kernel/cred.c

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /* Task credentials management - see Documentation/security/credentials.rst
   3  *
   4  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  */
   7 #include <linux/export.h>
   8 #include <linux/cred.h>
   9 #include <linux/slab.h>
  10 #include <linux/sched.h>
  11 #include <linux/sched/coredump.h>
  12 #include <linux/key.h>
  13 #include <linux/keyctl.h>
  14 #include <linux/init_task.h>
  15 #include <linux/security.h>
  16 #include <linux/binfmts.h>
  17 #include <linux/cn_proc.h>
  18 #include <linux/uidgid.h>
  19
  20 #if 0
  21 #define kdebug(FMT, ...)                                                \
  22         printk("[%-5.5s%5u] " FMT "\n",                                 \
  23                current->comm, current->pid, ##__VA_ARGS__)
  24 #else
  25 #define kdebug(FMT, ...)                                                \
  26 do {                                                                    \
  27         if (0)                                                          \
  28                 no_printk("[%-5.5s%5u] " FMT "\n",                      \
  29                           current->comm, current->pid, ##__VA_ARGS__);  \
  30 } while (0)
  31 #endif
  32
  33 static struct kmem_cache *cred_jar;
  34
  35 /* init to 2 - one for init_task, one to ensure it is never freed */
  36 static struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
  37
  38 /*
  39  * The initial credentials for the initial task
  40  */
  41 struct cred init_cred = {
  42         .usage                  = ATOMIC_INIT(4),
  43 #ifdef CONFIG_DEBUG_CREDENTIALS
  44         .subscribers            = ATOMIC_INIT(2),
  45         .magic                  = CRED_MAGIC,
  46 #endif
  47         .uid                    = GLOBAL_ROOT_UID,
  48         .gid                    = GLOBAL_ROOT_GID,
  49         .suid                   = GLOBAL_ROOT_UID,
  50         .sgid                   = GLOBAL_ROOT_GID,
  51         .euid                   = GLOBAL_ROOT_UID,
  52         .egid                   = GLOBAL_ROOT_GID,
  53         .fsuid                  = GLOBAL_ROOT_UID,
  54         .fsgid                  = GLOBAL_ROOT_GID,
  55         .securebits             = SECUREBITS_DEFAULT,
  56         .cap_inheritable        = CAP_EMPTY_SET,
  57         .cap_permitted          = CAP_FULL_SET,
  58         .cap_effective          = CAP_FULL_SET,
  59         .cap_bset               = CAP_FULL_SET,
  60         .user                   = INIT_USER,
  61         .user_ns                = &init_user_ns,
  62         .group_info             = &init_groups,
  63         .ucounts                = &init_ucounts,
  64 };
  65
  66 static inline void set_cred_subscribers(struct cred *cred, int n)
  67 {
  68 #ifdef CONFIG_DEBUG_CREDENTIALS
  69         atomic_set(&cred->subscribers, n);
  70 #endif
  71 }
  72
  73 static inline int read_cred_subscribers(const struct cred *cred)
  74 {
  75 #ifdef CONFIG_DEBUG_CREDENTIALS
  76         return atomic_read(&cred->subscribers);
  77 #else
  78         return 0;
  79 #endif
  80 }
  81
  82 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
  83 {
  84 #ifdef CONFIG_DEBUG_CREDENTIALS
  85         struct cred *cred = (struct cred *) _cred;
  86
  87         atomic_add(n, &cred->subscribers);
  88 #endif
  89 }
  90
  91 /*
  92  * The RCU callback to actually dispose of a set of credentials
  93  */
  94 static void put_cred_rcu(struct rcu_head *rcu)
  95 {
  96         struct cred *cred = container_of(rcu, struct cred, rcu);
  97
  98         kdebug("put_cred_rcu(%p)", cred);
  99
 100 #ifdef CONFIG_DEBUG_CREDENTIALS
 101         if (cred->magic != CRED_MAGIC_DEAD ||
 102             atomic_read(&cred->usage) != 0 ||
 103             read_cred_subscribers(cred) != 0)
 104                 panic("CRED: put_cred_rcu() sees %p with"
 105                       " mag %x, put %p, usage %d, subscr %d\n",
 106                       cred, cred->magic, cred->put_addr,
 107                       atomic_read(&cred->usage),
 108                       read_cred_subscribers(cred));
 109 #else
 110         if (atomic_read(&cred->usage) != 0)
 111                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
 112                       cred, atomic_read(&cred->usage));
 113 #endif
 114
 115         security_cred_free(cred);
 116         key_put(cred->session_keyring);
 117         key_put(cred->process_keyring);
 118         key_put(cred->thread_keyring);
 119         key_put(cred->request_key_auth);
 120         if (cred->group_info)
 121                 put_group_info(cred->group_info);
 122         free_uid(cred->user);
 123         if (cred->ucounts)
 124                 put_ucounts(cred->ucounts);
 125         put_user_ns(cred->user_ns);
 126         kmem_cache_free(cred_jar, cred);
 127 }
 128
 129 /**
 130  * __put_cred - Destroy a set of credentials
 131  * @cred: The record to release
 132  *
 133  * Destroy a set of credentials on which no references remain.
