kernel/cred.c

   1 /* Task credentials management - see Documentation/security/credentials.rst
   2  *
   3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
   4  * Written by David Howells (dhowells@redhat.com)
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public Licence
   8  * as published by the Free Software Foundation; either version
   9  * 2 of the Licence, or (at your option) any later version.
  10  */
  11 #include <linux/export.h>
  12 #include <linux/cred.h>
  13 #include <linux/slab.h>
  14 #include <linux/sched.h>
  15 #include <linux/sched/coredump.h>
  16 #include <linux/key.h>
  17 #include <linux/keyctl.h>
  18 #include <linux/init_task.h>
  19 #include <linux/security.h>
  20 #include <linux/binfmts.h>
  21 #include <linux/cn_proc.h>
  22 #include <linux/uidgid.h>
  23
  24 #if 0
  25 #define kdebug(FMT, ...)                                                \
  26         printk("[%-5.5s%5u] " FMT "\n",                                 \
  27                current->comm, current->pid, ##__VA_ARGS__)
  28 #else
  29 #define kdebug(FMT, ...)                                                \
  30 do {                                                                    \
  31         if (0)                                                          \
  32                 no_printk("[%-5.5s%5u] " FMT "\n",                      \
  33                           current->comm, current->pid, ##__VA_ARGS__);  \
  34 } while (0)
  35 #endif
  36
  37 static struct kmem_cache *cred_jar;
  38
  39 /* init to 2 - one for init_task, one to ensure it is never freed */
  40 struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
  41
  42 /*
  43  * The initial credentials for the initial task
  44  */
  45 struct cred init_cred = {
  46         .usage                  = ATOMIC_INIT(4),
  47 #ifdef CONFIG_DEBUG_CREDENTIALS
  48         .subscribers            = ATOMIC_INIT(2),
  49         .magic                  = CRED_MAGIC,
  50 #endif
  51         .uid                    = GLOBAL_ROOT_UID,
  52         .gid                    = GLOBAL_ROOT_GID,
  53         .suid                   = GLOBAL_ROOT_UID,
  54         .sgid                   = GLOBAL_ROOT_GID,
  55         .euid                   = GLOBAL_ROOT_UID,
  56         .egid                   = GLOBAL_ROOT_GID,
  57         .fsuid                  = GLOBAL_ROOT_UID,
  58         .fsgid                  = GLOBAL_ROOT_GID,
  59         .securebits             = SECUREBITS_DEFAULT,
  60         .cap_inheritable        = CAP_EMPTY_SET,
  61         .cap_permitted          = CAP_FULL_SET,
  62         .cap_effective          = CAP_FULL_SET,
  63         .cap_bset               = CAP_FULL_SET,
  64         .user                   = INIT_USER,
  65         .user_ns                = &init_user_ns,
  66         .group_info             = &init_groups,
  67 };
  68
  69 static inline void set_cred_subscribers(struct cred *cred, int n)
  70 {
  71 #ifdef CONFIG_DEBUG_CREDENTIALS
  72         atomic_set(&cred->subscribers, n);
  73 #endif
  74 }
  75
  76 static inline int read_cred_subscribers(const struct cred *cred)
  77 {
  78 #ifdef CONFIG_DEBUG_CREDENTIALS
  79         return atomic_read(&cred->subscribers);
  80 #else
  81         return 0;
  82 #endif
  83 }
  84
  85 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
  86 {
  87 #ifdef CONFIG_DEBUG_CREDENTIALS
  88         struct cred *cred = (struct cred *) _cred;
  89
  90         atomic_add(n, &cred->subscribers);
  91 #endif
  92 }
  93
  94 /*
  95  * The RCU callback to actually dispose of a set of credentials
  96  */
  97 static void put_cred_rcu(struct rcu_head *rcu)
  98 {
  99         struct cred *cred = container_of(rcu, struct cred, rcu);
 100
 101         kdebug("put_cred_rcu(%p)", cred);
 102
 103 #ifdef CONFIG_DEBUG_CREDENTIALS
 104         if (cred->magic != CRED_MAGIC_DEAD ||
 105             atomic_read(&cred->usage) != 0 ||
 106             read_cred_subscribers(cred) != 0)
 107                 panic("CRED: put_cred_rcu() sees %p with"
 108                       " mag %x, put %p, usage %d, subscr %d\n",
 109                       cred, cred->magic, cred->put_addr,
 110                       atomic_read(&cred->usage),
 111                       read_cred_subscribers(cred));
 112 #else
 113         if (atomic_read(&cred->usage) != 0)
 114                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
 115                       cred, atomic_read(&cred->usage));
 116 #endif
 117
 118         security_cred_free(cred);
 119         key_put(cred->session_keyring);
 120         key_put(cred->process_keyring);
 121         key_put(cred->thread_keyring);
 122         key_put(cred->request_key_auth);
 123         if (cred->group_info)
 124                 put_group_info(cred->group_info);
 125         free_uid(cred->user);
 126         put_user_ns(cred->user_ns);
 127         kmem_cache_free(cred_jar, cred);
 128 }
 129
 130 /**
 131  * __put_cred - Destroy a set of credentials
 132  * @cred: The record to release
 133  *
 134  * Destroy a set of credentials on which no references remain.
