kernel/cred.c

   1 /* Task credentials management - see Documentation/security/credentials.rst
   2  *
   3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
   4  * Written by David Howells (dhowells@redhat.com)
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public Licence
   8  * as published by the Free Software Foundation; either version
   9  * 2 of the Licence, or (at your option) any later version.
  10  */
  11 #include <linux/export.h>
  12 #include <linux/cred.h>
  13 #include <linux/slab.h>
  14 #include <linux/sched.h>
  15 #include <linux/sched/coredump.h>
  16 #include <linux/key.h>
  17 #include <linux/keyctl.h>
  18 #include <linux/init_task.h>
  19 #include <linux/security.h>
  20 #include <linux/binfmts.h>
  21 #include <linux/cn_proc.h>
  22 #include <linux/uidgid.h>
  23
  24 #if 0
  25 #define kdebug(FMT, ...)                                                \
  26         printk("[%-5.5s%5u] " FMT "\n",                                 \
  27                current->comm, current->pid, ##__VA_ARGS__)
  28 #else
  29 #define kdebug(FMT, ...)                                                \
  30 do {                                                                    \
  31         if (0)                                                          \
  32                 no_printk("[%-5.5s%5u] " FMT "\n",                      \
  33                           current->comm, current->pid, ##__VA_ARGS__);  \
  34 } while (0)
  35 #endif
  36
  37 static struct kmem_cache *cred_jar;
  38
  39 /* init to 2 - one for init_task, one to ensure it is never freed */
  40 struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
  41
  42 /*
  43  * The initial credentials for the initial task
  44  */
  45 struct cred init_cred = {
  46         .usage                  = ATOMIC_INIT(4),
  47 #ifdef CONFIG_DEBUG_CREDENTIALS
  48         .subscribers            = ATOMIC_INIT(2),
  49         .magic                  = CRED_MAGIC,
  50 #endif
  51         .uid                    = GLOBAL_ROOT_UID,
  52         .gid                    = GLOBAL_ROOT_GID,
  53         .suid                   = GLOBAL_ROOT_UID,
  54         .sgid                   = GLOBAL_ROOT_GID,
  55         .euid                   = GLOBAL_ROOT_UID,
  56         .egid                   = GLOBAL_ROOT_GID,
  57         .fsuid                  = GLOBAL_ROOT_UID,
  58         .fsgid                  = GLOBAL_ROOT_GID,
  59         .securebits             = SECUREBITS_DEFAULT,
  60         .cap_inheritable        = CAP_EMPTY_SET,
  61         .cap_permitted          = CAP_FULL_SET,
  62         .cap_effective          = CAP_FULL_SET,
  63         .cap_bset               = CAP_FULL_SET,
  64         .user                   = INIT_USER,
  65         .user_ns                = &init_user_ns,
  66         .group_info             = &init_groups,
  67 };
  68
  69 static inline void set_cred_subscribers(struct cred *cred, int n)
  70 {
  71 #ifdef CONFIG_DEBUG_CREDENTIALS
  72         atomic_set(&cred->subscribers, n);
  73 #endif
  74 }
  75
  76 static inline int read_cred_subscribers(const struct cred *cred)
  77 {
  78 #ifdef CONFIG_DEBUG_CREDENTIALS
  79         return atomic_read(&cred->subscribers);
  80 #else
  81         return 0;
  82 #endif
  83 }
  84
  85 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
  86 {
  87 #ifdef CONFIG_DEBUG_CREDENTIALS
  88         struct cred *cred = (struct cred *) _cred;
  89
  90         atomic_add(n, &cred->subscribers);
  91 #endif
  92 }
  93
  94 /*
  95  * The RCU callback to actually dispose of a set of credentials
  96  */
  97 static void put_cred_rcu(struct rcu_head *rcu)
  98 {
  99         struct cred *cred = container_of(rcu, struct cred, rcu);
 100
 101         kdebug("put_cred_rcu(%p)", cred);
 102
 103 #ifdef CONFIG_DEBUG_CREDENTIALS
 104         if (cred->magic != CRED_MAGIC_DEAD ||
 105             atomic_read(&cred->usage) != 0 ||
 106             read_cred_subscribers(cred) != 0)
 107                 panic("CRED: put_cred_rcu() sees %p with"
 108                       " mag %x, put %p, usage %d, subscr %d\n",
 109                       cred, cred->magic, cred->put_addr,
 110                       atomic_read(&cred->usage),
 111                       read_cred_subscribers(cred));
 112 #else
 113         if (atomic_read(&cred->usage) != 0)
 114                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
 115                       cred, atomic_read(&cred->usage));
 116 #endif
 117
 118         security_cred_free(cred);
 119         key_put(cred->session_keyring);
 120         key_put(cred->process_keyring);
 121         key_put(cred->thread_keyring);
 122         key_put(cred->request_key_auth);
 123         if (cred->group_info)
 124                 put_group_info(cred->group_info);
 125         free_uid(cred->user);
 126         put_user_ns(cred->user_ns);
 127         kmem_cache_free(cred_jar, cred);
 128 }
 129
 130 /**
 131  * __put_cred - Destroy a set of credentials
 132  * @cred: The record to release
 133  *
 134  * Destroy a set of credentials on which no references remain.