 134  */
 135 void __put_cred(struct cred *cred)
 136 {
 137         kdebug("__put_cred(%p{%d,%d})", cred,
 138                atomic_read(&cred->usage),
 139                read_cred_subscribers(cred));
 140
 141         BUG_ON(atomic_read(&cred->usage) != 0);
 142 #ifdef CONFIG_DEBUG_CREDENTIALS
 143         BUG_ON(read_cred_subscribers(cred) != 0);
 144         cred->magic = CRED_MAGIC_DEAD;
 145         cred->put_addr = __builtin_return_address(0);
 146 #endif
 147         BUG_ON(cred == current->cred);
 148         BUG_ON(cred == current->real_cred);
 149
 150         if (cred->non_rcu)
 151                 put_cred_rcu(&cred->rcu);
 152         else
 153                 call_rcu(&cred->rcu, put_cred_rcu);
 154 }
 155 EXPORT_SYMBOL(__put_cred);
 156
 157 /*
 158  * Clean up a task's credentials when it exits
 159  */
 160 void exit_creds(struct task_struct *tsk)
 161 {
 162         struct cred *cred;
 163
 164         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
 165                atomic_read(&tsk->cred->usage),
 166                read_cred_subscribers(tsk->cred));
 167
 168         cred = (struct cred *) tsk->real_cred;
 169         tsk->real_cred = NULL;
 170         validate_creds(cred);
 171         alter_cred_subscribers(cred, -1);
 172         put_cred(cred);
 173
 174         cred = (struct cred *) tsk->cred;
 175         tsk->cred = NULL;
 176         validate_creds(cred);
 177         alter_cred_subscribers(cred, -1);
 178         put_cred(cred);
 179
 180 #ifdef CONFIG_KEYS_REQUEST_CACHE
 181         key_put(tsk->cached_requested_key);
 182         tsk->cached_requested_key = NULL;
 183 #endif
 184 }
 185
 186 /**
 187  * get_task_cred - Get another task's objective credentials
 188  * @task: The task to query
 189  *
 190  * Get the objective credentials of a task, pinning them so that they can't go
 191  * away.  Accessing a task's credentials directly is not permitted.
 192  *
 193  * The caller must also make sure task doesn't get deleted, either by holding a
 194  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
 195  */
 196 const struct cred *get_task_cred(struct task_struct *task)
 197 {
 198         const struct cred *cred;
 199
 200         rcu_read_lock();
 201
 202         do {
 203                 cred = __task_cred((task));
 204                 BUG_ON(!cred);
 205         } while (!get_cred_rcu(cred));
 206
 207         rcu_read_unlock();
 208         return cred;
 209 }
 210 EXPORT_SYMBOL(get_task_cred);
 211
 212 /*
 213  * Allocate blank credentials, such that the credentials can be filled in at a
 214  * later date without risk of ENOMEM.