 135  */
 136 void __put_cred(struct cred *cred)
 137 {
 138         kdebug("__put_cred(%p{%d,%d})", cred,
 139                atomic_read(&cred->usage),
 140                read_cred_subscribers(cred));
 141
 142         BUG_ON(atomic_read(&cred->usage) != 0);
 143 #ifdef CONFIG_DEBUG_CREDENTIALS
 144         BUG_ON(read_cred_subscribers(cred) != 0);
 145         cred->magic = CRED_MAGIC_DEAD;
 146         cred->put_addr = __builtin_return_address(0);
 147 #endif
 148         BUG_ON(cred == current->cred);
 149         BUG_ON(cred == current->real_cred);
 150
 151         call_rcu(&cred->rcu, put_cred_rcu);
 152 }
 153 EXPORT_SYMBOL(__put_cred);
 154
 155 /*
 156  * Clean up a task's credentials when it exits
 157  */
 158 void exit_creds(struct task_struct *tsk)
 159 {
 160         struct cred *cred;
 161
 162         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
 163                atomic_read(&tsk->cred->usage),
 164                read_cred_subscribers(tsk->cred));
 165
 166         cred = (struct cred *) tsk->real_cred;
 167         tsk->real_cred = NULL;
 168         validate_creds(cred);
 169         alter_cred_subscribers(cred, -1);
 170         put_cred(cred);
 171
 172         cred = (struct cred *) tsk->cred;
 173         tsk->cred = NULL;
 174         validate_creds(cred);
 175         alter_cred_subscribers(cred, -1);
 176         put_cred(cred);
 177 }
 178
 179 /**
 180  * get_task_cred - Get another task's objective credentials
 181  * @task: The task to query
 182  *
 183  * Get the objective credentials of a task, pinning them so that they can't go
 184  * away.  Accessing a task's credentials directly is not permitted.
 185  *
 186  * The caller must also make sure task doesn't get deleted, either by holding a
 187  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
 188  */
 189 const struct cred *get_task_cred(struct task_struct *task)
 190 {
 191         const struct cred *cred;
 192
 193         rcu_read_lock();
 194
 195         do {
 196                 cred = __task_cred((task));
 197                 BUG_ON(!cred);
 198         } while (!get_cred_rcu(cred));
 199
 200         rcu_read_unlock();
 201         return cred;
 202 }
 203 EXPORT_SYMBOL(get_task_cred);
 204
 205 /*
 206  * Allocate blank credentials, such that the credentials can be filled in at a
 207  * later date without risk of ENOMEM.
 208  */
 209 struct cred *cred_alloc_blank(void)
 210 {
 211         struct cred *new;
 212
 213         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
 214         if (!new)
 215                 return NULL;
 216
 217         atomic_set(&new->usage, 1);
 218 #ifdef CONFIG_DEBUG_CREDENTIALS
 219         new->magic = CRED_MAGIC;
 220 #endif
 221
 222         if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
 223                 goto error;
 224
 225         return new;
 226
 227 error:
 228         abort_creds(new);
 229         return NULL;
 230 }
 231
 232 /**
 233  * prepare_creds - Prepare a new set of credentials for modification
 234  *
 235  * Prepare a new set of task credentials for modification.  A task's creds
 236  * shouldn't generally be modified directly, therefore this function is used to
 237  * prepare a new copy, which the caller then modifies and then commits by
 238  * calling commit_creds().
