcred = tgcred;
|
|
}
|
|
#endif
|
|
|
|
atomic_inc(&new->user->processes);
|
|
p->cred = p->real_cred = get_cred(new);
|
|
alter_cred_subscribers(new, 2);
|
|
validate_creds(new);
|
|
return 0;
|
|
|
|
error_put:
|
|
put_cred(new);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* commit_creds - Install new credentials upon the current task
|
|
* @new: The credentials to be assigned
|
|
*
|
|
* Install a new set of credentials to the current task, using RCU to replace
|
|
* the old set. Both the objective and the subjective credentials pointers are
|
|
* updated. This function may not be called if the subjective credentials are
|
|
* in an overridden state.
|
|
*
|
|
* This function eats the caller's reference to the new credentials.
|
|
*
|
|
* Always returns 0 thus allowing this function to be tail-called at the end
|
|
* of, say, sys_setgid().
|
|
*/
|
|
int commit_creds(struct cred *new)
|
|
{
|
|
struct task_struct *task = current;
|
|
const struct cred *old = task->real_cred;
|
|
|
|
kdebug("commit_creds(%p{%d,%d})", new,
|
|
atomic_read(&new->usage),
|
|
read_cred_subscribers(new));
|
|
|
|
BUG_ON(task->cred != old);
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
BUG_ON(read_cred_subscribers(old) < 2);
|
|
validate_creds(old);
|
|
validate_creds(new);
|
|
#endif
|
|
BUG_ON(atomic_read(&new->usage) < 1);
|
|
|
|
get_cred(new); /* we will require a ref for the subj creds too */
|
|
|
|
/* dumpability changes */
|
|
if (!uid_eq(old->euid, new->euid) ||
|
|
!gid_eq(old->egid, new->egid) ||
|
|
!uid_eq(old->fsuid, new->fsuid) ||
|
|
!gid_eq(old->fsgid, new->fsgid) ||
|
|
!cap_issubset(new->cap_permitted, old->cap_permitted)) {
|
|
if (task->mm)
|
|
set_dumpable(task->mm, suid_dumpable);
|
|
task->pdeath_signal = 0;
|
|
smp_wmb();
|
|
}
|
|
|
|
/* alter the thread keyring */
|
|
if (!uid_eq(new->fsuid, old->fsuid))
|
|
key_fsuid_changed(task);
|
|
if (!gid_eq(new->fsgid, old->fsgid))
|
|
key_fsgid_changed(task);
|
|
|
|
/* do it
|
|
* RLIMIT_NPROC limits on user->processes have already been checked
|
|
* in set_user().
|
|
*/
|
|
alter_cred_subscribers(new, 2);
|
|
if (new->user != old->user)
|
|
atomic_inc(&new->user->processes);
|
|
rcu_assign_pointer(task->real_cred, new);
|
|
rcu_assign_pointer(task->cred, new);
|
|
if (new->user != old->user)
|
|
atomic_dec(&old->user->processes);
|
|
alter_cred_subscribers(old, -2);
|
|
|
|
/* send notifications */
|
|
if (!uid_eq(new->uid, old->uid) ||
|
|
!uid_eq(new->euid, old->euid) ||
|
|
!uid_eq(new->suid, old->suid) ||
|
|
!uid_eq(new->fsuid, old->fsuid))
|
|
proc_id_connector(task, PROC_EVENT_UID);
|
|
|
|
if (!gid_eq(new->gid, old->gid) ||
|
|
!gid_eq(new->egid, old->egid) ||
|
|
!gid_eq(new->sgid, old->sgid) ||
|
|
!gid_eq(new->fsgid, old->fsgid))
|
|
proc_id_connector(task, PROC_EVENT_GID);
|
|
|
|
/* release the old obj and subj refs both */
|
|
put_cred(old);
|
|
put_cred(old);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(commit_creds);
|
|
|
|
/**
|
|
* abort_creds - Discard a set of credentials and unlock the current task
|
|
* @new: The credentials that were going to be applied
|
|
*
|
|
* Discard a set of credentials that were under construction and unlock the
|
|
* current task.