 135  */
 136 void __put_cred(struct cred *cred)
 137 {
 138         kdebug("__put_cred(%p{%d,%d})", cred,
 139                atomic_read(&cred->usage),
 140                read_cred_subscribers(cred));
 141
 142         BUG_ON(atomic_read(&cred->usage) != 0);
 143 #ifdef CONFIG_DEBUG_CREDENTIALS
 144         BUG_ON(read_cred_subscribers(cred) != 0);
 145         cred->magic = CRED_MAGIC_DEAD;
 146         cred->put_addr = __builtin_return_address(0);
 147 #endif
 148         BUG_ON(cred == current->cred);
 149         BUG_ON(cred == current->real_cred);
 150
 151         call_rcu(&cred->rcu, put_cred_rcu);
 152 }
 153 EXPORT_SYMBOL(__put_cred);
 154
 155 /*
 156  * Clean up a task's credentials when it exits
 157  */
 158 void exit_creds(struct task_struct *tsk)
 159 {
 160         struct cred *cred;
 161
 162         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
 163                atomic_read(&tsk->cred->usage),
 164                read_cred_subscribers(tsk->cred));
 165
 166         cred = (struct cred *) tsk->real_cred;
 167         tsk->real_cred = NULL;
 168         validate_creds(cred);
 169         alter_cred_subscribers(cred, -1);
 170         put_cred(cred);
 171
 172         cred = (struct cred *) tsk->cred;
 173         tsk->cred = NULL;
 174         validate_creds(cred);
 175         alter_cred_subscribers(cred, -1);
 176         put_cred(cred);
 177 }
 178
 179 /**
 180  * get_task_cred - Get another task's objective credentials
 181  * @task: The task to query
 182  *
 183  * Get the objective credentials of a task, pinning them so that they can't go
 184  * away.  Accessing a task's credentials directly is not permitted.
 185  *
 186  * The caller must also make sure task doesn't get deleted, either by holding a
 187  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
 188  */
 189 const struct cred *get_task_cred(struct task_struct *task)
 190 {
 191         const struct cred *cred;
 192
 193         rcu_read_lock();
 194
 195         do {
 196                 cred = __task_cred((task));
 197                 BUG_ON(!cred);
 198         } while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
 199
 200         rcu_read_unlock();
 201         return cred;
 202 }
 203
 204 /*
 205  * Allocate blank credentials, such that the credentials can be filled in at a
 206  * later date without risk of ENOMEM.
 207  */
 208 struct cred *cred_alloc_blank(void)
 209 {
 210         struct cred *new;
 211
 212         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
 213         if (!new)
 214                 return NULL;
 215
 216         atomic_set(&new->usage, 1);
 217 #ifdef CONFIG_DEBUG_CREDENTIALS
 218         new->magic = CRED_MAGIC;
 219 #endif
 220
 221         if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
 222                 goto error;
 223
 224         return new;
 225
 226 error:
 227         abort_creds(new);
 228         return NULL;
 229 }
 230
 231 /**
 232  * prepare_creds - Prepare a new set of credentials for modification
 233  *
 234  * Prepare a new set of task credentials for modification.  A task's creds
 235  * shouldn't generally be modified directly, therefore this function is used to
 236  * prepare a new copy, which the caller then modifies and then commits by
 237  * calling commit_creds().
 238  *
 239  * Preparation involves making a copy of the objective creds for modification.
 240  *
 241  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
 242  *
 243  * Call commit_creds() or abort_creds() to clean up.