 239  *
 240  * Preparation involves making a copy of the objective creds for modification.
 241  *
 242  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
 243  *
 244  * Call commit_creds() or abort_creds() to clean up.
 245  */
 246 struct cred *prepare_creds(void)
 247 {
 248         struct task_struct *task = current;
 249         const struct cred *old;
 250         struct cred *new;
 251
 252         validate_process_creds();
 253
 254         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
 255         if (!new)
 256                 return NULL;
 257
 258         kdebug("prepare_creds() alloc %p", new);
 259
 260         old = task->cred;
 261         memcpy(new, old, sizeof(struct cred));
 262
 263         atomic_set(&new->usage, 1);
 264         set_cred_subscribers(new, 0);
 265         get_group_info(new->group_info);
 266         get_uid(new->user);
 267         get_user_ns(new->user_ns);
 268
 269 #ifdef CONFIG_KEYS
 270         key_get(new->session_keyring);
 271         key_get(new->process_keyring);
 272         key_get(new->thread_keyring);
 273         key_get(new->request_key_auth);
 274 #endif
 275
 276 #ifdef CONFIG_SECURITY
 277         new->security = NULL;
 278 #endif
 279
 280         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 281                 goto error;
 282         validate_creds(new);
 283         return new;
 284
 285 error:
 286         abort_creds(new);
 287         return NULL;
 288 }
 289 EXPORT_SYMBOL(prepare_creds);
 290
 291 /*
 292  * Prepare credentials for current to perform an execve()
 293  * - The caller must hold ->cred_guard_mutex
 294  */
 295 struct cred *prepare_exec_creds(void)
 296 {
 297         struct cred *new;
 298
 299         new = prepare_creds();
 300         if (!new)
 301                 return new;
 302
 303 #ifdef CONFIG_KEYS
 304         /* newly exec'd tasks don't get a thread keyring */
 305         key_put(new->thread_keyring);
 306         new->thread_keyring = NULL;
 307
 308         /* inherit the session keyring; new process keyring */
 309         key_put(new->process_keyring);
 310         new->process_keyring = NULL;
 311 #endif
 312
 313         return new;
 314 }
 315
 316 /*
 317  * Copy credentials for the new process created by fork()
 318  *
 319  * We share if we can, but under some circumstances we have to generate a new
 320  * set.
 321  *
 322  * The new process gets the current process's subjective credentials as its
 323  * objective and subjective credentials
 324  */
 325 int copy_creds(struct task_struct *p, unsigned long clone_flags)
 326 {
 327         struct cred *new;
 328         int ret;
 329
 330         if (
 331 #ifdef CONFIG_KEYS
 332                 !p->cred->thread_keyring &&
 333 #endif
 334                 clone_flags & CLONE_THREAD
 335             ) {
 336                 p->real_cred = get_cred(p->cred);
 337                 get_cred(p->cred);
 338                 alter_cred_subscribers(p->cred, 2);
 339                 kdebug("share_creds(%p{%d,%d})",
 340                        p->cred, atomic_read(&p->cred->usage),
 341                        read_cred_subscribers(p->cred));
 342                 atomic_inc(&p->cred->user->processes);
 343                 return 0;
 344         }
 345
 346         new = prepare_creds();
 347         if (!new)
 348                 return -ENOMEM;
 349
 350         if (clone_flags & CLONE_NEWUSER) {
 351                 ret = create_user_ns(new);
 352                 if (ret < 0)
 353                         goto error_put;
 354         }
 355
 356 #ifdef CONFIG_KEYS
 357         /* new threads get their own thread keyrings if their parent already
 358          * had one */
 359         if (new->thread_keyring) {
 360                 key_put(new->thread_keyring);
 361                 new->thread_keyring = NULL;
 362                 if (clone_flags & CLONE_THREAD)
 363                         install_thread_keyring_to_cred(new);
 364         }
 365
 366         /* The process keyring is only shared between the threads in a process;
 367          * anything outside of those threads doesn't inherit.