|
|
*/
|
|
void abort_creds(struct cred *new)
|
|
{
|
|
kdebug("abort_creds(%p{%d,%d})", new,
|
|
atomic_read(&new->usage),
|
|
read_cred_subscribers(new));
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
BUG_ON(read_cred_subscribers(new) != 0);
|
|
#endif
|
|
BUG_ON(atomic_read(&new->usage) < 1);
|
|
put_cred(new);
|
|
}
|
|
EXPORT_SYMBOL(abort_creds);
|
|
|
|
/**
|
|
* override_creds - Override the current process's subjective credentials
|
|
* @new: The credentials to be assigned
|
|
*
|
|
* Install a set of temporary override subjective credentials on the current
|
|
* process, returning the old set for later reversion.
|
|
*/
|
|
const struct cred *override_creds(const struct cred *new)
|
|
{
|
|
const struct cred *old = current->cred;
|
|
|
|
kdebug("override_creds(%p{%d,%d})", new,
|
|
atomic_read(&new->usage),
|
|
read_cred_subscribers(new));
|
|
|
|
validate_creds(old);
|
|
validate_creds(new);
|
|
get_cred(new);
|
|
alter_cred_subscribers(new, 1);
|
|
rcu_assign_pointer(current->cred, new);
|
|
alter_cred_subscribers(old, -1);
|
|
|
|
kdebug("override_creds() = %p{%d,%d}", old,
|
|
atomic_read(&old->usage),
|
|
read_cred_subscribers(old));
|
|
return old;
|
|
}
|
|
EXPORT_SYMBOL(override_creds);
|
|
|
|
/**
|
|
* revert_creds - Revert a temporary subjective credentials override
|
|
* @old: The credentials to be restored
|
|
*
|
|
* Revert a temporary set of override subjective credentials to an old set,
|
|
* discarding the override set.
|
|
*/
|
|
void revert_creds(const struct cred *old)
|
|
{
|
|
const struct cred *override = current->cred;
|
|
|
|
kdebug("revert_creds(%p{%d,%d})", old,
|
|
atomic_read(&old->usage),
|
|
read_cred_subscribers(old));
|
|
|
|
validate_creds(old);
|
|
validate_creds(override);
|
|
alter_cred_subscribers(old, 1);
|
|
rcu_assign_pointer(current->cred, old);
|
|
alter_cred_subscribers(override, -1);
|
|
put_cred(override);
|
|
}
|
|
EXPORT_SYMBOL(revert_creds);
|
|
|
|
/*
|
|
* initialise the credentials stuff
|
|
*/
|
|
void __init cred_init(void)
|
|
{
|
|
/* allocate a slab in which we can store credentials */
|
|
cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
|
|
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
|
|
}
|
|
|
|
/**
|
|
* prepare_kernel_cred - Prepare a set of credentials for a kernel service
|
|
* @daemon: A userspace daemon to be used as a reference
|
|
*
|
|
* Prepare a set of credentials for a kernel service. This can then be used to
|
|
* override a task's own credentials so that work can be done on behalf of that
|
|
* task that requires a different subjective context.
|
|
*
|
|
* @daemon is used to provide a base for the security record, but can be NULL.
|
|
* If @daemon is supplied, then the security data will be derived from that;
|
|
* otherwise they'll be set to 0 and no groups, full capabilities and no keys.
|
|
*
|
|
* The caller may change these controls afterwards if desired.
|
|
*
|
|
* Returns the new credentials or NULL if out of memory.
|
|
*
|
|
* Does not take, and does not return holding current->cred_replace_mutex.