 215  */
 216 struct cred *cred_alloc_blank(void)
 217 {
 218         struct cred *new;
 219
 220         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
 221         if (!new)
 222                 return NULL;
 223
 224         atomic_set(&new->usage, 1);
 225 #ifdef CONFIG_DEBUG_CREDENTIALS
 226         new->magic = CRED_MAGIC;
 227 #endif
 228         if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
 229                 goto error;
 230
 231         return new;
 232
 233 error:
 234         abort_creds(new);
 235         return NULL;
 236 }
 237
 238 /**
 239  * prepare_creds - Prepare a new set of credentials for modification
 240  *
 241  * Prepare a new set of task credentials for modification.  A task's creds
 242  * shouldn't generally be modified directly, therefore this function is used to
 243  * prepare a new copy, which the caller then modifies and then commits by
 244  * calling commit_creds().
 245  *
 246  * Preparation involves making a copy of the objective creds for modification.
 247  *
 248  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
 249  *
 250  * Call commit_creds() or abort_creds() to clean up.
 251  */
 252 struct cred *prepare_creds(void)
 253 {
 254         struct task_struct *task = current;
 255         const struct cred *old;
 256         struct cred *new;
 257
 258         validate_process_creds();
 259
 260         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
 261         if (!new)
 262                 return NULL;
 263
 264         kdebug("prepare_creds() alloc %p", new);
 265
 266         old = task->cred;
 267         memcpy(new, old, sizeof(struct cred));
 268
 269         new->non_rcu = 0;
 270         atomic_set(&new->usage, 1);
 271         set_cred_subscribers(new, 0);
 272         get_group_info(new->group_info);
 273         get_uid(new->user);
 274         get_user_ns(new->user_ns);
 275
 276 #ifdef CONFIG_KEYS
 277         key_get(new->session_keyring);
 278         key_get(new->process_keyring);
 279         key_get(new->thread_keyring);
 280         key_get(new->request_key_auth);
 281 #endif
 282
 283 #ifdef CONFIG_SECURITY
 284         new->security = NULL;
 285 #endif
 286
 287         new->ucounts = get_ucounts(new->ucounts);
 288         if (!new->ucounts)
 289                 goto error;
 290
 291         if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
 292                 goto error;
 293
 294         validate_creds(new);
 295         return new;
 296
 297 error:
 298         abort_creds(new);
 299         return NULL;
 300 }
 301 EXPORT_SYMBOL(prepare_creds);
 302
 303 /*
 304  * Prepare credentials for current to perform an execve()
 305  * - The caller must hold ->cred_guard_mutex
 306  */
 307 struct cred *prepare_exec_creds(void)
 308 {
 309         struct cred *new;
 310
 311         new = prepare_creds();
 312         if (!new)
 313                 return new;
 314
 315 #ifdef CONFIG_KEYS
 316         /* newly exec'd tasks don't get a thread keyring */
 317         key_put(new->thread_keyring);
 318         new->thread_keyring = NULL;
 319
 320         /* inherit the session keyring; new process keyring */
 321         key_put(new->process_keyring);
 322         new->process_keyring = NULL;
 323 #endif
 324
 325         new->suid = new->fsuid = new->euid;
 326         new->sgid = new->fsgid = new->egid;
 327
 328         return new;
 329 }
 330
 331 /*
 332  * Copy credentials for the new process created by fork()
 333  *
 334  * We share if we can, but under some circumstances we have to generate a new
 335  * set.