 368          */
 369         if (!(clone_flags & CLONE_THREAD)) {
 370                 key_put(new->process_keyring);
 371                 new->process_keyring = NULL;
 372         }
 373 #endif
 374
 375         atomic_inc(&new->user->processes);
 376         p->cred = p->real_cred = get_cred(new);
 377         alter_cred_subscribers(new, 2);
 378         validate_creds(new);
 379         return 0;
 380
 381 error_put:
 382         put_cred(new);
 383         return ret;
 384 }
 385
 386 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
 387 {
 388         const struct user_namespace *set_ns = set->user_ns;
 389         const struct user_namespace *subset_ns = subset->user_ns;
 390
 391         /* If the two credentials are in the same user namespace see if
 392          * the capabilities of subset are a subset of set.
 393          */
 394         if (set_ns == subset_ns)
 395                 return cap_issubset(subset->cap_permitted, set->cap_permitted);
 396
 397         /* The credentials are in a different user namespaces
 398          * therefore one is a subset of the other only if a set is an
 399          * ancestor of subset and set->euid is owner of subset or one
 400          * of subsets ancestors.
 401          */
 402         for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
 403                 if ((set_ns == subset_ns->parent)  &&
 404                     uid_eq(subset_ns->owner, set->euid))
 405                         return true;
 406         }
 407
 408         return false;
 409 }
 410
 411 /**
 412  * commit_creds - Install new credentials upon the current task
 413  * @new: The credentials to be assigned
 414  *
 415  * Install a new set of credentials to the current task, using RCU to replace
 416  * the old set.  Both the objective and the subjective credentials pointers are
 417  * updated.  This function may not be called if the subjective credentials are
 418  * in an overridden state.
 419  *
 420  * This function eats the caller's reference to the new credentials.
 421  *
 422  * Always returns 0 thus allowing this function to be tail-called at the end
 423  * of, say, sys_setgid().
 424  */
 425 int commit_creds(struct cred *new)
 426 {
 427         struct task_struct *task = current;
 428         const struct cred *old = task->real_cred;
 429
 430         kdebug("commit_creds(%p{%d,%d})", new,
 431                atomic_read(&new->usage),
 432                read_cred_subscribers(new));
 433
 434         BUG_ON(task->cred != old);
 435 #ifdef CONFIG_DEBUG_CREDENTIALS
 436         BUG_ON(read_cred_subscribers(old) < 2);
 437         validate_creds(old);
 438         validate_creds(new);
 439 #endif
 440         BUG_ON(atomic_read(&new->usage) < 1);
 441
 442         get_cred(new); /* we will require a ref for the subj creds too */
 443
 444         /* dumpability changes */
 445         if (!uid_eq(old->euid, new->euid) ||
 446             !gid_eq(old->egid, new->egid) ||
 447             !uid_eq(old->fsuid, new->fsuid) ||
 448             !gid_eq(old->fsgid, new->fsgid) ||
 449             !cred_cap_issubset(old, new)) {
 450                 if (task->mm)
 451                         set_dumpable(task->mm, suid_dumpable);
 452                 task->pdeath_signal = 0;
 453                 smp_wmb();
 454         }
 455
 456         /* alter the thread keyring */
 457         if (!uid_eq(new->fsuid, old->fsuid))
 458                 key_fsuid_changed(task);
 459         if (!gid_eq(new->fsgid, old->fsgid))
 460                 key_fsgid_changed(task);
 461
 462         /* do it
 463          * RLIMIT_NPROC limits on user->processes have already been checked
 464          * in set_user().
 465          */
 466         alter_cred_subscribers(new, 2);
 467         if (new->user != old->user)
 468                 atomic_inc(&new->user->processes);
 469         rcu_assign_pointer(task->real_cred, new);
 470         rcu_assign_pointer(task->cred, new);
 471         if (new->user != old->user)
 472                 atomic_dec(&old->user->processes);
 473         alter_cred_subscribers(old, -2);
 474
 475         /* send notifications */
 476         if (!uid_eq(new->uid,   old->uid)  ||
 477             !uid_eq(new->euid,  old->euid) ||
 478             !uid_eq(new->suid,  old->suid) ||
 479             !uid_eq(new->fsuid, old->fsuid))
 480                 proc_id_connector(task, PROC_EVENT_UID);
 481
 482         if (!gid_eq(new->gid,   old->gid)  ||
 483             !gid_eq(new->egid,  old->egid) ||
 484             !gid_eq(new->sgid,  old->sgid) ||
 485             !gid_eq(new->fsgid, old->fsgid))
 486                 proc_id_connector(task, PROC_EVENT_GID);
 487
 488         /* release the old obj and subj refs both */
 489         put_cred(old);
 490         put_cred(old);
 491         return 0;
 492 }
 493 EXPORT_SYMBOL(commit_creds);
 494
 495 /**
 496  * abort_creds - Discard a set of credentials and unlock the current task
 497  * @new: The credentials that were going to be applied
 498  *
 499  * Discard a set of credentials that were under construction and unlock the
 500  * current task.