|
|
*/
|
|
struct cred *prepare_kernel_cred(struct task_struct *daemon)
|
|
{
|
|
#ifdef CONFIG_KEYS
|
|
struct thread_group_cred *tgcred;
|
|
#endif
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
|
|
new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
|
|
if (!new)
|
|
return NULL;
|
|
|
|
#ifdef CONFIG_KEYS
|
|
tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
|
|
if (!tgcred) {
|
|
kmem_cache_free(cred_jar, new);
|
|
return NULL;
|
|
}
|
|
#endif
|
|
|
|
kdebug("prepare_kernel_cred() alloc %p", new);
|
|
|
|
if (daemon)
|
|
old = get_task_cred(daemon);
|
|
else
|
|
old = get_cred(&init_cred);
|
|
|
|
validate_creds(old);
|
|
|
|
*new = *old;
|
|
atomic_set(&new->usage, 1);
|
|
set_cred_subscribers(new, 0);
|
|
get_uid(new->user);
|
|
get_user_ns(new->user_ns);
|
|
get_group_info(new->group_info);
|
|
|
|
#ifdef CONFIG_KEYS
|
|
atomic_set(&tgcred->usage, 1);
|
|
spin_lock_init(&tgcred->lock);
|
|
tgcred->process_keyring = NULL;
|
|
tgcred->session_keyring = NULL;
|
|
new->tgcred = tgcred;
|
|
new->request_key_auth = NULL;
|
|
new->thread_keyring = NULL;
|
|
new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECURITY
|
|
new->security = NULL;
|
|
#endif
|
|
if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
|
|
goto error;
|
|
|
|
put_cred(old);
|
|
validate_creds(new);
|
|
return new;
|
|
|
|
error:
|
|
put_cred(new);
|
|
put_cred(old);
|
|
return NULL;
|
|
}
|
|
EXPORT_SYMBOL(prepare_kernel_cred);
|
|
|
|
/**
|
|
* set_security_override - Set the security ID in a set of credentials
|
|
* @new: The credentials to alter
|
|
* @secid: The LSM security ID to set
|
|
*
|
|
* Set the LSM security ID in a set of credentials so that the subjective
|
|
* security is overridden when an alternative set of credentials is used.
|
|
*/
|
|
int set_security_override(struct cred *new, u32 secid)
|
|
{
|
|
return security_kernel_act_as(new, secid);
|
|
}
|
|
EXPORT_SYMBOL(set_security_override);
|
|
|
|
/**
|
|
* set_security_override_from_ctx - Set the security ID in a set of credentials
|
|
* @new: The credentials to alter
|
|
* @secctx: The LSM security context to generate the security ID from.
|
|
*
|
|
* Set the LSM security ID in a set of credentials so that the subjective
|
|
* security is overridden when an alternative set of credentials is used. The
|
|
* security ID is specified in string form as a security context to be
|
|
* interpreted by the LSM.
|
|
*/
|
|
int set_security_override_from_ctx(struct cred *new, const char *secctx)
|
|
{
|
|
u32 secid;
|
|
int ret;
|
|
|
|
ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
return set_security_override(new, secid);
|
|
}
|
|
EXPORT_SYMBOL(set_security_override_from_ctx);
|
|
|
|
/**
|
|
* set_create_files_as - Set the LSM file create context in a set of credentials
|
|
* @new: The credentials to alter
|
|
* @inode: The inode to take the context from
|
|
*
|
|
* Change the LSM file creation context in a set of credentials to be the same
|
|
* as the object context of the specified inode, so that the new inodes have
|
|
* the same MAC context as that inode.
|
|
*/
|
|
int set_create_files_as(struct cred *new, struct inode *inode)
|
|
{
|
|
new->fsuid = inode->i_uid;
|
|
new->fsgid = inode->i_gid;
|
|
return security_kernel_create_files_as(new, inode);
|
|
}
|
|
EXPORT_SYMBOL(set_create_files_as);
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
|
|
bool creds_are_invalid(const struct cred *cred)
|
|
{
|
|
if (cred->magic != CRED_MAGIC)
|
|
return true;
|
|
#ifdef CONFIG_SECURITY_SELINUX
|
|
/*
|
|
* cred->security == NULL if security_cred_alloc_blank() or
|
|
* security_prepare_creds() returned an error.