 336  *
 337  * The new process gets the current process's subjective credentials as its
 338  * objective and subjective credentials
 339  */
 340 int copy_creds(struct task_struct *p, unsigned long clone_flags)
 341 {
 342         struct cred *new;
 343         int ret;
 344
 345 #ifdef CONFIG_KEYS_REQUEST_CACHE
 346         p->cached_requested_key = NULL;
 347 #endif
 348
 349         if (
 350 #ifdef CONFIG_KEYS
 351                 !p->cred->thread_keyring &&
 352 #endif
 353                 clone_flags & CLONE_THREAD
 354             ) {
 355                 p->real_cred = get_cred(p->cred);
 356                 get_cred(p->cred);
 357                 alter_cred_subscribers(p->cred, 2);
 358                 kdebug("share_creds(%p{%d,%d})",
 359                        p->cred, atomic_read(&p->cred->usage),
 360                        read_cred_subscribers(p->cred));
 361                 inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
 362                 return 0;
 363         }
 364
 365         new = prepare_creds();
 366         if (!new)
 367                 return -ENOMEM;
 368
 369         if (clone_flags & CLONE_NEWUSER) {
 370                 ret = create_user_ns(new);
 371                 if (ret < 0)
 372                         goto error_put;
 373                 ret = set_cred_ucounts(new);
 374                 if (ret < 0)
 375                         goto error_put;
 376         }
 377
 378 #ifdef CONFIG_KEYS
 379         /* new threads get their own thread keyrings if their parent already
 380          * had one */
 381         if (new->thread_keyring) {
 382                 key_put(new->thread_keyring);
 383                 new->thread_keyring = NULL;
 384                 if (clone_flags & CLONE_THREAD)
 385                         install_thread_keyring_to_cred(new);
 386         }
 387
 388         /* The process keyring is only shared between the threads in a process;
 389          * anything outside of those threads doesn't inherit.
 390          */
 391         if (!(clone_flags & CLONE_THREAD)) {
 392                 key_put(new->process_keyring);
 393                 new->process_keyring = NULL;
 394         }
 395 #endif
 396
 397         p->cred = p->real_cred = get_cred(new);
 398         inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
 399         alter_cred_subscribers(new, 2);
 400         validate_creds(new);
 401         return 0;
 402
 403 error_put:
 404         put_cred(new);
 405         return ret;
 406 }
 407
 408 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
 409 {
 410         const struct user_namespace *set_ns = set->user_ns;
 411         const struct user_namespace *subset_ns = subset->user_ns;
 412
 413         /* If the two credentials are in the same user namespace see if
 414          * the capabilities of subset are a subset of set.
 415          */
 416         if (set_ns == subset_ns)
 417                 return cap_issubset(subset->cap_permitted, set->cap_permitted);
 418
 419         /* The credentials are in a different user namespaces
 420          * therefore one is a subset of the other only if a set is an
 421          * ancestor of subset and set->euid is owner of subset or one
 422          * of subsets ancestors.
 423          */
 424         for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
 425                 if ((set_ns == subset_ns->parent)  &&
 426                     uid_eq(subset_ns->owner, set->euid))
 427                         return true;
 428         }
 429
 430         return false;
 431 }
 432
 433 /**
 434  * commit_creds - Install new credentials upon the current task
 435  * @new: The credentials to be assigned
 436  *
 437  * Install a new set of credentials to the current task, using RCU to replace
 438  * the old set.  Both the objective and the subjective credentials pointers are
 439  * updated.  This function may not be called if the subjective credentials are
 440  * in an overridden state.
 441  *
 442  * This function eats the caller's reference to the new credentials.
 443  *
 444  * Always returns 0 thus allowing this function to be tail-called at the end
 445  * of, say, sys_setgid().
 446  */
 447 int commit_creds(struct cred *new)
 448 {
 449         struct task_struct *task = current;
 450         const struct cred *old = task->real_cred;
 451
 452         kdebug("commit_creds(%p{%d,%d})", new,
 453                atomic_read(&new->usage),
 454                read_cred_subscribers(new));
 455
 456         BUG_ON(task->cred != old);
 457 #ifdef CONFIG_DEBUG_CREDENTIALS
 458         BUG_ON(read_cred_subscribers(old) < 2);
 459         validate_creds(old);
 460         validate_creds(new);
 461 #endif
 462         BUG_ON(atomic_read(&new->usage) < 1);
 463
 464         get_cred(new); /* we will require a ref for the subj creds too */
 465
 466         /* dumpability changes */
 467         if (!uid_eq(old->euid, new->euid) ||
 468             !gid_eq(old->egid, new->egid) ||
 469             !uid_eq(old->fsuid, new->fsuid) ||
 470             !gid_eq(old->fsgid, new->fsgid) ||
 471             !cred_cap_issubset(old, new)) {
 472                 if (task->mm)
 473                         set_dumpable(task->mm, suid_dumpable);
 474                 task->pdeath_signal = 0;
 475                 /*
 476                  * If a task drops privileges and becomes nondumpable,
 477                  * the dumpability change must become visible before
 478                  * the credential change; otherwise, a __ptrace_may_access()
 479                  * racing with this change may be able to attach to a task it
 480                  * shouldn't be able to attach to (as if the task had dropped
 481                  * privileges without becoming nondumpable).