 501  */
 502 void abort_creds(struct cred *new)
 503 {
 504         kdebug("abort_creds(%p{%d,%d})", new,
 505                atomic_read(&new->usage),
 506                read_cred_subscribers(new));
 507
 508 #ifdef CONFIG_DEBUG_CREDENTIALS
 509         BUG_ON(read_cred_subscribers(new) != 0);
 510 #endif
 511         BUG_ON(atomic_read(&new->usage) < 1);
 512         put_cred(new);
 513 }
 514 EXPORT_SYMBOL(abort_creds);
 515
 516 /**
 517  * override_creds - Override the current process's subjective credentials
 518  * @new: The credentials to be assigned
 519  *
 520  * Install a set of temporary override subjective credentials on the current
 521  * process, returning the old set for later reversion.
 522  */
 523 const struct cred *override_creds(const struct cred *new)
 524 {
 525         const struct cred *old = current->cred;
 526
 527         kdebug("override_creds(%p{%d,%d})", new,
 528                atomic_read(&new->usage),
 529                read_cred_subscribers(new));
 530
 531         validate_creds(old);
 532         validate_creds(new);
 533         get_cred(new);
 534         alter_cred_subscribers(new, 1);
 535         rcu_assign_pointer(current->cred, new);
 536         alter_cred_subscribers(old, -1);
 537
 538         kdebug("override_creds() = %p{%d,%d}", old,
 539                atomic_read(&old->usage),
 540                read_cred_subscribers(old));
 541         return old;
 542 }
 543 EXPORT_SYMBOL(override_creds);
 544
 545 /**
 546  * revert_creds - Revert a temporary subjective credentials override
 547  * @old: The credentials to be restored
 548  *
 549  * Revert a temporary set of override subjective credentials to an old set,
 550  * discarding the override set.
 551  */
 552 void revert_creds(const struct cred *old)
 553 {
 554         const struct cred *override = current->cred;
 555
 556         kdebug("revert_creds(%p{%d,%d})", old,
 557                atomic_read(&old->usage),
 558                read_cred_subscribers(old));
 559
 560         validate_creds(old);
 561         validate_creds(override);
 562         alter_cred_subscribers(old, 1);
 563         rcu_assign_pointer(current->cred, old);
 564         alter_cred_subscribers(override, -1);
 565         put_cred(override);
 566 }
 567 EXPORT_SYMBOL(revert_creds);
 568
 569 /**
 570  * cred_fscmp - Compare two credentials with respect to filesystem access.
 571  * @a: The first credential
 572  * @b: The second credential
 573  *
 574  * cred_cmp() will return zero if both credentials have the same
 575  * fsuid, fsgid, and supplementary groups.  That is, if they will both
 576  * provide the same access to files based on mode/uid/gid.
 577  * If the credentials are different, then either -1 or 1 will
 578  * be returned depending on whether @a comes before or after @b
 579  * respectively in an arbitrary, but stable, ordering of credentials.