 244  */
 245 struct cred *prepare_creds(void)
 246 {
 247         struct task_struct *task = current;
 248         const struct cred *old;
 249         struct cred *new;
 250
 251         validate_process_creds();
 252
 253         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
 254         if (!new)
 255                 return NULL;
 256
 257         kdebug("prepare_creds() alloc %p", new);
 258
 259         old = task->cred;
 260         memcpy(new, old, sizeof(struct cred));
 261
 262         atomic_set(&new->usage, 1);
 263         set_cred_subscribers(new, 0);
 264         get_group_info(new->group_info);
 265         get_uid(new->user);
 266         get_user_ns(new->user_ns);
 267
 268 #ifdef CONFIG_KEYS
 269         key_get(new->session_keyring);
 270         key_get(new->process_keyring);
 271         key_get(new->thread_keyring);
 272         key_get(new->request_key_auth);
 273 #endif
 274
 275 #ifdef CONFIG_SECURITY
 276         new->security = NULL;
 277 #endif
 278
 279         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 280                 goto error;
 281         validate_creds(new);
 282         return new;
 283
 284 error:
 285         abort_creds(new);
 286         return NULL;
 287 }
 288 EXPORT_SYMBOL(prepare_creds);
 289
 290 /*
 291  * Prepare credentials for current to perform an execve()
 292  * - The caller must hold ->cred_guard_mutex
 293  */
 294 struct cred *prepare_exec_creds(void)
 295 {
 296         struct cred *new;
 297
 298         new = prepare_creds();
 299         if (!new)
 300                 return new;
 301
 302 #ifdef CONFIG_KEYS
 303         /* newly exec'd tasks don't get a thread keyring */
 304         key_put(new->thread_keyring);
 305         new->thread_keyring = NULL;
 306
 307         /* inherit the session keyring; new process keyring */
 308         key_put(new->process_keyring);
 309         new->process_keyring = NULL;
 310 #endif
 311
 312         return new;
 313 }
 314
 315 /*
 316  * Copy credentials for the new process created by fork()
 317  *
 318  * We share if we can, but under some circumstances we have to generate a new
 319  * set.
 320  *
 321  * The new process gets the current process's subjective credentials as its
 322  * objective and subjective credentials
 323  */
 324 int copy_creds(struct task_struct *p, unsigned long clone_flags)
 325 {
 326         struct cred *new;
 327         int ret;
 328
 329         if (
 330 #ifdef CONFIG_KEYS
 331                 !p->cred->thread_keyring &&
 332 #endif
 333                 clone_flags & CLONE_THREAD
 334             ) {
 335                 p->real_cred = get_cred(p->cred);
 336                 get_cred(p->cred);
 337                 alter_cred_subscribers(p->cred, 2);
 338                 kdebug("share_creds(%p{%d,%d})",
 339                        p->cred, atomic_read(&p->cred->usage),
 340                        read_cred_subscribers(p->cred));
 341                 atomic_inc(&p->cred->user->processes);
 342                 return 0;
 343         }
 344
 345         new = prepare_creds();
 346         if (!new)
 347                 return -ENOMEM;
 348
 349         if (clone_flags & CLONE_NEWUSER) {
 350                 ret = create_user_ns(new);
 351                 if (ret < 0)
 352                         goto error_put;
 353         }
 354
 355 #ifdef CONFIG_KEYS
 356         /* new threads get their own thread keyrings if their parent already
 357          * had one */
 358         if (new->thread_keyring) {
 359                 key_put(new->thread_keyring);
 360                 new->thread_keyring = NULL;
 361                 if (clone_flags & CLONE_THREAD)
 362                         install_thread_keyring_to_cred(new);
 363         }
 364
 365         /* The process keyring is only shared between the threads in a process;
 366          * anything outside of those threads doesn't inherit.
 367          */
 368         if (!(clone_flags & CLONE_THREAD)) {
 369                 key_put(new->process_keyring);
 370                 new->process_keyring = NULL;
 371         }
 372 #endif
 373
 374         atomic_inc(&new->user->processes);
 375         p->cred = p->real_cred = get_cred(new);
 376         alter_cred_subscribers(new, 2);
 377         validate_creds(new);
 378         return 0;
 379
 380 error_put:
 381         put_cred(new);
 382         return ret;
 383 }
 384
 385 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
 386 {
 387         const struct user_namespace *set_ns = set->user_ns;
 388         const struct user_namespace *subset_ns = subset->user_ns;
 389
 390         /* If the two credentials are in the same user namespace see if
 391          * the capabilities of subset are a subset of set.