 482                  * Pairs with a read barrier in __ptrace_may_access().
 483                  */
 484                 smp_wmb();
 485         }
 486
 487         /* alter the thread keyring */
 488         if (!uid_eq(new->fsuid, old->fsuid))
 489                 key_fsuid_changed(new);
 490         if (!gid_eq(new->fsgid, old->fsgid))
 491                 key_fsgid_changed(new);
 492
 493         /* do it
 494          * RLIMIT_NPROC limits on user->processes have already been checked
 495          * in set_user().
 496          */
 497         alter_cred_subscribers(new, 2);
 498         if (new->user != old->user || new->user_ns != old->user_ns)
 499                 inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1);
 500         rcu_assign_pointer(task->real_cred, new);
 501         rcu_assign_pointer(task->cred, new);
 502         if (new->user != old->user || new->user_ns != old->user_ns)
 503                 dec_rlimit_ucounts(old->ucounts, UCOUNT_RLIMIT_NPROC, 1);
 504         alter_cred_subscribers(old, -2);
 505
 506         /* send notifications */
 507         if (!uid_eq(new->uid,   old->uid)  ||
 508             !uid_eq(new->euid,  old->euid) ||
 509             !uid_eq(new->suid,  old->suid) ||
 510             !uid_eq(new->fsuid, old->fsuid))
 511                 proc_id_connector(task, PROC_EVENT_UID);
 512
 513         if (!gid_eq(new->gid,   old->gid)  ||
 514             !gid_eq(new->egid,  old->egid) ||
 515             !gid_eq(new->sgid,  old->sgid) ||
 516             !gid_eq(new->fsgid, old->fsgid))
 517                 proc_id_connector(task, PROC_EVENT_GID);
 518
 519         /* release the old obj and subj refs both */
 520         put_cred(old);
 521         put_cred(old);
 522         return 0;
 523 }
 524 EXPORT_SYMBOL(commit_creds);
 525
 526 /**
 527  * abort_creds - Discard a set of credentials and unlock the current task
 528  * @new: The credentials that were going to be applied
 529  *
 530  * Discard a set of credentials that were under construction and unlock the
 531  * current task.
 532  */
 533 void abort_creds(struct cred *new)
 534 {
 535         kdebug("abort_creds(%p{%d,%d})", new,
 536                atomic_read(&new->usage),
 537                read_cred_subscribers(new));
 538
 539 #ifdef CONFIG_DEBUG_CREDENTIALS
 540         BUG_ON(read_cred_subscribers(new) != 0);
 541 #endif
 542         BUG_ON(atomic_read(&new->usage) < 1);
 543         put_cred(new);
 544 }
 545 EXPORT_SYMBOL(abort_creds);
 546
 547 /**
 548  * override_creds - Override the current process's subjective credentials
 549  * @new: The credentials to be assigned
 550  *
 551  * Install a set of temporary override subjective credentials on the current
 552  * process, returning the old set for later reversion.
 553  */
 554 const struct cred *override_creds(const struct cred *new)
 555 {
 556         const struct cred *old = current->cred;
 557
 558         kdebug("override_creds(%p{%d,%d})", new,
 559                atomic_read(&new->usage),
 560                read_cred_subscribers(new));
 561
 562         validate_creds(old);
 563         validate_creds(new);
 564
 565         /*
 566          * NOTE! This uses 'get_new_cred()' rather than 'get_cred()'.
 567          *
 568          * That means that we do not clear the 'non_rcu' flag, since
 569          * we are only installing the cred into the thread-synchronous
 570          * '->cred' pointer, not the '->real_cred' pointer that is
 571          * visible to other threads under RCU.