 580  *
 581  * Return: -1, 0, or 1 depending on comparison
 582  */
 583 int cred_fscmp(const struct cred *a, const struct cred *b)
 584 {
 585         struct group_info *ga, *gb;
 586         int g;
 587
 588         if (a == b)
 589                 return 0;
 590         if (uid_lt(a->fsuid, b->fsuid))
 591                 return -1;
 592         if (uid_gt(a->fsuid, b->fsuid))
 593                 return 1;
 594
 595         if (gid_lt(a->fsgid, b->fsgid))
 596                 return -1;
 597         if (gid_gt(a->fsgid, b->fsgid))
 598                 return 1;
 599
 600         ga = a->group_info;
 601         gb = b->group_info;
 602         if (ga == gb)
 603                 return 0;
 604         if (ga == NULL)
 605                 return -1;
 606         if (gb == NULL)
 607                 return 1;
 608         if (ga->ngroups < gb->ngroups)
 609                 return -1;
 610         if (ga->ngroups > gb->ngroups)
 611                 return 1;
 612
 613         for (g = 0; g < ga->ngroups; g++) {
 614                 if (gid_lt(ga->gid[g], gb->gid[g]))
 615                         return -1;
 616                 if (gid_gt(ga->gid[g], gb->gid[g]))
 617                         return 1;
 618         }
 619         return 0;
 620 }
 621 EXPORT_SYMBOL(cred_fscmp);
 622
 623 /*
 624  * initialise the credentials stuff
 625  */
 626 void __init cred_init(void)
 627 {
 628         /* allocate a slab in which we can store credentials */
 629         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
 630                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
 631 }
 632
 633 /**
 634  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
 635  * @daemon: A userspace daemon to be used as a reference
 636  *
 637  * Prepare a set of credentials for a kernel service.  This can then be used to
 638  * override a task's own credentials so that work can be done on behalf of that
 639  * task that requires a different subjective context.
 640  *
 641  * @daemon is used to provide a base for the security record, but can be NULL.
 642  * If @daemon is supplied, then the security data will be derived from that;
 643  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
 644  *
 645  * The caller may change these controls afterwards if desired.
 646  *
 647  * Returns the new credentials or NULL if out of memory.
 648  *
 649  * Does not take, and does not return holding current->cred_replace_mutex.
 650  */
 651 struct cred *prepare_kernel_cred(struct task_struct *daemon)
 652 {
 653         const struct cred *old;
 654         struct cred *new;
 655
 656         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
 657         if (!new)
 658                 return NULL;
 659
 660         kdebug("prepare_kernel_cred() alloc %p", new);
 661
 662         if (daemon)
 663                 old = get_task_cred(daemon);
 664         else
 665                 old = get_cred(&init_cred);
 666
 667         validate_creds(old);
 668
 669         *new = *old;
 670         atomic_set(&new->usage, 1);
 671         set_cred_subscribers(new, 0);
 672         get_uid(new->user);
 673         get_user_ns(new->user_ns);
 674         get_group_info(new->group_info);
 675
 676 #ifdef CONFIG_KEYS
 677         new->session_keyring = NULL;
 678         new->process_keyring = NULL;
 679         new->thread_keyring = NULL;
 680         new->request_key_auth = NULL;
 681         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
 682 #endif
 683
 684 #ifdef CONFIG_SECURITY
 685         new->security = NULL;
 686 #endif
 687         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 688                 goto error;
 689
 690         put_cred(old);
 691         validate_creds(new);
 692         return new;
 693
 694 error:
 695         put_cred(new);
 696         put_cred(old);
 697         return NULL;
 698 }
 699 EXPORT_SYMBOL(prepare_kernel_cred);
 700
 701 /**
 702  * set_security_override - Set the security ID in a set of credentials
 703  * @new: The credentials to alter
 704  * @secid: The LSM security ID to set
 705  *
 706  * Set the LSM security ID in a set of credentials so that the subjective
 707  * security is overridden when an alternative set of credentials is used.
 708  */
 709 int set_security_override(struct cred *new, u32 secid)
 710 {
 711         return security_kernel_act_as(new, secid);
 712 }
 713 EXPORT_SYMBOL(set_security_override);
 714
 715 /**
 716  * set_security_override_from_ctx - Set the security ID in a set of credentials
 717  * @new: The credentials to alter
 718  * @secctx: The LSM security context to generate the security ID from.
 719  *
 720  * Set the LSM security ID in a set of credentials so that the subjective
 721  * security is overridden when an alternative set of credentials is used.  The
 722  * security ID is specified in string form as a security context to be
 723  * interpreted by the LSM.
 724  */
 725 int set_security_override_from_ctx(struct cred *new, const char *secctx)
 726 {
 727         u32 secid;
 728         int ret;
 729
 730         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
 731         if (ret < 0)
 732                 return ret;
 733
 734         return set_security_override(new, secid);
 735 }
 736 EXPORT_SYMBOL(set_security_override_from_ctx);
 737
 738 /**
 739  * set_create_files_as - Set the LSM file create context in a set of credentials
 740  * @new: The credentials to alter
 741  * @inode: The inode to take the context from
 742  *
 743  * Change the LSM file creation context in a set of credentials to be the same
 744  * as the object context of the specified inode, so that the new inodes have
 745  * the same MAC context as that inode.