 392          */
 393         if (set_ns == subset_ns)
 394                 return cap_issubset(subset->cap_permitted, set->cap_permitted);
 395
 396         /* The credentials are in a different user namespaces
 397          * therefore one is a subset of the other only if a set is an
 398          * ancestor of subset and set->euid is owner of subset or one
 399          * of subsets ancestors.
 400          */
 401         for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
 402                 if ((set_ns == subset_ns->parent)  &&
 403                     uid_eq(subset_ns->owner, set->euid))
 404                         return true;
 405         }
 406
 407         return false;
 408 }
 409
 410 /**
 411  * commit_creds - Install new credentials upon the current task
 412  * @new: The credentials to be assigned
 413  *
 414  * Install a new set of credentials to the current task, using RCU to replace
 415  * the old set.  Both the objective and the subjective credentials pointers are
 416  * updated.  This function may not be called if the subjective credentials are
 417  * in an overridden state.
 418  *
 419  * This function eats the caller's reference to the new credentials.
 420  *
 421  * Always returns 0 thus allowing this function to be tail-called at the end
 422  * of, say, sys_setgid().
 423  */
 424 int commit_creds(struct cred *new)
 425 {
 426         struct task_struct *task = current;
 427         const struct cred *old = task->real_cred;
 428
 429         kdebug("commit_creds(%p{%d,%d})", new,
 430                atomic_read(&new->usage),
 431                read_cred_subscribers(new));
 432
 433         BUG_ON(task->cred != old);
 434 #ifdef CONFIG_DEBUG_CREDENTIALS
 435         BUG_ON(read_cred_subscribers(old) < 2);
 436         validate_creds(old);
 437         validate_creds(new);
 438 #endif
 439         BUG_ON(atomic_read(&new->usage) < 1);
 440
 441         get_cred(new); /* we will require a ref for the subj creds too */
 442
 443         /* dumpability changes */
 444         if (!uid_eq(old->euid, new->euid) ||
 445             !gid_eq(old->egid, new->egid) ||
 446             !uid_eq(old->fsuid, new->fsuid) ||
 447             !gid_eq(old->fsgid, new->fsgid) ||
 448             !cred_cap_issubset(old, new)) {
 449                 if (task->mm)
 450                         set_dumpable(task->mm, suid_dumpable);
 451                 task->pdeath_signal = 0;
 452                 smp_wmb();
 453         }
 454
 455         /* alter the thread keyring */
 456         if (!uid_eq(new->fsuid, old->fsuid))
 457                 key_fsuid_changed(task);
 458         if (!gid_eq(new->fsgid, old->fsgid))
 459                 key_fsgid_changed(task);
 460
 461         /* do it
 462          * RLIMIT_NPROC limits on user->processes have already been checked
 463          * in set_user().
 464          */
 465         alter_cred_subscribers(new, 2);
 466         if (new->user != old->user)
 467                 atomic_inc(&new->user->processes);
 468         rcu_assign_pointer(task->real_cred, new);
 469         rcu_assign_pointer(task->cred, new);
 470         if (new->user != old->user)
 471                 atomic_dec(&old->user->processes);
 472         alter_cred_subscribers(old, -2);
 473
 474         /* send notifications */
 475         if (!uid_eq(new->uid,   old->uid)  ||
 476             !uid_eq(new->euid,  old->euid) ||
 477             !uid_eq(new->suid,  old->suid) ||
 478             !uid_eq(new->fsuid, old->fsuid))
 479                 proc_id_connector(task, PROC_EVENT_UID);
 480
 481         if (!gid_eq(new->gid,   old->gid)  ||
 482             !gid_eq(new->egid,  old->egid) ||
 483             !gid_eq(new->sgid,  old->sgid) ||
 484             !gid_eq(new->fsgid, old->fsgid))
 485                 proc_id_connector(task, PROC_EVENT_GID);
 486
 487         /* release the old obj and subj refs both */
 488         put_cred(old);
 489         put_cred(old);
 490         return 0;
 491 }
 492 EXPORT_SYMBOL(commit_creds);
 493
 494 /**
 495  * abort_creds - Discard a set of credentials and unlock the current task
 496  * @new: The credentials that were going to be applied
 497  *
 498  * Discard a set of credentials that were under construction and unlock the
 499  * current task.