 572          *
 573          * Also note that we did validate_creds() manually, not depending
 574          * on the validation in 'get_cred()'.
 575          */
 576         get_new_cred((struct cred *)new);
 577         alter_cred_subscribers(new, 1);
 578         rcu_assign_pointer(current->cred, new);
 579         alter_cred_subscribers(old, -1);
 580
 581         kdebug("override_creds() = %p{%d,%d}", old,
 582                atomic_read(&old->usage),
 583                read_cred_subscribers(old));
 584         return old;
 585 }
 586 EXPORT_SYMBOL(override_creds);
 587
 588 /**
 589  * revert_creds - Revert a temporary subjective credentials override
 590  * @old: The credentials to be restored
 591  *
 592  * Revert a temporary set of override subjective credentials to an old set,
 593  * discarding the override set.
 594  */
 595 void revert_creds(const struct cred *old)
 596 {
 597         const struct cred *override = current->cred;
 598
 599         kdebug("revert_creds(%p{%d,%d})", old,
 600                atomic_read(&old->usage),
 601                read_cred_subscribers(old));
 602
 603         validate_creds(old);
 604         validate_creds(override);
 605         alter_cred_subscribers(old, 1);
 606         rcu_assign_pointer(current->cred, old);
 607         alter_cred_subscribers(override, -1);
 608         put_cred(override);
 609 }
 610 EXPORT_SYMBOL(revert_creds);
 611
 612 /**
 613  * cred_fscmp - Compare two credentials with respect to filesystem access.
 614  * @a: The first credential
 615  * @b: The second credential
 616  *
 617  * cred_cmp() will return zero if both credentials have the same
 618  * fsuid, fsgid, and supplementary groups.  That is, if they will both
 619  * provide the same access to files based on mode/uid/gid.
 620  * If the credentials are different, then either -1 or 1 will
 621  * be returned depending on whether @a comes before or after @b
 622  * respectively in an arbitrary, but stable, ordering of credentials.
 623  *
 624  * Return: -1, 0, or 1 depending on comparison
 625  */
 626 int cred_fscmp(const struct cred *a, const struct cred *b)
 627 {
 628         struct group_info *ga, *gb;
 629         int g;
 630
 631         if (a == b)
 632                 return 0;
 633         if (uid_lt(a->fsuid, b->fsuid))
 634                 return -1;
 635         if (uid_gt(a->fsuid, b->fsuid))
 636                 return 1;
 637
 638         if (gid_lt(a->fsgid, b->fsgid))
 639                 return -1;
 640         if (gid_gt(a->fsgid, b->fsgid))
 641                 return 1;
 642
 643         ga = a->group_info;
 644         gb = b->group_info;
 645         if (ga == gb)
 646                 return 0;
 647         if (ga == NULL)
 648                 return -1;
 649         if (gb == NULL)
 650                 return 1;
 651         if (ga->ngroups < gb->ngroups)
 652                 return -1;
 653         if (ga->ngroups > gb->ngroups)
 654                 return 1;
 655
 656         for (g = 0; g < ga->ngroups; g++) {
 657                 if (gid_lt(ga->gid[g], gb->gid[g]))
 658                         return -1;
 659                 if (gid_gt(ga->gid[g], gb->gid[g]))
 660                         return 1;
 661         }
 662         return 0;
 663 }
 664 EXPORT_SYMBOL(cred_fscmp);
 665
 666 int set_cred_ucounts(struct cred *new)
 667 {
 668         struct ucounts *new_ucounts, *old_ucounts = new->ucounts;
 669
 670         /*
 671          * This optimization is needed because alloc_ucounts() uses locks
 672          * for table lookups.