 746  */
 747 int set_create_files_as(struct cred *new, struct inode *inode)
 748 {
 749         if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
 750                 return -EINVAL;
 751         new->fsuid = inode->i_uid;
 752         new->fsgid = inode->i_gid;
 753         return security_kernel_create_files_as(new, inode);
 754 }
 755 EXPORT_SYMBOL(set_create_files_as);
 756
 757 #ifdef CONFIG_DEBUG_CREDENTIALS
 758
 759 bool creds_are_invalid(const struct cred *cred)
 760 {
 761         if (cred->magic != CRED_MAGIC)
 762                 return true;
 763         return false;
 764 }
 765 EXPORT_SYMBOL(creds_are_invalid);
 766
 767 /*
 768  * dump invalid credentials
 769  */
 770 static void dump_invalid_creds(const struct cred *cred, const char *label,
 771                                const struct task_struct *tsk)
 772 {
 773         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
 774                label, cred,
 775                cred == &init_cred ? "[init]" : "",
 776                cred == tsk->real_cred ? "[real]" : "",
 777                cred == tsk->cred ? "[eff]" : "");
 778         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
 779                cred->magic, cred->put_addr);
 780         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
 781                atomic_read(&cred->usage),
 782                read_cred_subscribers(cred));
 783         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
 784                 from_kuid_munged(&init_user_ns, cred->uid),
 785                 from_kuid_munged(&init_user_ns, cred->euid),
 786                 from_kuid_munged(&init_user_ns, cred->suid),
 787                 from_kuid_munged(&init_user_ns, cred->fsuid));
 788         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
 789                 from_kgid_munged(&init_user_ns, cred->gid),
 790                 from_kgid_munged(&init_user_ns, cred->egid),
 791                 from_kgid_munged(&init_user_ns, cred->sgid),
 792                 from_kgid_munged(&init_user_ns, cred->fsgid));
 793 #ifdef CONFIG_SECURITY
 794         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
 795         if ((unsigned long) cred->security >= PAGE_SIZE &&
 796             (((unsigned long) cred->security & 0xffffff00) !=
 797              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
 798                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
 799                        ((u32*)cred->security)[0],
 800                        ((u32*)cred->security)[1]);
 801 #endif
 802 }
 803
 804 /*
 805  * report use of invalid credentials
 806  */
 807 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
 808 {
 809         printk(KERN_ERR "CRED: Invalid credentials\n");
 810         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
 811         dump_invalid_creds(cred, "Specified", current);
 812         BUG();
 813 }
 814 EXPORT_SYMBOL(__invalid_creds);
 815
 816 /*
 817  * check the credentials on a process
 818  */
 819 void __validate_process_creds(struct task_struct *tsk,
 820                               const char *file, unsigned line)
 821 {
 822         if (tsk->cred == tsk->real_cred) {
 823                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
 824                              creds_are_invalid(tsk->cred)))
 825                         goto invalid_creds;
 826         } else {
 827                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
 828                              read_cred_subscribers(tsk->cred) < 1 ||
 829                              creds_are_invalid(tsk->real_cred) ||
 830                              creds_are_invalid(tsk->cred)))
 831                         goto invalid_creds;
 832         }
 833         return;
 834
 835 invalid_creds:
 836         printk(KERN_ERR "CRED: Invalid process credentials\n");
 837         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
 838
 839         dump_invalid_creds(tsk->real_cred, "Real", tsk);
 840         if (tsk->cred != tsk->real_cred)
 841                 dump_invalid_creds(tsk->cred, "Effective", tsk);
 842         else
 843                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
 844         BUG();
 845 }
 846 EXPORT_SYMBOL(__validate_process_creds);
 847
 848 /*
 849  * check creds for do_exit()
 850  */
 851 void validate_creds_for_do_exit(struct task_struct *tsk)
 852 {
 853         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
 854                tsk->real_cred, tsk->cred,
 855                atomic_read(&tsk->cred->usage),
 856                read_cred_subscribers(tsk->cred));
 857
 858         __validate_process_creds(tsk, __FILE__, __LINE__);
 859 }
 860
 861 #endif /* CONFIG_DEBUG_CREDENTIALS */