 500  */
 501 void abort_creds(struct cred *new)
 502 {
 503         kdebug("abort_creds(%p{%d,%d})", new,
 504                atomic_read(&new->usage),
 505                read_cred_subscribers(new));
 506
 507 #ifdef CONFIG_DEBUG_CREDENTIALS
 508         BUG_ON(read_cred_subscribers(new) != 0);
 509 #endif
 510         BUG_ON(atomic_read(&new->usage) < 1);
 511         put_cred(new);
 512 }
 513 EXPORT_SYMBOL(abort_creds);
 514
 515 /**
 516  * override_creds - Override the current process's subjective credentials
 517  * @new: The credentials to be assigned
 518  *
 519  * Install a set of temporary override subjective credentials on the current
 520  * process, returning the old set for later reversion.
 521  */
 522 const struct cred *override_creds(const struct cred *new)
 523 {
 524         const struct cred *old = current->cred;
 525
 526         kdebug("override_creds(%p{%d,%d})", new,
 527                atomic_read(&new->usage),
 528                read_cred_subscribers(new));
 529
 530         validate_creds(old);
 531         validate_creds(new);
 532         get_cred(new);
 533         alter_cred_subscribers(new, 1);
 534         rcu_assign_pointer(current->cred, new);
 535         alter_cred_subscribers(old, -1);
 536
 537         kdebug("override_creds() = %p{%d,%d}", old,
 538                atomic_read(&old->usage),
 539                read_cred_subscribers(old));
 540         return old;
 541 }
 542 EXPORT_SYMBOL(override_creds);
 543
 544 /**
 545  * revert_creds - Revert a temporary subjective credentials override
 546  * @old: The credentials to be restored
 547  *
 548  * Revert a temporary set of override subjective credentials to an old set,
 549  * discarding the override set.
 550  */
 551 void revert_creds(const struct cred *old)
 552 {
 553         const struct cred *override = current->cred;
 554
 555         kdebug("revert_creds(%p{%d,%d})", old,
 556                atomic_read(&old->usage),
 557                read_cred_subscribers(old));
 558
 559         validate_creds(old);
 560         validate_creds(override);
 561         alter_cred_subscribers(old, 1);
 562         rcu_assign_pointer(current->cred, old);
 563         alter_cred_subscribers(override, -1);
 564         put_cred(override);
 565 }
 566 EXPORT_SYMBOL(revert_creds);
 567
 568 /**
 569  * cred_fscmp - Compare two credentials with respect to filesystem access.
 570  * @a: The first credential
 571  * @b: The second credential
 572  *
 573  * cred_cmp() will return zero if both credentials have the same
 574  * fsuid, fsgid, and supplementary groups.  That is, if they will both
 575  * provide the same access to files based on mode/uid/gid.
 576  * If the credentials are different, then either -1 or 1 will
 577  * be returned depending on whether @a comes before or after @b
 578  * respectively in an arbitrary, but stable, ordering of credentials.
 579  *
 580  * Return: -1, 0, or 1 depending on comparison
 581  */
 582 int cred_fscmp(const struct cred *a, const struct cred *b)
 583 {
 584         struct group_info *ga, *gb;
 585         int g;
 586
 587         if (a == b)
 588                 return 0;
 589         if (uid_lt(a->fsuid, b->fsuid))
 590                 return -1;
 591         if (uid_gt(a->fsuid, b->fsuid))
 592                 return 1;
 593
 594         if (gid_lt(a->fsgid, b->fsgid))
 595                 return -1;
 596         if (gid_gt(a->fsgid, b->fsgid))
 597                 return 1;
 598
 599         ga = a->group_info;
 600         gb = b->group_info;
 601         if (ga == gb)
 602                 return 0;
 603         if (ga == NULL)
 604                 return -1;
 605         if (gb == NULL)
 606                 return 1;
 607         if (ga->ngroups < gb->ngroups)
 608                 return -1;
 609         if (ga->ngroups > gb->ngroups)
 610                 return 1;
 611
 612         for (g = 0; g < ga->ngroups; g++) {
 613                 if (gid_lt(ga->gid[g], gb->gid[g]))
 614                         return -1;
 615                 if (gid_gt(ga->gid[g], gb->gid[g]))
 616                         return 1;
 617         }
 618         return 0;
 619 }
 620 EXPORT_SYMBOL(cred_fscmp);
 621
 622 /*
 623  * initialise the credentials stuff
 624  */
 625 void __init cred_init(void)
 626 {
 627         /* allocate a slab in which we can store credentials */
 628         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
 629                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
 630 }
 631
 632 /**
 633  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
 634  * @daemon: A userspace daemon to be used as a reference
 635  *
 636  * Prepare a set of credentials for a kernel service.  This can then be used to
 637  * override a task's own credentials so that work can be done on behalf of that
 638  * task that requires a different subjective context.