 673          */
 674         if (old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->uid))
 675                 return 0;
 676
 677         if (!(new_ucounts = alloc_ucounts(new->user_ns, new->uid)))
 678                 return -EAGAIN;
 679
 680         new->ucounts = new_ucounts;
 681         put_ucounts(old_ucounts);
 682
 683         return 0;
 684 }
 685
 686 /*
 687  * initialise the credentials stuff
 688  */
 689 void __init cred_init(void)
 690 {
 691         /* allocate a slab in which we can store credentials */
 692         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
 693                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
 694 }
 695
 696 /**
 697  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
 698  * @daemon: A userspace daemon to be used as a reference
 699  *
 700  * Prepare a set of credentials for a kernel service.  This can then be used to
 701  * override a task's own credentials so that work can be done on behalf of that
 702  * task that requires a different subjective context.
 703  *
 704  * @daemon is used to provide a base for the security record, but can be NULL.
 705  * If @daemon is supplied, then the security data will be derived from that;
 706  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
 707  *
 708  * The caller may change these controls afterwards if desired.
 709  *
 710  * Returns the new credentials or NULL if out of memory.
 711  */
 712 struct cred *prepare_kernel_cred(struct task_struct *daemon)
 713 {
 714         const struct cred *old;
 715         struct cred *new;
 716
 717         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
 718         if (!new)
 719                 return NULL;
 720
 721         kdebug("prepare_kernel_cred() alloc %p", new);
 722
 723         if (daemon)
 724                 old = get_task_cred(daemon);
 725         else
 726                 old = get_cred(&init_cred);
 727
 728         validate_creds(old);
 729
 730         *new = *old;
 731         new->non_rcu = 0;
 732         atomic_set(&new->usage, 1);
 733         set_cred_subscribers(new, 0);
 734         get_uid(new->user);
 735         get_user_ns(new->user_ns);
 736         get_group_info(new->group_info);
 737
 738 #ifdef CONFIG_KEYS
 739         new->session_keyring = NULL;
 740         new->process_keyring = NULL;
 741         new->thread_keyring = NULL;
 742         new->request_key_auth = NULL;
 743         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
 744 #endif
 745
 746 #ifdef CONFIG_SECURITY
 747         new->security = NULL;
 748 #endif
 749         new->ucounts = get_ucounts(new->ucounts);
 750         if (!new->ucounts)
 751                 goto error;
 752
 753         if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
 754                 goto error;
 755
 756         put_cred(old);
 757         validate_creds(new);
 758         return new;
 759
 760 error:
 761         put_cred(new);
 762         put_cred(old);
 763         return NULL;
 764 }
 765 EXPORT_SYMBOL(prepare_kernel_cred);
 766
 767 /**
 768  * set_security_override - Set the security ID in a set of credentials
 769  * @new: The credentials to alter
 770  * @secid: The LSM security ID to set
 771  *
 772  * Set the LSM security ID in a set of credentials so that the subjective
 773  * security is overridden when an alternative set of credentials is used.
 774  */
 775 int set_security_override(struct cred *new, u32 secid)
 776 {
 777         return security_kernel_act_as(new, secid);
 778 }
 779 EXPORT_SYMBOL(set_security_override);
 780
 781 /**
 782  * set_security_override_from_ctx - Set the security ID in a set of credentials
 783  * @new: The credentials to alter
 784  * @secctx: The LSM security context to generate the security ID from.
 785  *
 786  * Set the LSM security ID in a set of credentials so that the subjective
 787  * security is overridden when an alternative set of credentials is used.  The
 788  * security ID is specified in string form as a security context to be
 789  * interpreted by the LSM.
 790  */
 791 int set_security_override_from_ctx(struct cred *new, const char *secctx)
 792 {
 793         u32 secid;
 794         int ret;
 795
 796         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
 797         if (ret < 0)
 798                 return ret;
 799
 800         return set_security_override(new, secid);
 801 }
 802 EXPORT_SYMBOL(set_security_override_from_ctx);
 803
 804 /**
 805  * set_create_files_as - Set the LSM file create context in a set of credentials
 806  * @new: The credentials to alter
 807  * @inode: The inode to take the context from
 808  *
 809  * Change the LSM file creation context in a set of credentials to be the same
 810  * as the object context of the specified inode, so that the new inodes have
 811  * the same MAC context as that inode.
