// SPDX-License-Identifier: GPL-2.0-or-later
/* Key permission checking
 *
 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#include <linux/export.h>
#include <linux/security.h>
#include "internal.h"

/**
 * key_task_permission - Check a key can be used
 * @key_ref: The key to check.
 * @cred: The credentials to use.
 * @need_perm: The permission required.
 *
 * Decide whether @cred may use the key in the way named by @need_perm.  The
 * discretionary check on the key's permission word comes first; the security
 * modules are consulted afterwards and can still refuse.
 *
 * How the permission word is consumed here:
 *   - perm >> 24: possessor class, OR-ed in when is_key_possessed() is true
 *   - perm >> 16: owner class, used when key->uid equals cred->fsuid
 *   - perm >>  8: group class, used when key->gid is valid, at least one
 *                 KEY_GRP_ALL bit is set, and the gid is cred->fsgid or is
 *                 found in cred->group_info
 *   - perm      : other class, used when neither of the above matched
 *
 * Exactly one of owner/group/other is selected, and the first match wins: an
 * owner is judged on the owner bits even if group or other would grant more.
 * Only the possessor bits are additive.  Identity is taken from the
 * filesystem IDs (fsuid/fsgid) of @cred.
 *
 * The required bit is always expressed as a KEY_OTH_* mask; the shifts above
 * move the selected class into that position.
 * NOTE(review): this relies on the KEY_OTH_* masks occupying the low byte -
 * confirm against their definitions in <linux/key.h>.
 *
 * KEY_NEED_UNLINK, KEY_SYSADMIN_OVERRIDE, KEY_AUTHTOKEN_OVERRIDE and
 * KEY_DEFER_PERM_CHECK skip the permission-word check entirely and are
 * decided by the LSM hook alone.
 * NOTE(review): presumably every caller passing an override value has already
 * established its right to do so - verify at the call sites.
 *
 * A @need_perm value that is not handled triggers WARN_ON() and is refused,
 * so an unrecognised request fails closed.
 *
 * Nothing in this function looks at the key's state (invalidated, revoked,
 * dead, expired); key_validate() does not run here.
 *
 * The caller must hold either a ref on cred or must hold the RCU readlock.
 *
 * Returns -EACCES if the permission bits deny access; otherwise returns the
 * result of security_key_permission(), 0 meaning access is granted.
 */
int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
			enum key_need_perm need_perm)
{
	struct key *key;
	key_perm_t granted, wanted;

	/* Translate the request into the bit that has to be present. */
	switch (need_perm) {
	case KEY_NEED_VIEW:
		wanted = KEY_OTH_VIEW;
		break;
	case KEY_NEED_READ:
		wanted = KEY_OTH_READ;
		break;
	case KEY_NEED_WRITE:
		wanted = KEY_OTH_WRITE;
		break;
	case KEY_NEED_SEARCH:
		wanted = KEY_OTH_SEARCH;
		break;
	case KEY_NEED_LINK:
		wanted = KEY_OTH_LINK;
		break;
	case KEY_NEED_SETATTR:
		wanted = KEY_OTH_SETATTR;
		break;

	case KEY_NEED_UNLINK:
	case KEY_SYSADMIN_OVERRIDE:
	case KEY_AUTHTOKEN_OVERRIDE:
	case KEY_DEFER_PERM_CHECK:
		/* no permission bits to test; the LSM alone decides */
		return security_key_permission(key_ref, cred, need_perm);

	default:
		/* unknown request: warn and refuse */
		WARN_ON(1);
		return -EACCES;
	}

	key = key_ref_to_ptr(key_ref);

	if (uid_eq(key->uid, cred->fsuid)) {
		/* the caller owns the key: second 8 bits */
		granted = key->perm >> 16;
	} else if (gid_valid(key->gid) && (key->perm & KEY_GRP_ALL) &&
		   (gid_eq(key->gid, cred->fsgid) ||
		    groups_search(cred->group_info, key->gid))) {
		/* the caller shares a group with the key: third 8 bits */
		granted = key->perm >> 8;
	} else {
		/* everyone else: least-significant 8 bits */
		granted = key->perm;
	}

	/* possessor permissions (top 8 bits) add to whatever was selected */
	if (is_key_possessed(key_ref))
		granted |= key->perm >> 24;

	if ((granted & wanted) != wanted)
		return -EACCES;

	/* let LSM be the final arbiter */
	return security_key_permission(key_ref, cred, need_perm);
}
EXPORT_SYMBOL(key_task_permission);

/**
 * key_validate - Validate a key.
 * @key: The key to be validated.
 *
 * Report whether the key is still usable.  The flags and the expiry time are
 * each sampled once with READ_ONCE() and the decision is made on those
 * samples; no lock is taken in this function.
 * NOTE(review): the answer therefore describes the key at the moment of
 * sampling - confirm that callers tolerate a later state change.
 *
 * The checks run in this order, and the first failure is the one reported:
 * invalidated, then revoked or dead, then expired.  An expiry of 0 is not
 * compared against the clock, so such a key never reports -EKEYEXPIRED.
 *
 * Returns 0 if the key is okay, -ENOKEY if the key is invalidated,
 * -EKEYREVOKED if the key's type has been removed or if the key has been
 * revoked or -EKEYEXPIRED if the key has expired.
 */
int key_validate(const struct key *key)
{
	unsigned long state = READ_ONCE(key->flags);
	time64_t expires_at = READ_ONCE(key->expiry);

	if (state & (1 << KEY_FLAG_INVALIDATED))
		return -ENOKEY;

	/* revoked, or the key type has gone away */
	if (state & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_DEAD)))
		return -EKEYREVOKED;

	/* the clock is only consulted when an expiry time is set */
	if (expires_at && ktime_get_real_seconds() >= expires_at)
		return -EKEYEXPIRED;

	return 0;
}
EXPORT_SYMBOL(key_validate);