 639  *
 640  * @daemon is used to provide a base for the security record, but can be NULL.
 641  * If @daemon is supplied, then the security data will be derived from that;
 642  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
 643  *
 644  * The caller may change these controls afterwards if desired.
 645  *
 646  * Returns the new credentials or NULL if out of memory.
 647  *
 648  * Does not take, and does not return holding current->cred_replace_mutex.
 649  */
 650 struct cred *prepare_kernel_cred(struct task_struct *daemon)
 651 {
 652         const struct cred *old;
 653         struct cred *new;
 654
 655         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
 656         if (!new)
 657                 return NULL;
 658
 659         kdebug("prepare_kernel_cred() alloc %p", new);
 660
 661         if (daemon)
 662                 old = get_task_cred(daemon);
 663         else
 664                 old = get_cred(&init_cred);
 665
 666         validate_creds(old);
 667
 668         *new = *old;
 669         atomic_set(&new->usage, 1);
 670         set_cred_subscribers(new, 0);
 671         get_uid(new->user);
 672         get_user_ns(new->user_ns);
 673         get_group_info(new->group_info);
 674
 675 #ifdef CONFIG_KEYS
 676         new->session_keyring = NULL;
 677         new->process_keyring = NULL;
 678         new->thread_keyring = NULL;
 679         new->request_key_auth = NULL;
 680         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
 681 #endif
 682
 683 #ifdef CONFIG_SECURITY
 684         new->security = NULL;
 685 #endif
 686         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 687                 goto error;
 688
 689         put_cred(old);
 690         validate_creds(new);
 691         return new;
 692
 693 error:
 694         put_cred(new);
 695         put_cred(old);
 696         return NULL;
 697 }
 698 EXPORT_SYMBOL(prepare_kernel_cred);
 699
 700 /**
 701  * set_security_override - Set the security ID in a set of credentials
 702  * @new: The credentials to alter
 703  * @secid: The LSM security ID to set
 704  *
 705  * Set the LSM security ID in a set of credentials so that the subjective
 706  * security is overridden when an alternative set of credentials is used.
 707  */
 708 int set_security_override(struct cred *new, u32 secid)
 709 {
 710         return security_kernel_act_as(new, secid);
 711 }
 712 EXPORT_SYMBOL(set_security_override);
 713
 714 /**
 715  * set_security_override_from_ctx - Set the security ID in a set of credentials
 716  * @new: The credentials to alter
 717  * @secctx: The LSM security context to generate the security ID from.
 718  *
 719  * Set the LSM security ID in a set of credentials so that the subjective
 720  * security is overridden when an alternative set of credentials is used.  The
 721  * security ID is specified in string form as a security context to be
 722  * interpreted by the LSM.
 723  */
 724 int set_security_override_from_ctx(struct cred *new, const char *secctx)
 725 {
 726         u32 secid;
 727         int ret;
 728
 729         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
 730         if (ret < 0)
 731                 return ret;
 732
 733         return set_security_override(new, secid);
 734 }
 735 EXPORT_SYMBOL(set_security_override_from_ctx);
 736
 737 /**
 738  * set_create_files_as - Set the LSM file create context in a set of credentials
 739  * @new: The credentials to alter
 740  * @inode: The inode to take the context from
 741  *
 742  * Change the LSM file creation context in a set of credentials to be the same
 743  * as the object context of the specified inode, so that the new inodes have
 744  * the same MAC context as that inode.