 812  */
 813 int set_create_files_as(struct cred *new, struct inode *inode)
 814 {
 815         if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
 816                 return -EINVAL;
 817         new->fsuid = inode->i_uid;
 818         new->fsgid = inode->i_gid;
 819         return security_kernel_create_files_as(new, inode);
 820 }
 821 EXPORT_SYMBOL(set_create_files_as);
 822
 823 #ifdef CONFIG_DEBUG_CREDENTIALS
 824
 825 bool creds_are_invalid(const struct cred *cred)
 826 {
 827         if (cred->magic != CRED_MAGIC)
 828                 return true;
 829         return false;
 830 }
 831 EXPORT_SYMBOL(creds_are_invalid);
 832
 833 /*
 834  * dump invalid credentials
 835  */
 836 static void dump_invalid_creds(const struct cred *cred, const char *label,
 837                                const struct task_struct *tsk)
 838 {
 839         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
 840                label, cred,
 841                cred == &init_cred ? "[init]" : "",
 842                cred == tsk->real_cred ? "[real]" : "",
 843                cred == tsk->cred ? "[eff]" : "");
 844         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
 845                cred->magic, cred->put_addr);
 846         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
 847                atomic_read(&cred->usage),
 848                read_cred_subscribers(cred));
 849         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
 850                 from_kuid_munged(&init_user_ns, cred->uid),
 851                 from_kuid_munged(&init_user_ns, cred->euid),
 852                 from_kuid_munged(&init_user_ns, cred->suid),
 853                 from_kuid_munged(&init_user_ns, cred->fsuid));
 854         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
 855                 from_kgid_munged(&init_user_ns, cred->gid),
 856                 from_kgid_munged(&init_user_ns, cred->egid),
 857                 from_kgid_munged(&init_user_ns, cred->sgid),
 858                 from_kgid_munged(&init_user_ns, cred->fsgid));
 859 #ifdef CONFIG_SECURITY
 860         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
 861         if ((unsigned long) cred->security >= PAGE_SIZE &&
 862             (((unsigned long) cred->security & 0xffffff00) !=
 863              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
 864                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
 865                        ((u32*)cred->security)[0],
 866                        ((u32*)cred->security)[1]);
 867 #endif
 868 }
 869
 870 /*
 871  * report use of invalid credentials
 872  */
 873 void __noreturn __invalid_creds(const struct cred *cred, const char *file, unsigned line)
 874 {
 875         printk(KERN_ERR "CRED: Invalid credentials\n");
 876         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
 877         dump_invalid_creds(cred, "Specified", current);
 878         BUG();
 879 }
 880 EXPORT_SYMBOL(__invalid_creds);
 881
 882 /*
 883  * check the credentials on a process
 884  */
 885 void __validate_process_creds(struct task_struct *tsk,
 886                               const char *file, unsigned line)
 887 {
 888         if (tsk->cred == tsk->real_cred) {
 889                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
 890                              creds_are_invalid(tsk->cred)))
 891                         goto invalid_creds;
 892         } else {
 893                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
 894                              read_cred_subscribers(tsk->cred) < 1 ||
 895                              creds_are_invalid(tsk->real_cred) ||
 896                              creds_are_invalid(tsk->cred)))
 897                         goto invalid_creds;
 898         }
 899         return;
 900
 901 invalid_creds:
 902         printk(KERN_ERR "CRED: Invalid process credentials\n");
 903         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
 904
 905         dump_invalid_creds(tsk->real_cred, "Real", tsk);
 906         if (tsk->cred != tsk->real_cred)
 907                 dump_invalid_creds(tsk->cred, "Effective", tsk);
 908         else
 909                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
 910         BUG();
 911 }
 912 EXPORT_SYMBOL(__validate_process_creds);
 913
 914 /*
 915  * check creds for do_exit()
 916  */
 917 void validate_creds_for_do_exit(struct task_struct *tsk)
 918 {
 919         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
 920                tsk->real_cred, tsk->cred,
 921                atomic_read(&tsk->cred->usage),
 922                read_cred_subscribers(tsk->cred));
 923
 924         __validate_process_creds(tsk, __FILE__, __LINE__);
 925 }
 926
 927 #endif /* CONFIG_DEBUG_CREDENTIALS */