Linux/kernel/cred.c



Differences between /kernel/cred.c (Version linux-6.11.5) and /kernel/cred.c (Version linux-2.6.32.71)


  1 // SPDX-License-Identifier: GPL-2.0-or-later   !!   1 /* Task credentials management - see Documentation/credentials.txt
  2 /* Task credentials management - see Documenta << 
  3  *                                                  2  *
  4  * Copyright (C) 2008 Red Hat, Inc. All Rights      3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
  5  * Written by David Howells (dhowells@redhat.c      4  * Written by David Howells (dhowells@redhat.com)
                                                   >>   5  *
                                                   >>   6  * This program is free software; you can redistribute it and/or
                                                   >>   7  * modify it under the terms of the GNU General Public Licence
                                                   >>   8  * as published by the Free Software Foundation; either version
                                                   >>   9  * 2 of the Licence, or (at your option) any later version.
  6  */                                                10  */
  7                                                !!  11 #include <linux/module.h>
  8 #define pr_fmt(fmt) "CRED: " fmt               << 
  9                                                << 
 10 #include <linux/export.h>                      << 
 11 #include <linux/cred.h>                            12 #include <linux/cred.h>
 12 #include <linux/slab.h>                        << 
 13 #include <linux/sched.h>                           13 #include <linux/sched.h>
 14 #include <linux/sched/coredump.h>              << 
 15 #include <linux/key.h>                             14 #include <linux/key.h>
 16 #include <linux/keyctl.h>                          15 #include <linux/keyctl.h>
 17 #include <linux/init_task.h>                       16 #include <linux/init_task.h>
 18 #include <linux/security.h>                        17 #include <linux/security.h>
 19 #include <linux/binfmts.h>                     << 
 20 #include <linux/cn_proc.h>                         18 #include <linux/cn_proc.h>
 21 #include <linux/uidgid.h>                      << 
 22                                                    19 
 23 #if 0                                              20 #if 0
 24 #define kdebug(FMT, ...)                       !!  21 #define kdebug(FMT, ...) \
 25         printk("[%-5.5s%5u] " FMT "\n",        !!  22         printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
 26                current->comm, current->pid, ## << 
 27 #else                                              23 #else
 28 #define kdebug(FMT, ...)                       !!  24 static inline __attribute__((format(printf, 1, 2)))
 29 do {                                           !!  25 void no_printk(const char *fmt, ...)
 30         if (0)                                 !!  26 {
 31                 no_printk("[%-5.5s%5u] " FMT " !!  27 }
 32                           current->comm, curre !!  28 #define kdebug(FMT, ...) \
 33 } while (0)                                    !!  29         no_printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
 34 #endif                                             30 #endif
 35                                                    31 
 36 static struct kmem_cache *cred_jar;                32 static struct kmem_cache *cred_jar;
 37                                                    33 
 38 /* init to 2 - one for init_task, one to ensur !!  34 /*
 39 static struct group_info init_groups = { .usag !!  35  * The common credentials for the initial task's thread group
                                                   >>  36  */
                                                   >>  37 #ifdef CONFIG_KEYS
                                                   >>  38 static struct thread_group_cred init_tgcred = {
                                                   >>  39         .usage  = ATOMIC_INIT(2),
                                                   >>  40         .tgid   = 0,
                                                   >>  41         .lock   = SPIN_LOCK_UNLOCKED,
                                                   >>  42 };
                                                   >>  43 #endif
 40                                                    44 
 41 /*                                                 45 /*
 42  * The initial credentials for the initial tas     46  * The initial credentials for the initial task
 43  */                                                47  */
 44 struct cred init_cred = {                          48 struct cred init_cred = {
 45         .usage                  = ATOMIC_INIT(     49         .usage                  = ATOMIC_INIT(4),
 46         .uid                    = GLOBAL_ROOT_ !!  50 #ifdef CONFIG_DEBUG_CREDENTIALS
 47         .gid                    = GLOBAL_ROOT_ !!  51         .subscribers            = ATOMIC_INIT(2),
 48         .suid                   = GLOBAL_ROOT_ !!  52         .magic                  = CRED_MAGIC,
 49         .sgid                   = GLOBAL_ROOT_ !!  53 #endif
 50         .euid                   = GLOBAL_ROOT_ << 
 51         .egid                   = GLOBAL_ROOT_ << 
 52         .fsuid                  = GLOBAL_ROOT_ << 
 53         .fsgid                  = GLOBAL_ROOT_ << 
 54         .securebits             = SECUREBITS_D     54         .securebits             = SECUREBITS_DEFAULT,
 55         .cap_inheritable        = CAP_EMPTY_SE !!  55         .cap_inheritable        = CAP_INIT_INH_SET,
 56         .cap_permitted          = CAP_FULL_SET     56         .cap_permitted          = CAP_FULL_SET,
 57         .cap_effective          = CAP_FULL_SET !!  57         .cap_effective          = CAP_INIT_EFF_SET,
 58         .cap_bset               = CAP_FULL_SET !!  58         .cap_bset               = CAP_INIT_BSET,
 59         .user                   = INIT_USER,       59         .user                   = INIT_USER,
 60         .user_ns                = &init_user_n << 
 61         .group_info             = &init_groups     60         .group_info             = &init_groups,
 62         .ucounts                = &init_ucount !!  61 #ifdef CONFIG_KEYS
                                                   >>  62         .tgcred                 = &init_tgcred,
                                                   >>  63 #endif
 63 };                                                 64 };
 64                                                    65 
                                                   >>  66 static inline void set_cred_subscribers(struct cred *cred, int n)
                                                   >>  67 {
                                                   >>  68 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >>  69         atomic_set(&cred->subscribers, n);
                                                   >>  70 #endif
                                                   >>  71 }
                                                   >>  72 
                                                   >>  73 static inline int read_cred_subscribers(const struct cred *cred)
                                                   >>  74 {
                                                   >>  75 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >>  76         return atomic_read(&cred->subscribers);
                                                   >>  77 #else
                                                   >>  78         return 0;
                                                   >>  79 #endif
                                                   >>  80 }
                                                   >>  81 
                                                   >>  82 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
                                                   >>  83 {
                                                   >>  84 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >>  85         struct cred *cred = (struct cred *) _cred;
                                                   >>  86 
                                                   >>  87         atomic_add(n, &cred->subscribers);
                                                   >>  88 #endif
                                                   >>  89 }
                                                   >>  90 
                                                   >>  91 /*
                                                   >>  92  * Dispose of the shared task group credentials
                                                   >>  93  */
                                                   >>  94 #ifdef CONFIG_KEYS
                                                   >>  95 static void release_tgcred_rcu(struct rcu_head *rcu)
                                                   >>  96 {
                                                   >>  97         struct thread_group_cred *tgcred =
                                                   >>  98                 container_of(rcu, struct thread_group_cred, rcu);
                                                   >>  99 
                                                   >> 100         BUG_ON(atomic_read(&tgcred->usage) != 0);
                                                   >> 101 
                                                   >> 102         key_put(tgcred->session_keyring);
                                                   >> 103         key_put(tgcred->process_keyring);
                                                   >> 104         kfree(tgcred);
                                                   >> 105 }
                                                   >> 106 #endif
                                                   >> 107 
                                                   >> 108 /*
                                                   >> 109  * Release a set of thread group credentials.
                                                   >> 110  */
                                                   >> 111 static void release_tgcred(struct cred *cred)
                                                   >> 112 {
                                                   >> 113 #ifdef CONFIG_KEYS
                                                   >> 114         struct thread_group_cred *tgcred = cred->tgcred;
                                                   >> 115 
                                                   >> 116         if (atomic_dec_and_test(&tgcred->usage))
                                                   >> 117                 call_rcu(&tgcred->rcu, release_tgcred_rcu);
                                                   >> 118 #endif
                                                   >> 119 }
                                                   >> 120 
 65 /*                                                121 /*
 66  * The RCU callback to actually dispose of a s    122  * The RCU callback to actually dispose of a set of credentials
 67  */                                               123  */
 68 static void put_cred_rcu(struct rcu_head *rcu)    124 static void put_cred_rcu(struct rcu_head *rcu)
 69 {                                                 125 {
 70         struct cred *cred = container_of(rcu,     126         struct cred *cred = container_of(rcu, struct cred, rcu);
 71                                                   127 
 72         kdebug("put_cred_rcu(%p)", cred);         128         kdebug("put_cred_rcu(%p)", cred);
 73                                                   129 
 74         if (atomic_long_read(&cred->usage) !=  !! 130 #ifdef CONFIG_DEBUG_CREDENTIALS
 75                 panic("CRED: put_cred_rcu() se !! 131         if (cred->magic != CRED_MAGIC_DEAD ||
 76                       cred, atomic_long_read(& !! 132             atomic_read(&cred->usage) != 0 ||
                                                   >> 133             read_cred_subscribers(cred) != 0)
                                                   >> 134                 panic("CRED: put_cred_rcu() sees %p with"
                                                   >> 135                       " mag %x, put %p, usage %d, subscr %d\n",
                                                   >> 136                       cred, cred->magic, cred->put_addr,
                                                   >> 137                       atomic_read(&cred->usage),
                                                   >> 138                       read_cred_subscribers(cred));
                                                   >> 139 #else
                                                   >> 140         if (atomic_read(&cred->usage) != 0)
                                                   >> 141                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
                                                   >> 142                       cred, atomic_read(&cred->usage));
                                                   >> 143 #endif
 77                                                   144 
 78         security_cred_free(cred);                 145         security_cred_free(cred);
 79         key_put(cred->session_keyring);        << 
 80         key_put(cred->process_keyring);        << 
 81         key_put(cred->thread_keyring);            146         key_put(cred->thread_keyring);
 82         key_put(cred->request_key_auth);          147         key_put(cred->request_key_auth);
                                                   >> 148         release_tgcred(cred);
 83         if (cred->group_info)                     149         if (cred->group_info)
 84                 put_group_info(cred->group_inf    150                 put_group_info(cred->group_info);
 85         free_uid(cred->user);                     151         free_uid(cred->user);
 86         if (cred->ucounts)                     << 
 87                 put_ucounts(cred->ucounts);    << 
 88         put_user_ns(cred->user_ns);            << 
 89         kmem_cache_free(cred_jar, cred);          152         kmem_cache_free(cred_jar, cred);
 90 }                                                 153 }
 91                                                   154 
 92 /**                                               155 /**
 93  * __put_cred - Destroy a set of credentials      156  * __put_cred - Destroy a set of credentials
 94  * @cred: The record to release                   157  * @cred: The record to release
 95  *                                                158  *
 96  * Destroy a set of credentials on which no re    159  * Destroy a set of credentials on which no references remain.
 97  */                                               160  */
 98 void __put_cred(struct cred *cred)                161 void __put_cred(struct cred *cred)
 99 {                                                 162 {
100         kdebug("__put_cred(%p{%ld})", cred,    !! 163         kdebug("__put_cred(%p{%d,%d})", cred,
101                atomic_long_read(&cred->usage)) !! 164                atomic_read(&cred->usage),
102                                                !! 165                read_cred_subscribers(cred));
103         BUG_ON(atomic_long_read(&cred->usage)  !! 166 
                                                   >> 167         BUG_ON(atomic_read(&cred->usage) != 0);
                                                   >> 168 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >> 169         BUG_ON(read_cred_subscribers(cred) != 0);
                                                   >> 170         cred->magic = CRED_MAGIC_DEAD;
                                                   >> 171         cred->put_addr = __builtin_return_address(0);
                                                   >> 172 #endif
104         BUG_ON(cred == current->cred);            173         BUG_ON(cred == current->cred);
105         BUG_ON(cred == current->real_cred);       174         BUG_ON(cred == current->real_cred);
106                                                   175 
107         if (cred->non_rcu)                     !! 176         call_rcu(&cred->rcu, put_cred_rcu);
108                 put_cred_rcu(&cred->rcu);      << 
109         else                                   << 
110                 call_rcu(&cred->rcu, put_cred_ << 
111 }                                                 177 }
112 EXPORT_SYMBOL(__put_cred);                        178 EXPORT_SYMBOL(__put_cred);
113                                                   179 
114 /*                                                180 /*
115  * Clean up a task's credentials when it exits    181  * Clean up a task's credentials when it exits
116  */                                               182  */
117 void exit_creds(struct task_struct *tsk)          183 void exit_creds(struct task_struct *tsk)
118 {                                                 184 {
119         struct cred *real_cred, *cred;         !! 185         struct cred *cred;
120                                                   186 
121         kdebug("exit_creds(%u,%p,%p,{%ld})", t !! 187         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
122                atomic_long_read(&tsk->cred->us !! 188                atomic_read(&tsk->cred->usage),
                                                   >> 189                read_cred_subscribers(tsk->cred));
123                                                   190 
124         real_cred = (struct cred *) tsk->real_ !! 191         cred = (struct cred *) tsk->real_cred;
125         tsk->real_cred = NULL;                    192         tsk->real_cred = NULL;
                                                   >> 193         validate_creds(cred);
                                                   >> 194         alter_cred_subscribers(cred, -1);
                                                   >> 195         put_cred(cred);
126                                                   196 
127         cred = (struct cred *) tsk->cred;         197         cred = (struct cred *) tsk->cred;
128         tsk->cred = NULL;                         198         tsk->cred = NULL;
129                                                !! 199         validate_creds(cred);
130         if (real_cred == cred) {               !! 200         alter_cred_subscribers(cred, -1);
131                 put_cred_many(cred, 2);        !! 201         put_cred(cred);
132         } else {                               !! 202 
133                 put_cred(real_cred);           !! 203         cred = (struct cred *) tsk->replacement_session_keyring;
                                                   >> 204         if (cred) {
                                                   >> 205                 tsk->replacement_session_keyring = NULL;
                                                   >> 206                 validate_creds(cred);
134                 put_cred(cred);                   207                 put_cred(cred);
135         }                                         208         }
136                                                << 
137 #ifdef CONFIG_KEYS_REQUEST_CACHE               << 
138         key_put(tsk->cached_requested_key);    << 
139         tsk->cached_requested_key = NULL;      << 
140 #endif                                         << 
141 }                                                 209 }
142                                                   210 
143 /**                                               211 /**
144  * get_task_cred - Get another task's objectiv    212  * get_task_cred - Get another task's objective credentials
145  * @task: The task to query                       213  * @task: The task to query
146  *                                                214  *
147  * Get the objective credentials of a task, pi    215  * Get the objective credentials of a task, pinning them so that they can't go
148  * away.  Accessing a task's credentials direc    216  * away.  Accessing a task's credentials directly is not permitted.
149  *                                                217  *
150  * The caller must also make sure task doesn't    218  * The caller must also make sure task doesn't get deleted, either by holding a
151  * ref on task or by holding tasklist_lock to     219  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
152  */                                               220  */
153 const struct cred *get_task_cred(struct task_s    221 const struct cred *get_task_cred(struct task_struct *task)
154 {                                                 222 {
155         const struct cred *cred;                  223         const struct cred *cred;
156                                                   224 
157         rcu_read_lock();                          225         rcu_read_lock();
158                                                   226 
159         do {                                      227         do {
160                 cred = __task_cred((task));       228                 cred = __task_cred((task));
161                 BUG_ON(!cred);                    229                 BUG_ON(!cred);
162         } while (!get_cred_rcu(cred));         !! 230         } while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
163                                                   231 
164         rcu_read_unlock();                        232         rcu_read_unlock();
165         return cred;                              233         return cred;
166 }                                                 234 }
167 EXPORT_SYMBOL(get_task_cred);                  << 
168                                                   235 
169 /*                                                236 /*
170  * Allocate blank credentials, such that the c    237  * Allocate blank credentials, such that the credentials can be filled in at a
171  * later date without risk of ENOMEM.             238  * later date without risk of ENOMEM.
172  */                                               239  */
173 struct cred *cred_alloc_blank(void)               240 struct cred *cred_alloc_blank(void)
174 {                                                 241 {
175         struct cred *new;                         242         struct cred *new;
176                                                   243 
177         new = kmem_cache_zalloc(cred_jar, GFP_    244         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
178         if (!new)                                 245         if (!new)
179                 return NULL;                      246                 return NULL;
180                                                   247 
181         atomic_long_set(&new->usage, 1);       !! 248 #ifdef CONFIG_KEYS
182         if (security_cred_alloc_blank(new, GFP !! 249         new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
                                                   >> 250         if (!new->tgcred) {
                                                   >> 251                 kmem_cache_free(cred_jar, new);
                                                   >> 252                 return NULL;
                                                   >> 253         }
                                                   >> 254         atomic_set(&new->tgcred->usage, 1);
                                                   >> 255 #endif
                                                   >> 256 
                                                   >> 257         atomic_set(&new->usage, 1);
                                                   >> 258 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >> 259         new->magic = CRED_MAGIC;
                                                   >> 260 #endif
                                                   >> 261 
                                                   >> 262         if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
183                 goto error;                       263                 goto error;
184                                                   264 
185         return new;                               265         return new;
186                                                   266 
187 error:                                            267 error:
188         abort_creds(new);                         268         abort_creds(new);
189         return NULL;                              269         return NULL;
190 }                                                 270 }
191                                                   271 
192 /**                                               272 /**
193  * prepare_creds - Prepare a new set of creden    273  * prepare_creds - Prepare a new set of credentials for modification
194  *                                                274  *
195  * Prepare a new set of task credentials for m    275  * Prepare a new set of task credentials for modification.  A task's creds
196  * shouldn't generally be modified directly, t    276  * shouldn't generally be modified directly, therefore this function is used to
197  * prepare a new copy, which the caller then m    277  * prepare a new copy, which the caller then modifies and then commits by
198  * calling commit_creds().                        278  * calling commit_creds().
199  *                                                279  *
200  * Preparation involves making a copy of the o    280  * Preparation involves making a copy of the objective creds for modification.
201  *                                                281  *
202  * Returns a pointer to the new creds-to-be if    282  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
203  *                                                283  *
204  * Call commit_creds() or abort_creds() to cle    284  * Call commit_creds() or abort_creds() to clean up.
205  */                                               285  */
206 struct cred *prepare_creds(void)                  286 struct cred *prepare_creds(void)
207 {                                                 287 {
208         struct task_struct *task = current;       288         struct task_struct *task = current;
209         const struct cred *old;                   289         const struct cred *old;
210         struct cred *new;                         290         struct cred *new;
211                                                   291 
                                                   >> 292         validate_process_creds();
                                                   >> 293 
212         new = kmem_cache_alloc(cred_jar, GFP_K    294         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
213         if (!new)                                 295         if (!new)
214                 return NULL;                      296                 return NULL;
215                                                   297 
216         kdebug("prepare_creds() alloc %p", new    298         kdebug("prepare_creds() alloc %p", new);
217                                                   299 
218         old = task->cred;                         300         old = task->cred;
219         memcpy(new, old, sizeof(struct cred));    301         memcpy(new, old, sizeof(struct cred));
220                                                   302 
221         new->non_rcu = 0;                      !! 303         atomic_set(&new->usage, 1);
222         atomic_long_set(&new->usage, 1);       !! 304         set_cred_subscribers(new, 0);
223         get_group_info(new->group_info);          305         get_group_info(new->group_info);
224         get_uid(new->user);                       306         get_uid(new->user);
225         get_user_ns(new->user_ns);             << 
226                                                   307 
227 #ifdef CONFIG_KEYS                                308 #ifdef CONFIG_KEYS
228         key_get(new->session_keyring);         << 
229         key_get(new->process_keyring);         << 
230         key_get(new->thread_keyring);             309         key_get(new->thread_keyring);
231         key_get(new->request_key_auth);           310         key_get(new->request_key_auth);
                                                   >> 311         atomic_inc(&new->tgcred->usage);
232 #endif                                            312 #endif
233                                                   313 
234 #ifdef CONFIG_SECURITY                            314 #ifdef CONFIG_SECURITY
235         new->security = NULL;                     315         new->security = NULL;
236 #endif                                            316 #endif
237                                                   317 
238         new->ucounts = get_ucounts(new->ucount !! 318         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
239         if (!new->ucounts)                     << 
240                 goto error;                    << 
241                                                << 
242         if (security_prepare_creds(new, old, G << 
243                 goto error;                       319                 goto error;
244                                                !! 320         validate_creds(new);
245         return new;                               321         return new;
246                                                   322 
247 error:                                            323 error:
248         abort_creds(new);                         324         abort_creds(new);
249         return NULL;                              325         return NULL;
250 }                                                 326 }
251 EXPORT_SYMBOL(prepare_creds);                     327 EXPORT_SYMBOL(prepare_creds);
252                                                   328 
253 /*                                                329 /*
254  * Prepare credentials for current to perform     330  * Prepare credentials for current to perform an execve()
255  * - The caller must hold ->cred_guard_mutex   !! 331  * - The caller must hold current->cred_guard_mutex
256  */                                               332  */
257 struct cred *prepare_exec_creds(void)             333 struct cred *prepare_exec_creds(void)
258 {                                                 334 {
                                                   >> 335         struct thread_group_cred *tgcred = NULL;
259         struct cred *new;                         336         struct cred *new;
260                                                   337 
                                                   >> 338 #ifdef CONFIG_KEYS
                                                   >> 339         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
                                                   >> 340         if (!tgcred)
                                                   >> 341                 return NULL;
                                                   >> 342 #endif
                                                   >> 343 
261         new = prepare_creds();                    344         new = prepare_creds();
262         if (!new)                              !! 345         if (!new) {
                                                   >> 346                 kfree(tgcred);
263                 return new;                       347                 return new;
                                                   >> 348         }
264                                                   349 
265 #ifdef CONFIG_KEYS                                350 #ifdef CONFIG_KEYS
266         /* newly exec'd tasks don't get a thre    351         /* newly exec'd tasks don't get a thread keyring */
267         key_put(new->thread_keyring);             352         key_put(new->thread_keyring);
268         new->thread_keyring = NULL;               353         new->thread_keyring = NULL;
269                                                   354 
                                                   >> 355         /* create a new per-thread-group creds for all this set of threads to
                                                   >> 356          * share */
                                                   >> 357         memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
                                                   >> 358 
                                                   >> 359         atomic_set(&tgcred->usage, 1);
                                                   >> 360         spin_lock_init(&tgcred->lock);
                                                   >> 361 
270         /* inherit the session keyring; new pr    362         /* inherit the session keyring; new process keyring */
271         key_put(new->process_keyring);         !! 363         key_get(tgcred->session_keyring);
272         new->process_keyring = NULL;           !! 364         tgcred->process_keyring = NULL;
                                                   >> 365 
                                                   >> 366         release_tgcred(new);
                                                   >> 367         new->tgcred = tgcred;
                                                   >> 368 #endif
                                                   >> 369 
                                                   >> 370         return new;
                                                   >> 371 }
                                                   >> 372 
                                                   >> 373 /*
                                                   >> 374  * prepare new credentials for the usermode helper dispatcher
                                                   >> 375  */
                                                   >> 376 struct cred *prepare_usermodehelper_creds(void)
                                                   >> 377 {
                                                   >> 378 #ifdef CONFIG_KEYS
                                                   >> 379         struct thread_group_cred *tgcred = NULL;
                                                   >> 380 #endif
                                                   >> 381         struct cred *new;
                                                   >> 382 
                                                   >> 383 #ifdef CONFIG_KEYS
                                                   >> 384         tgcred = kzalloc(sizeof(*new->tgcred), GFP_ATOMIC);
                                                   >> 385         if (!tgcred)
                                                   >> 386                 return NULL;
                                                   >> 387 #endif
                                                   >> 388 
                                                   >> 389         new = kmem_cache_alloc(cred_jar, GFP_ATOMIC);
                                                   >> 390         if (!new)
                                                   >> 391                 return NULL;
                                                   >> 392 
                                                   >> 393         kdebug("prepare_usermodehelper_creds() alloc %p", new);
                                                   >> 394 
                                                   >> 395         memcpy(new, &init_cred, sizeof(struct cred));
                                                   >> 396 
                                                   >> 397         atomic_set(&new->usage, 1);
                                                   >> 398         set_cred_subscribers(new, 0);
                                                   >> 399         get_group_info(new->group_info);
                                                   >> 400         get_uid(new->user);
                                                   >> 401 
                                                   >> 402 #ifdef CONFIG_KEYS
                                                   >> 403         new->thread_keyring = NULL;
                                                   >> 404         new->request_key_auth = NULL;
                                                   >> 405         new->jit_keyring = KEY_REQKEY_DEFL_DEFAULT;
                                                   >> 406 
                                                   >> 407         atomic_set(&tgcred->usage, 1);
                                                   >> 408         spin_lock_init(&tgcred->lock);
                                                   >> 409         new->tgcred = tgcred;
273 #endif                                            410 #endif
274                                                   411 
275         new->suid = new->fsuid = new->euid;    !! 412 #ifdef CONFIG_SECURITY
276         new->sgid = new->fsgid = new->egid;    !! 413         new->security = NULL;
                                                   >> 414 #endif
                                                   >> 415         if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
                                                   >> 416                 goto error;
                                                   >> 417         validate_creds(new);
277                                                   418 
                                                   >> 419         BUG_ON(atomic_read(&new->usage) != 1);
278         return new;                               420         return new;
                                                   >> 421 
                                                   >> 422 error:
                                                   >> 423         put_cred(new);
                                                   >> 424         return NULL;
279 }                                                 425 }
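Review bot: On the new side, prepare_usermodehelper_creds() leaks tgcred when kmem_cache_alloc() fails: with CONFIG_KEYS set, the kzalloc() at new line 384 has already succeeded by the time `if (!new) return NULL;` at new lines 390-391 returns, and nothing frees it. prepare_exec_creds() just above handles the same failure by calling `kfree(tgcred)` before returning. Because tgcred is only declared under CONFIG_KEYS in this function, the free needs the same guard: put `#ifdef CONFIG_KEYS`, `kfree(tgcred);`, `#endif` ahead of that `return NULL;`. Both allocations use GFP_ATOMIC, so this path can be hit under memory pressure, and each hit loses one thread_group_cred allocation.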
280                                                   426 
281 /*                                                427 /*
282  * Copy credentials for the new process create    428  * Copy credentials for the new process created by fork()
283  *                                                429  *
284  * We share if we can, but under some circumst    430  * We share if we can, but under some circumstances we have to generate a new
285  * set.                                           431  * set.
286  *                                                432  *
287  * The new process gets the current process's     433  * The new process gets the current process's subjective credentials as its
288  * objective and subjective credentials           434  * objective and subjective credentials
289  */                                               435  */
290 int copy_creds(struct task_struct *p, unsigned    436 int copy_creds(struct task_struct *p, unsigned long clone_flags)
291 {                                                 437 {
                                                   >> 438 #ifdef CONFIG_KEYS
                                                   >> 439         struct thread_group_cred *tgcred;
                                                   >> 440 #endif
292         struct cred *new;                         441         struct cred *new;
293         int ret;                                  442         int ret;
294                                                   443 
295 #ifdef CONFIG_KEYS_REQUEST_CACHE               !! 444         mutex_init(&p->cred_guard_mutex);
296         p->cached_requested_key = NULL;        !! 445 
297 #endif                                         !! 446         p->replacement_session_keyring = NULL;
298                                                   447 
299         if (                                      448         if (
300 #ifdef CONFIG_KEYS                                449 #ifdef CONFIG_KEYS
301                 !p->cred->thread_keyring &&       450                 !p->cred->thread_keyring &&
302 #endif                                            451 #endif
303                 clone_flags & CLONE_THREAD        452                 clone_flags & CLONE_THREAD
304             ) {                                   453             ) {
305                 p->real_cred = get_cred_many(p !! 454                 p->real_cred = get_cred(p->cred);
306                 kdebug("share_creds(%p{%ld})", !! 455                 get_cred(p->cred);
307                        p->cred, atomic_long_re !! 456                 alter_cred_subscribers(p->cred, 2);
308                 inc_rlimit_ucounts(task_ucount !! 457                 kdebug("share_creds(%p{%d,%d})",
                                                   >> 458                        p->cred, atomic_read(&p->cred->usage),
                                                   >> 459                        read_cred_subscribers(p->cred));
                                                   >> 460                 atomic_inc(&p->cred->user->processes);
309                 return 0;                         461                 return 0;
310         }                                         462         }
311                                                   463 
312         new = prepare_creds();                    464         new = prepare_creds();
313         if (!new)                                 465         if (!new)
314                 return -ENOMEM;                   466                 return -ENOMEM;
315                                                   467 
316         if (clone_flags & CLONE_NEWUSER) {        468         if (clone_flags & CLONE_NEWUSER) {
317                 ret = create_user_ns(new);        469                 ret = create_user_ns(new);
318                 if (ret < 0)                      470                 if (ret < 0)
319                         goto error_put;           471                         goto error_put;
320                 ret = set_cred_ucounts(new);   << 
321                 if (ret < 0)                   << 
322                         goto error_put;        << 
323         }                                         472         }
324                                                   473 
325 #ifdef CONFIG_KEYS                                474 #ifdef CONFIG_KEYS
326         /* new threads get their own thread ke    475         /* new threads get their own thread keyrings if their parent already
327          * had one */                             476          * had one */
328         if (new->thread_keyring) {                477         if (new->thread_keyring) {
329                 key_put(new->thread_keyring);     478                 key_put(new->thread_keyring);
330                 new->thread_keyring = NULL;       479                 new->thread_keyring = NULL;
331                 if (clone_flags & CLONE_THREAD    480                 if (clone_flags & CLONE_THREAD)
332                         install_thread_keyring    481                         install_thread_keyring_to_cred(new);
333         }                                         482         }
334                                                   483 
335         /* The process keyring is only shared  !! 484         /* we share the process and session keyrings between all the threads in
336          * anything outside of those threads d !! 485          * a process - this is slightly icky as we violate COW credentials a
337          */                                    !! 486          * bit */
338         if (!(clone_flags & CLONE_THREAD)) {      487         if (!(clone_flags & CLONE_THREAD)) {
339                 key_put(new->process_keyring); !! 488                 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
340                 new->process_keyring = NULL;   !! 489                 if (!tgcred) {
                                                   >> 490                         ret = -ENOMEM;
                                                   >> 491                         goto error_put;
                                                   >> 492                 }
                                                   >> 493                 atomic_set(&tgcred->usage, 1);
                                                   >> 494                 spin_lock_init(&tgcred->lock);
                                                   >> 495                 tgcred->process_keyring = NULL;
                                                   >> 496                 tgcred->session_keyring = key_get(new->tgcred->session_keyring);
                                                   >> 497 
                                                   >> 498                 release_tgcred(new);
                                                   >> 499                 new->tgcred = tgcred;
341         }                                         500         }
342 #endif                                            501 #endif
343                                                   502 
                                                   >> 503         atomic_inc(&new->user->processes);
344         p->cred = p->real_cred = get_cred(new)    504         p->cred = p->real_cred = get_cred(new);
345         inc_rlimit_ucounts(task_ucounts(p), UC !! 505         alter_cred_subscribers(new, 2);
                                                   >> 506         validate_creds(new);
346         return 0;                                 507         return 0;
347                                                   508 
348 error_put:                                        509 error_put:
349         put_cred(new);                            510         put_cred(new);
350         return ret;                               511         return ret;
351 }                                                 512 }
352                                                   513 
353 static bool cred_cap_issubset(const struct cre << 
354 {                                              << 
355         const struct user_namespace *set_ns =  << 
356         const struct user_namespace *subset_ns << 
357                                                << 
358         /* If the two credentials are in the s << 
359          * the capabilities of subset are a su << 
360          */                                    << 
361         if (set_ns == subset_ns)               << 
362                 return cap_issubset(subset->ca << 
363                                                << 
364         /* The credentials are in a different  << 
365          * therefore one is a subset of the ot << 
366          * ancestor of subset and set->euid is << 
367          * of subsets ancestors.               << 
368          */                                    << 
369         for (;subset_ns != &init_user_ns; subs << 
370                 if ((set_ns == subset_ns->pare << 
371                     uid_eq(subset_ns->owner, s << 
372                         return true;           << 
373         }                                      << 
374                                                << 
375         return false;                          << 
376 }                                              << 
377                                                << 
378 /**                                               514 /**
379  * commit_creds - Install new credentials upon    515  * commit_creds - Install new credentials upon the current task
380  * @new: The credentials to be assigned           516  * @new: The credentials to be assigned
381  *                                                517  *
382  * Install a new set of credentials to the cur    518  * Install a new set of credentials to the current task, using RCU to replace
383  * the old set.  Both the objective and the su    519  * the old set.  Both the objective and the subjective credentials pointers are
384  * updated.  This function may not be called i    520  * updated.  This function may not be called if the subjective credentials are
385  * in an overridden state.                        521  * in an overridden state.
386  *                                                522  *
387  * This function eats the caller's reference t    523  * This function eats the caller's reference to the new credentials.
388  *                                                524  *
389  * Always returns 0 thus allowing this functio    525  * Always returns 0 thus allowing this function to be tail-called at the end
390  * of, say, sys_setgid().                         526  * of, say, sys_setgid().
391  */                                               527  */
392 int commit_creds(struct cred *new)                528 int commit_creds(struct cred *new)
393 {                                                 529 {
394         struct task_struct *task = current;       530         struct task_struct *task = current;
395         const struct cred *old = task->real_cr    531         const struct cred *old = task->real_cred;
396                                                   532 
397         kdebug("commit_creds(%p{%ld})", new,   !! 533         kdebug("commit_creds(%p{%d,%d})", new,
398                atomic_long_read(&new->usage)); !! 534                atomic_read(&new->usage),
                                                   >> 535                read_cred_subscribers(new));
399                                                   536 
400         BUG_ON(task->cred != old);                537         BUG_ON(task->cred != old);
401         BUG_ON(atomic_long_read(&new->usage) < !! 538 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >> 539         BUG_ON(read_cred_subscribers(old) < 2);
                                                   >> 540         validate_creds(old);
                                                   >> 541         validate_creds(new);
                                                   >> 542 #endif
                                                   >> 543         BUG_ON(atomic_read(&new->usage) < 1);
                                                   >> 544 
                                                   >> 545         security_commit_creds(new, old);
402                                                   546 
403         get_cred(new); /* we will require a re    547         get_cred(new); /* we will require a ref for the subj creds too */
404                                                   548 
405         /* dumpability changes */                 549         /* dumpability changes */
406         if (!uid_eq(old->euid, new->euid) ||   !! 550         if (old->euid != new->euid ||
407             !gid_eq(old->egid, new->egid) ||   !! 551             old->egid != new->egid ||
408             !uid_eq(old->fsuid, new->fsuid) || !! 552             old->fsuid != new->fsuid ||
409             !gid_eq(old->fsgid, new->fsgid) || !! 553             old->fsgid != new->fsgid ||
410             !cred_cap_issubset(old, new)) {    !! 554             !cap_issubset(new->cap_permitted, old->cap_permitted)) {
411                 if (task->mm)                     555                 if (task->mm)
412                         set_dumpable(task->mm,    556                         set_dumpable(task->mm, suid_dumpable);
413                 task->pdeath_signal = 0;          557                 task->pdeath_signal = 0;
414                 /*                             << 
415                  * If a task drops privileges  << 
416                  * the dumpability change must << 
417                  * the credential change; othe << 
418                  * racing with this change may << 
419                  * shouldn't be able to attach << 
420                  * privileges without becoming << 
421                  * Pairs with a read barrier i << 
422                  */                            << 
423                 smp_wmb();                        558                 smp_wmb();
424         }                                         559         }
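Review bot: The `smp_wmb()` at new line 558 in commit_creds() has no comment saying what it orders, and the explanatory comment in the other column is not present on this side. A bare barrier in the privilege-change path is easy to move or drop during later edits. I would add a comment above it along the lines of `/* make the dumpability change visible before the new creds; pairs with a read barrier on the reader side */`. The other column's comment is truncated on this page, so confirm which reader the barrier pairs with before naming it.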
425                                                   560 
426         /* alter the thread keyring */            561         /* alter the thread keyring */
427         if (!uid_eq(new->fsuid, old->fsuid))   !! 562         if (new->fsuid != old->fsuid)
428                 key_fsuid_changed(new);        !! 563                 key_fsuid_changed(task);
429         if (!gid_eq(new->fsgid, old->fsgid))   !! 564         if (new->fsgid != old->fsgid)
430                 key_fsgid_changed(new);        !! 565                 key_fsgid_changed(task);
431                                                   566 
432         /* do it                                  567         /* do it
433          * RLIMIT_NPROC limits on user->proces !! 568          * - What if a process setreuid()'s and this brings the
434          * in set_user().                      !! 569          *   new uid over his NPROC rlimit?  We can check this now
                                                   >> 570          *   cheaply with the new uid cache, so if it matters
                                                   >> 571          *   we should be checking for it.  -DaveM
435          */                                       572          */
436         if (new->user != old->user || new->use !! 573         alter_cred_subscribers(new, 2);
437                 inc_rlimit_ucounts(new->ucount !! 574         if (new->user != old->user)
                                                   >> 575                 atomic_inc(&new->user->processes);
438         rcu_assign_pointer(task->real_cred, ne    576         rcu_assign_pointer(task->real_cred, new);
439         rcu_assign_pointer(task->cred, new);      577         rcu_assign_pointer(task->cred, new);
440         if (new->user != old->user || new->use !! 578         if (new->user != old->user)
441                 dec_rlimit_ucounts(old->ucount !! 579                 atomic_dec(&old->user->processes);
                                                   >> 580         alter_cred_subscribers(old, -2);
442                                                   581 
443         /* send notifications */                  582         /* send notifications */
444         if (!uid_eq(new->uid,   old->uid)  ||  !! 583         if (new->uid   != old->uid  ||
445             !uid_eq(new->euid,  old->euid) ||  !! 584             new->euid  != old->euid ||
446             !uid_eq(new->suid,  old->suid) ||  !! 585             new->suid  != old->suid ||
447             !uid_eq(new->fsuid, old->fsuid))   !! 586             new->fsuid != old->fsuid)
448                 proc_id_connector(task, PROC_E    587                 proc_id_connector(task, PROC_EVENT_UID);
449                                                   588 
450         if (!gid_eq(new->gid,   old->gid)  ||  !! 589         if (new->gid   != old->gid  ||
451             !gid_eq(new->egid,  old->egid) ||  !! 590             new->egid  != old->egid ||
452             !gid_eq(new->sgid,  old->sgid) ||  !! 591             new->sgid  != old->sgid ||
453             !gid_eq(new->fsgid, old->fsgid))   !! 592             new->fsgid != old->fsgid)
454                 proc_id_connector(task, PROC_E    593                 proc_id_connector(task, PROC_EVENT_GID);
455                                                   594 
456         /* release the old obj and subj refs b    595         /* release the old obj and subj refs both */
457         put_cred_many(old, 2);                 !! 596         put_cred(old);
                                                   >> 597         put_cred(old);
458         return 0;                                 598         return 0;
459 }                                                 599 }
460 EXPORT_SYMBOL(commit_creds);                      600 EXPORT_SYMBOL(commit_creds);
461                                                   601 
462 /**                                               602 /**
463  * abort_creds - Discard a set of credentials     603  * abort_creds - Discard a set of credentials and unlock the current task
464  * @new: The credentials that were going to be    604  * @new: The credentials that were going to be applied
465  *                                                605  *
466  * Discard a set of credentials that were unde    606  * Discard a set of credentials that were under construction and unlock the
467  * current task.                                  607  * current task.
468  */                                               608  */
469 void abort_creds(struct cred *new)                609 void abort_creds(struct cred *new)
470 {                                                 610 {
471         kdebug("abort_creds(%p{%ld})", new,    !! 611         kdebug("abort_creds(%p{%d,%d})", new,
472                atomic_long_read(&new->usage)); !! 612                atomic_read(&new->usage),
                                                   >> 613                read_cred_subscribers(new));
473                                                   614 
474         BUG_ON(atomic_long_read(&new->usage) < !! 615 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >> 616         BUG_ON(read_cred_subscribers(new) != 0);
                                                   >> 617 #endif
                                                   >> 618         BUG_ON(atomic_read(&new->usage) < 1);
475         put_cred(new);                            619         put_cred(new);
476 }                                                 620 }
477 EXPORT_SYMBOL(abort_creds);                       621 EXPORT_SYMBOL(abort_creds);
478                                                   622 
479 /**                                               623 /**
480  * override_creds - Override the current proce    624  * override_creds - Override the current process's subjective credentials
481  * @new: The credentials to be assigned           625  * @new: The credentials to be assigned
482  *                                                626  *
483  * Install a set of temporary override subject    627  * Install a set of temporary override subjective credentials on the current
484  * process, returning the old set for later re    628  * process, returning the old set for later reversion.
485  */                                               629  */
486 const struct cred *override_creds(const struct    630 const struct cred *override_creds(const struct cred *new)
487 {                                                 631 {
488         const struct cred *old = current->cred    632         const struct cred *old = current->cred;
489                                                   633 
490         kdebug("override_creds(%p{%ld})", new, !! 634         kdebug("override_creds(%p{%d,%d})", new,
491                atomic_long_read(&new->usage)); !! 635                atomic_read(&new->usage),
492                                                !! 636                read_cred_subscribers(new));
493         /*                                     !! 637 
494          * NOTE! This uses 'get_new_cred()' ra !! 638         validate_creds(old);
495          *                                     !! 639         validate_creds(new);
496          * That means that we do not clear the !! 640         get_cred(new);
497          * we are only installing the cred int !! 641         alter_cred_subscribers(new, 1);
498          * '->cred' pointer, not the '->real_c << 
499          * visible to other threads under RCU. << 
500          */                                    << 
501         get_new_cred((struct cred *)new);      << 
502         rcu_assign_pointer(current->cred, new)    642         rcu_assign_pointer(current->cred, new);
                                                   >> 643         alter_cred_subscribers(old, -1);
503                                                   644 
504         kdebug("override_creds() = %p{%ld}", o !! 645         kdebug("override_creds() = %p{%d,%d}", old,
505                atomic_long_read(&old->usage)); !! 646                atomic_read(&old->usage),
                                                   >> 647                read_cred_subscribers(old));
506         return old;                               648         return old;
507 }                                                 649 }
508 EXPORT_SYMBOL(override_creds);                    650 EXPORT_SYMBOL(override_creds);
509                                                   651 
510 /**                                               652 /**
511  * revert_creds - Revert a temporary subjectiv    653  * revert_creds - Revert a temporary subjective credentials override
512  * @old: The credentials to be restored           654  * @old: The credentials to be restored
513  *                                                655  *
514  * Revert a temporary set of override subjecti    656  * Revert a temporary set of override subjective credentials to an old set,
515  * discarding the override set.                   657  * discarding the override set.
516  */                                               658  */
517 void revert_creds(const struct cred *old)         659 void revert_creds(const struct cred *old)
518 {                                                 660 {
519         const struct cred *override = current-    661         const struct cred *override = current->cred;
520                                                   662 
521         kdebug("revert_creds(%p{%ld})", old,   !! 663         kdebug("revert_creds(%p{%d,%d})", old,
522                atomic_long_read(&old->usage)); !! 664                atomic_read(&old->usage),
523                                                !! 665                read_cred_subscribers(old));
                                                   >> 666 
                                                   >> 667         validate_creds(old);
                                                   >> 668         validate_creds(override);
                                                   >> 669         alter_cred_subscribers(old, 1);
524         rcu_assign_pointer(current->cred, old)    670         rcu_assign_pointer(current->cred, old);
                                                   >> 671         alter_cred_subscribers(override, -1);
525         put_cred(override);                       672         put_cred(override);
526 }                                                 673 }
527 EXPORT_SYMBOL(revert_creds);                      674 EXPORT_SYMBOL(revert_creds);
528                                                   675 
529 /**                                            << 
530  * cred_fscmp - Compare two credentials with r << 
531  * @a: The first credential                    << 
532  * @b: The second credential                   << 
533  *                                             << 
534  * cred_cmp() will return zero if both credent << 
535  * fsuid, fsgid, and supplementary groups.  Th << 
536  * provide the same access to files based on m << 
537  * If the credentials are different, then eith << 
538  * be returned depending on whether @a comes b << 
539  * respectively in an arbitrary, but stable, o << 
540  *                                             << 
541  * Return: -1, 0, or 1 depending on comparison << 
542  */                                            << 
543 int cred_fscmp(const struct cred *a, const str << 
544 {                                              << 
545         struct group_info *ga, *gb;            << 
546         int g;                                 << 
547                                                << 
548         if (a == b)                            << 
549                 return 0;                      << 
550         if (uid_lt(a->fsuid, b->fsuid))        << 
551                 return -1;                     << 
552         if (uid_gt(a->fsuid, b->fsuid))        << 
553                 return 1;                      << 
554                                                << 
555         if (gid_lt(a->fsgid, b->fsgid))        << 
556                 return -1;                     << 
557         if (gid_gt(a->fsgid, b->fsgid))        << 
558                 return 1;                      << 
559                                                << 
560         ga = a->group_info;                    << 
561         gb = b->group_info;                    << 
562         if (ga == gb)                          << 
563                 return 0;                      << 
564         if (ga == NULL)                        << 
565                 return -1;                     << 
566         if (gb == NULL)                        << 
567                 return 1;                      << 
568         if (ga->ngroups < gb->ngroups)         << 
569                 return -1;                     << 
570         if (ga->ngroups > gb->ngroups)         << 
571                 return 1;                      << 
572                                                << 
573         for (g = 0; g < ga->ngroups; g++) {    << 
574                 if (gid_lt(ga->gid[g], gb->gid << 
575                         return -1;             << 
576                 if (gid_gt(ga->gid[g], gb->gid << 
577                         return 1;              << 
578         }                                      << 
579         return 0;                              << 
580 }                                              << 
581 EXPORT_SYMBOL(cred_fscmp);                     << 
582                                                << 
583 int set_cred_ucounts(struct cred *new)         << 
584 {                                              << 
585         struct ucounts *new_ucounts, *old_ucou << 
586                                                << 
587         /*                                     << 
588          * This optimization is needed because << 
589          * for table lookups.                  << 
590          */                                    << 
591         if (old_ucounts->ns == new->user_ns && << 
592                 return 0;                      << 
593                                                << 
594         if (!(new_ucounts = alloc_ucounts(new- << 
595                 return -EAGAIN;                << 
596                                                << 
597         new->ucounts = new_ucounts;            << 
598         put_ucounts(old_ucounts);              << 
599                                                << 
600         return 0;                              << 
601 }                                              << 
602                                                << 
603 /*                                                676 /*
604  * initialise the credentials stuff               677  * initialise the credentials stuff
605  */                                               678  */
606 void __init cred_init(void)                       679 void __init cred_init(void)
607 {                                                 680 {
608         /* allocate a slab in which we can sto    681         /* allocate a slab in which we can store credentials */
609         cred_jar = KMEM_CACHE(cred,            !! 682         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
610                               SLAB_HWCACHE_ALI !! 683                                      0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
611 }                                                 684 }
612                                                   685 
613 /**                                               686 /**
614  * prepare_kernel_cred - Prepare a set of cred    687  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
615  * @daemon: A userspace daemon to be used as a    688  * @daemon: A userspace daemon to be used as a reference
616  *                                                689  *
617  * Prepare a set of credentials for a kernel s    690  * Prepare a set of credentials for a kernel service.  This can then be used to
618  * override a task's own credentials so that w    691  * override a task's own credentials so that work can be done on behalf of that
619  * task that requires a different subjective c    692  * task that requires a different subjective context.
620  *                                                693  *
621  * @daemon is used to provide a base cred, wit !! 694  * @daemon is used to provide a base for the security record, but can be NULL.
622  * that; if this is "&init_task", they'll be s !! 695  * If @daemon is supplied, then the security data will be derived from that;
623  * capabilities, and no keys.                  !! 696  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
624  *                                                697  *
625  * The caller may change these controls afterw    698  * The caller may change these controls afterwards if desired.
626  *                                                699  *
627  * Returns the new credentials or NULL if out     700  * Returns the new credentials or NULL if out of memory.
                                                   >> 701  *
                                                   >> 702  * Does not take, and does not return holding current->cred_replace_mutex.
628  */                                               703  */
629 struct cred *prepare_kernel_cred(struct task_s    704 struct cred *prepare_kernel_cred(struct task_struct *daemon)
630 {                                                 705 {
631         const struct cred *old;                   706         const struct cred *old;
632         struct cred *new;                         707         struct cred *new;
633                                                   708 
634         if (WARN_ON_ONCE(!daemon))             << 
635                 return NULL;                   << 
636                                                << 
637         new = kmem_cache_alloc(cred_jar, GFP_K    709         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
638         if (!new)                                 710         if (!new)
639                 return NULL;                      711                 return NULL;
640                                                   712 
641         kdebug("prepare_kernel_cred() alloc %p    713         kdebug("prepare_kernel_cred() alloc %p", new);
642                                                   714 
643         old = get_task_cred(daemon);           !! 715         if (daemon)
                                                   >> 716                 old = get_task_cred(daemon);
                                                   >> 717         else
                                                   >> 718                 old = get_cred(&init_cred);
                                                   >> 719 
                                                   >> 720         validate_creds(old);
644                                                   721 
645         *new = *old;                              722         *new = *old;
646         new->non_rcu = 0;                      !! 723         atomic_set(&new->usage, 1);
647         atomic_long_set(&new->usage, 1);       !! 724         set_cred_subscribers(new, 0);
648         get_uid(new->user);                       725         get_uid(new->user);
649         get_user_ns(new->user_ns);             << 
650         get_group_info(new->group_info);          726         get_group_info(new->group_info);
651                                                   727 
652 #ifdef CONFIG_KEYS                                728 #ifdef CONFIG_KEYS
653         new->session_keyring = NULL;           !! 729         atomic_inc(&init_tgcred.usage);
654         new->process_keyring = NULL;           !! 730         new->tgcred = &init_tgcred;
655         new->thread_keyring = NULL;            << 
656         new->request_key_auth = NULL;             731         new->request_key_auth = NULL;
                                                   >> 732         new->thread_keyring = NULL;
657         new->jit_keyring = KEY_REQKEY_DEFL_THR    733         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
658 #endif                                            734 #endif
659                                                   735 
660 #ifdef CONFIG_SECURITY                            736 #ifdef CONFIG_SECURITY
661         new->security = NULL;                     737         new->security = NULL;
662 #endif                                            738 #endif
663         new->ucounts = get_ucounts(new->ucount !! 739         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
664         if (!new->ucounts)                     << 
665                 goto error;                    << 
666                                                << 
667         if (security_prepare_creds(new, old, G << 
668                 goto error;                       740                 goto error;
669                                                   741 
670         put_cred(old);                            742         put_cred(old);
                                                   >> 743         validate_creds(new);
671         return new;                               744         return new;
672                                                   745 
673 error:                                            746 error:
674         put_cred(new);                            747         put_cred(new);
675         put_cred(old);                            748         put_cred(old);
676         return NULL;                              749         return NULL;
677 }                                                 750 }
678 EXPORT_SYMBOL(prepare_kernel_cred);               751 EXPORT_SYMBOL(prepare_kernel_cred);
679                                                   752 
680 /**                                               753 /**
681  * set_security_override - Set the security ID    754  * set_security_override - Set the security ID in a set of credentials
682  * @new: The credentials to alter                 755  * @new: The credentials to alter
683  * @secid: The LSM security ID to set             756  * @secid: The LSM security ID to set
684  *                                                757  *
685  * Set the LSM security ID in a set of credent    758  * Set the LSM security ID in a set of credentials so that the subjective
686  * security is overridden when an alternative     759  * security is overridden when an alternative set of credentials is used.
687  */                                               760  */
688 int set_security_override(struct cred *new, u3    761 int set_security_override(struct cred *new, u32 secid)
689 {                                                 762 {
690         return security_kernel_act_as(new, sec    763         return security_kernel_act_as(new, secid);
691 }                                                 764 }
692 EXPORT_SYMBOL(set_security_override);             765 EXPORT_SYMBOL(set_security_override);
693                                                   766 
694 /**                                               767 /**
695  * set_security_override_from_ctx - Set the se    768  * set_security_override_from_ctx - Set the security ID in a set of credentials
696  * @new: The credentials to alter                 769  * @new: The credentials to alter
697  * @secctx: The LSM security context to genera    770  * @secctx: The LSM security context to generate the security ID from.
698  *                                                771  *
699  * Set the LSM security ID in a set of credent    772  * Set the LSM security ID in a set of credentials so that the subjective
700  * security is overridden when an alternative     773  * security is overridden when an alternative set of credentials is used.  The
701  * security ID is specified in string form as     774  * security ID is specified in string form as a security context to be
702  * interpreted by the LSM.                        775  * interpreted by the LSM.
703  */                                               776  */
704 int set_security_override_from_ctx(struct cred    777 int set_security_override_from_ctx(struct cred *new, const char *secctx)
705 {                                                 778 {
706         u32 secid;                                779         u32 secid;
707         int ret;                                  780         int ret;
708                                                   781 
709         ret = security_secctx_to_secid(secctx,    782         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
710         if (ret < 0)                              783         if (ret < 0)
711                 return ret;                       784                 return ret;
712                                                   785 
713         return set_security_override(new, seci    786         return set_security_override(new, secid);
714 }                                                 787 }
715 EXPORT_SYMBOL(set_security_override_from_ctx);    788 EXPORT_SYMBOL(set_security_override_from_ctx);
716                                                   789 
717 /**                                               790 /**
718  * set_create_files_as - Set the LSM file crea    791  * set_create_files_as - Set the LSM file create context in a set of credentials
719  * @new: The credentials to alter                 792  * @new: The credentials to alter
720  * @inode: The inode to take the context from     793  * @inode: The inode to take the context from
721  *                                                794  *
722  * Change the LSM file creation context in a s    795  * Change the LSM file creation context in a set of credentials to be the same
723  * as the object context of the specified inod    796  * as the object context of the specified inode, so that the new inodes have
724  * the same MAC context as that inode.            797  * the same MAC context as that inode.
725  */                                               798  */
726 int set_create_files_as(struct cred *new, stru    799 int set_create_files_as(struct cred *new, struct inode *inode)
727 {                                                 800 {
728         if (!uid_valid(inode->i_uid) || !gid_v << 
729                 return -EINVAL;                << 
730         new->fsuid = inode->i_uid;                801         new->fsuid = inode->i_uid;
731         new->fsgid = inode->i_gid;                802         new->fsgid = inode->i_gid;
732         return security_kernel_create_files_as    803         return security_kernel_create_files_as(new, inode);
733 }                                                 804 }
734 EXPORT_SYMBOL(set_create_files_as);               805 EXPORT_SYMBOL(set_create_files_as);
                                                   >> 806 
                                                   >> 807 #ifdef CONFIG_DEBUG_CREDENTIALS
                                                   >> 808 
                                                   >> 809 bool creds_are_invalid(const struct cred *cred)
                                                   >> 810 {
                                                   >> 811         if (cred->magic != CRED_MAGIC)
                                                   >> 812                 return true;
                                                   >> 813 #ifdef CONFIG_SECURITY_SELINUX
                                                   >> 814         /*
                                                   >> 815          * cred->security == NULL if security_cred_alloc_blank() or
                                                   >> 816          * security_prepare_creds() returned an error.
                                                   >> 817          */
                                                   >> 818         if (selinux_is_enabled() && cred->security) {
                                                   >> 819                 if ((unsigned long) cred->security < PAGE_SIZE)
                                                   >> 820                         return true;
                                                   >> 821                 if ((*(u32 *)cred->security & 0xffffff00) ==
                                                   >> 822                     (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
                                                   >> 823                         return true;
                                                   >> 824         }
                                                   >> 825 #endif
                                                   >> 826         return false;
                                                   >> 827 }
                                                   >> 828 EXPORT_SYMBOL(creds_are_invalid);
                                                   >> 829 
                                                   >> 830 /*
                                                   >> 831  * dump invalid credentials
                                                   >> 832  */
                                                   >> 833 static void dump_invalid_creds(const struct cred *cred, const char *label,
                                                   >> 834                                const struct task_struct *tsk)
                                                   >> 835 {
                                                   >> 836         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
                                                   >> 837                label, cred,
                                                   >> 838                cred == &init_cred ? "[init]" : "",
                                                   >> 839                cred == tsk->real_cred ? "[real]" : "",
                                                   >> 840                cred == tsk->cred ? "[eff]" : "");
                                                   >> 841         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
                                                   >> 842                cred->magic, cred->put_addr);
                                                   >> 843         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
                                                   >> 844                atomic_read(&cred->usage),
                                                   >> 845                read_cred_subscribers(cred));
                                                   >> 846         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
                                                   >> 847                cred->uid, cred->euid, cred->suid, cred->fsuid);
                                                   >> 848         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
                                                   >> 849                cred->gid, cred->egid, cred->sgid, cred->fsgid);
                                                   >> 850 #ifdef CONFIG_SECURITY
                                                   >> 851         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
                                                   >> 852         if ((unsigned long) cred->security >= PAGE_SIZE &&
                                                   >> 853             (((unsigned long) cred->security & 0xffffff00) !=
                                                   >> 854              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
                                                   >> 855                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
                                                   >> 856                        ((u32*)cred->security)[0],
                                                   >> 857                        ((u32*)cred->security)[1]);
                                                   >> 858 #endif
                                                   >> 859 }
                                                   >> 860 
                                                   >> 861 /*
                                                   >> 862  * report use of invalid credentials
                                                   >> 863  */
                                                   >> 864 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
                                                   >> 865 {
                                                   >> 866         printk(KERN_ERR "CRED: Invalid credentials\n");
                                                   >> 867         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
                                                   >> 868         dump_invalid_creds(cred, "Specified", current);
                                                   >> 869         BUG();
                                                   >> 870 }
                                                   >> 871 EXPORT_SYMBOL(__invalid_creds);
                                                   >> 872 
                                                   >> 873 /*
                                                   >> 874  * check the credentials on a process
                                                   >> 875  */
                                                   >> 876 void __validate_process_creds(struct task_struct *tsk,
                                                   >> 877                               const char *file, unsigned line)
                                                   >> 878 {
                                                   >> 879         if (tsk->cred == tsk->real_cred) {
                                                   >> 880                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
                                                   >> 881                              creds_are_invalid(tsk->cred)))
                                                   >> 882                         goto invalid_creds;
                                                   >> 883         } else {
                                                   >> 884                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
                                                   >> 885                              read_cred_subscribers(tsk->cred) < 1 ||
                                                   >> 886                              creds_are_invalid(tsk->real_cred) ||
                                                   >> 887                              creds_are_invalid(tsk->cred)))
                                                   >> 888                         goto invalid_creds;
                                                   >> 889         }
                                                   >> 890         return;
                                                   >> 891 
                                                   >> 892 invalid_creds:
                                                   >> 893         printk(KERN_ERR "CRED: Invalid process credentials\n");
                                                   >> 894         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
                                                   >> 895 
                                                   >> 896         dump_invalid_creds(tsk->real_cred, "Real", tsk);
                                                   >> 897         if (tsk->cred != tsk->real_cred)
                                                   >> 898                 dump_invalid_creds(tsk->cred, "Effective", tsk);
                                                   >> 899         else
                                                   >> 900                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
                                                   >> 901         BUG();
                                                   >> 902 }
                                                   >> 903 EXPORT_SYMBOL(__validate_process_creds);
                                                   >> 904 
                                                   >> 905 /*
                                                   >> 906  * check creds for do_exit()
                                                   >> 907  */
                                                   >> 908 void validate_creds_for_do_exit(struct task_struct *tsk)
                                                   >> 909 {
                                                   >> 910         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
                                                   >> 911                tsk->real_cred, tsk->cred,
                                                   >> 912                atomic_read(&tsk->cred->usage),
                                                   >> 913                read_cred_subscribers(tsk->cred));
                                                   >> 914 
                                                   >> 915         __validate_process_creds(tsk, __FILE__, __LINE__);
                                                   >> 916 }
                                                   >> 917 
                                                   >> 918 #endif /* CONFIG_DEBUG_CREDENTIALS */
735                                                   919 