 745  */
 746 int set_create_files_as(struct cred *new, struct inode *inode)
 747 {
 748         if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
 749                 return -EINVAL;
 750         new->fsuid = inode->i_uid;
 751         new->fsgid = inode->i_gid;
 752         return security_kernel_create_files_as(new, inode);
 753 }
 754 EXPORT_SYMBOL(set_create_files_as);
 755
 756 #ifdef CONFIG_DEBUG_CREDENTIALS
 757
 758 bool creds_are_invalid(const struct cred *cred)
 759 {
 760         if (cred->magic != CRED_MAGIC)
 761                 return true;
 762 #ifdef CONFIG_SECURITY_SELINUX
 763         /*
 764          * cred->security == NULL if security_cred_alloc_blank() or
 765          * security_prepare_creds() returned an error.
 766          */
 767         if (selinux_is_enabled() && cred->security) {
 768                 if ((unsigned long) cred->security < PAGE_SIZE)
 769                         return true;
 770                 if ((*(u32 *)cred->security & 0xffffff00) ==
 771                     (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
 772                         return true;
 773         }
 774 #endif
 775         return false;
 776 }
 777 EXPORT_SYMBOL(creds_are_invalid);
 778
 779 /*
 780  * dump invalid credentials
 781  */
 782 static void dump_invalid_creds(const struct cred *cred, const char *label,
 783                                const struct task_struct *tsk)
 784 {
 785         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
 786                label, cred,
 787                cred == &init_cred ? "[init]" : "",
 788                cred == tsk->real_cred ? "[real]" : "",
 789                cred == tsk->cred ? "[eff]" : "");
 790         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
 791                cred->magic, cred->put_addr);
 792         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
 793                atomic_read(&cred->usage),
 794                read_cred_subscribers(cred));
 795         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
 796                 from_kuid_munged(&init_user_ns, cred->uid),
 797                 from_kuid_munged(&init_user_ns, cred->euid),
 798                 from_kuid_munged(&init_user_ns, cred->suid),
 799                 from_kuid_munged(&init_user_ns, cred->fsuid));
 800         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
 801                 from_kgid_munged(&init_user_ns, cred->gid),
 802                 from_kgid_munged(&init_user_ns, cred->egid),
 803                 from_kgid_munged(&init_user_ns, cred->sgid),
 804                 from_kgid_munged(&init_user_ns, cred->fsgid));
 805 #ifdef CONFIG_SECURITY
 806         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
 807         if ((unsigned long) cred->security >= PAGE_SIZE &&
 808             (((unsigned long) cred->security & 0xffffff00) !=
 809              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
 810                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
 811                        ((u32*)cred->security)[0],
 812                        ((u32*)cred->security)[1]);
 813 #endif
 814 }
 815
 816 /*
 817  * report use of invalid credentials
 818  */
 819 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
 820 {
 821         printk(KERN_ERR "CRED: Invalid credentials\n");
 822         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
 823         dump_invalid_creds(cred, "Specified", current);
 824         BUG();
 825 }
 826 EXPORT_SYMBOL(__invalid_creds);
 827
 828 /*
 829  * check the credentials on a process
 830  */
 831 void __validate_process_creds(struct task_struct *tsk,
 832                               const char *file, unsigned line)
 833 {
 834         if (tsk->cred == tsk->real_cred) {
 835                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
 836                              creds_are_invalid(tsk->cred)))
 837                         goto invalid_creds;
 838         } else {
 839                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
 840                              read_cred_subscribers(tsk->cred) < 1 ||
 841                              creds_are_invalid(tsk->real_cred) ||
 842                              creds_are_invalid(tsk->cred)))
 843                         goto invalid_creds;
 844         }
 845         return;
 846
 847 invalid_creds:
 848         printk(KERN_ERR "CRED: Invalid process credentials\n");
 849         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
 850
 851         dump_invalid_creds(tsk->real_cred, "Real", tsk);
 852         if (tsk->cred != tsk->real_cred)
 853                 dump_invalid_creds(tsk->cred, "Effective", tsk);
 854         else
 855                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
 856         BUG();
 857 }
 858 EXPORT_SYMBOL(__validate_process_creds);
 859
 860 /*
 861  * check creds for do_exit()
 862  */
 863 void validate_creds_for_do_exit(struct task_struct *tsk)
 864 {
 865         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
 866                tsk->real_cred, tsk->cred,
 867                atomic_read(&tsk->cred->usage),
 868                read_cred_subscribers(tsk->cred));
 869
 870         __validate_process_creds(tsk, __FILE__, __LINE__);
 871 }
 872
 873 #endif /* CONFIG_DEBUG_CREDENTIALS */