|
|
*/
|
|
if (selinux_is_enabled() && cred->security) {
|
|
if ((unsigned long) cred->security < PAGE_SIZE)
|
|
return true;
|
|
if ((*(u32 *)cred->security & 0xffffff00) ==
|
|
(POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
|
|
return true;
|
|
}
|
|
#endif
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL(creds_are_invalid);
|
|
|
|
/*
|
|
* dump invalid credentials
|
|
*/
|
|
static void dump_invalid_creds(const struct cred *cred, const char *label,
|
|
const struct task_struct *tsk)
|
|
{
|
|
printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
|
|
label, cred,
|
|
cred == &init_cred ? "[init]" : "",
|
|
cred == tsk->real_cred ? "[real]" : "",
|
|
cred == tsk->cred ? "[eff]" : "");
|
|
printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
|
|
cred->magic, cred->put_addr);
|
|
printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
|
|
atomic_read(&cred->usage),
|
|
read_cred_subscribers(cred));
|
|
printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
|
|
cred->uid, cred->euid, cred->suid, cred->fsuid);
|
|
printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
|
|
cred->gid, cred->egid, cred->sgid, cred->fsgid);
|
|
#ifdef CONFIG_SECURITY
|
|
printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
|
|
if ((unsigned long) cred->security >= PAGE_SIZE &&
|
|
(((unsigned long) cred->security & 0xffffff00) !=
|
|
(POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
|
|
printk(KERN_ERR "CRED: ->security {%x, %x}\n",
|
|
((u32*)cred->security)[0],
|
|
((u32*)cred->security)[1]);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* report use of invalid credentials
|
|
*/
|
|
void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
|
|
{
|
|
printk(KERN_ERR "CRED: Invalid credentials\n");
|
|
printk(KERN_ERR "CRED: At %s:%u\n", file, line);
|
|
dump_invalid_creds(cred, "Specified", current);
|
|
BUG();
|
|
}
|
|
EXPORT_SYMBOL(__invalid_creds);
|
|
|
|
/*
|
|
* check the credentials on a process
|
|
*/
|
|
void __validate_process_creds(struct task_struct *tsk,
|
|
const char *file, unsigned line)
|
|
{
|
|
if (tsk->cred == tsk->real_cred) {
|
|
if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
|
|
creds_are_invalid(tsk->cred)))
|
|
goto invalid_creds;
|
|
} else {
|
|
if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
|
|
read_cred_subscribers(tsk->cred) < 1 ||
|
|
creds_are_invalid(tsk->real_cred) ||
|
|
creds_are_invalid(tsk->cred)))
|
|
goto invalid_creds;
|
|
}
|
|
return;
|
|
|
|
invalid_creds:
|
|
printk(KERN_ERR "CRED: Invalid process credentials\n");
|
|
printk(KERN_ERR "CRED: At %s:%u\n", file, line);
|
|
|
|
dump_invalid_creds(tsk->real_cred, "Real", tsk);
|
|
if (tsk->cred != tsk->real_cred)
|
|
dump_invalid_creds(tsk->cred, "Effective", tsk);
|
|
else
|
|
printk(KERN_ERR "CRED: Effective creds == Real creds\n");
|
|
BUG();
|
|
}
|
|
EXPORT_SYMBOL(__validate_process_creds);
|
|
|
|
/*
|
|
* check creds for do_exit()
|
|
*/
|
|
void validate_creds_for_do_exit(struct task_struct *tsk)
|
|
{
|
|
kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
|
|
tsk->real_cred, tsk->cred,
|
|
atomic_read(&tsk->cred->usage),
|
|
read_cred_subscribers(tsk->cred));
|
|
|
|
__validate_process_creds(tsk, __FILE__, __LINE__);
|
|
}
|
|
|
|
#endif /* CONFIG_DEBUG_CREDENTIALS */
|