fsnotify: store struct file not struct path
[sfrench/cifs-2.6.git] / security / keys / process_keys.c
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <asm/uaccess.h>
22 #include "internal.h"
23
24 /* session keyring create vs join semaphore */
25 static DEFINE_MUTEX(key_session_mutex);
26
27 /* user keyring creation semaphore */
28 static DEFINE_MUTEX(key_user_keyring_mutex);
29
30 /* the root user's tracking struct */
31 struct key_user root_key_user = {
32         .usage          = ATOMIC_INIT(3),
33         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
34         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
35         .nkeys          = ATOMIC_INIT(2),
36         .nikeys         = ATOMIC_INIT(2),
37         .uid            = 0,
38         .user_ns        = &init_user_ns,
39 };
40
41 /*****************************************************************************/
42 /*
43  * install user and user session keyrings for a particular UID
44  */
45 int install_user_keyrings(void)
46 {
47         struct user_struct *user;
48         const struct cred *cred;
49         struct key *uid_keyring, *session_keyring;
50         char buf[20];
51         int ret;
52
53         cred = current_cred();
54         user = cred->user;
55
56         kenter("%p{%u}", user, user->uid);
57
58         if (user->uid_keyring) {
59                 kleave(" = 0 [exist]");
60                 return 0;
61         }
62
63         mutex_lock(&key_user_keyring_mutex);
64         ret = 0;
65
66         if (!user->uid_keyring) {
67                 /* get the UID-specific keyring
68                  * - there may be one in existence already as it may have been
69                  *   pinned by a session, but the user_struct pointing to it
70                  *   may have been destroyed by setuid */
71                 sprintf(buf, "_uid.%u", user->uid);
72
73                 uid_keyring = find_keyring_by_name(buf, true);
74                 if (IS_ERR(uid_keyring)) {
75                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
76                                                     cred, KEY_ALLOC_IN_QUOTA,
77                                                     NULL);
78                         if (IS_ERR(uid_keyring)) {
79                                 ret = PTR_ERR(uid_keyring);
80                                 goto error;
81                         }
82                 }
83
84                 /* get a default session keyring (which might also exist
85                  * already) */
86                 sprintf(buf, "_uid_ses.%u", user->uid);
87
88                 session_keyring = find_keyring_by_name(buf, true);
89                 if (IS_ERR(session_keyring)) {
90                         session_keyring =
91                                 keyring_alloc(buf, user->uid, (gid_t) -1,
92                                               cred, KEY_ALLOC_IN_QUOTA, NULL);
93                         if (IS_ERR(session_keyring)) {
94                                 ret = PTR_ERR(session_keyring);
95                                 goto error_release;
96                         }
97
98                         /* we install a link from the user session keyring to
99                          * the user keyring */
100                         ret = key_link(session_keyring, uid_keyring);
101                         if (ret < 0)
102                                 goto error_release_both;
103                 }
104
105                 /* install the keyrings */
106                 user->uid_keyring = uid_keyring;
107                 user->session_keyring = session_keyring;
108         }
109
110         mutex_unlock(&key_user_keyring_mutex);
111         kleave(" = 0");
112         return 0;
113
114 error_release_both:
115         key_put(session_keyring);
116 error_release:
117         key_put(uid_keyring);
118 error:
119         mutex_unlock(&key_user_keyring_mutex);
120         kleave(" = %d", ret);
121         return ret;
122 }
123
124 /*
125  * install a fresh thread keyring directly to new credentials
126  */
127 int install_thread_keyring_to_cred(struct cred *new)
128 {
129         struct key *keyring;
130
131         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
132                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
133         if (IS_ERR(keyring))
134                 return PTR_ERR(keyring);
135
136         new->thread_keyring = keyring;
137         return 0;
138 }
139
140 /*
141  * install a fresh thread keyring, discarding the old one
142  */
143 static int install_thread_keyring(void)
144 {
145         struct cred *new;
146         int ret;
147
148         new = prepare_creds();
149         if (!new)
150                 return -ENOMEM;
151
152         BUG_ON(new->thread_keyring);
153
154         ret = install_thread_keyring_to_cred(new);
155         if (ret < 0) {
156                 abort_creds(new);
157                 return ret;
158         }
159
160         return commit_creds(new);
161 }
162
163 /*
164  * install a process keyring directly to a credentials struct
165  * - returns -EEXIST if there was already a process keyring, 0 if one installed,
166  *   and other -ve on any other error
167  */
168 int install_process_keyring_to_cred(struct cred *new)
169 {
170         struct key *keyring;
171         int ret;
172
173         if (new->tgcred->process_keyring)
174                 return -EEXIST;
175
176         keyring = keyring_alloc("_pid", new->uid, new->gid,
177                                 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
178         if (IS_ERR(keyring))
179                 return PTR_ERR(keyring);
180
181         spin_lock_irq(&new->tgcred->lock);
182         if (!new->tgcred->process_keyring) {
183                 new->tgcred->process_keyring = keyring;
184                 keyring = NULL;
185                 ret = 0;
186         } else {
187                 ret = -EEXIST;
188         }
189         spin_unlock_irq(&new->tgcred->lock);
190         key_put(keyring);
191         return ret;
192 }
193
194 /*
195  * make sure a process keyring is installed
196  * - we
197  */
198 static int install_process_keyring(void)
199 {
200         struct cred *new;
201         int ret;
202
203         new = prepare_creds();
204         if (!new)
205                 return -ENOMEM;
206
207         ret = install_process_keyring_to_cred(new);
208         if (ret < 0) {
209                 abort_creds(new);
210                 return ret != -EEXIST ?: 0;
211         }
212
213         return commit_creds(new);
214 }
215
216 /*
217  * install a session keyring directly to a credentials struct
218  */
219 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
220 {
221         unsigned long flags;
222         struct key *old;
223
224         might_sleep();
225
226         /* create an empty session keyring */
227         if (!keyring) {
228                 flags = KEY_ALLOC_QUOTA_OVERRUN;
229                 if (cred->tgcred->session_keyring)
230                         flags = KEY_ALLOC_IN_QUOTA;
231
232                 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
233                                         cred, flags, NULL);
234                 if (IS_ERR(keyring))
235                         return PTR_ERR(keyring);
236         } else {
237                 atomic_inc(&keyring->usage);
238         }
239
240         /* install the keyring */
241         spin_lock_irq(&cred->tgcred->lock);
242         old = cred->tgcred->session_keyring;
243         rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
244         spin_unlock_irq(&cred->tgcred->lock);
245
246         /* we're using RCU on the pointer, but there's no point synchronising
247          * on it if it didn't previously point to anything */
248         if (old) {
249                 synchronize_rcu();
250                 key_put(old);
251         }
252
253         return 0;
254 }
255
256 /*
257  * install a session keyring, discarding the old one
258  * - if a keyring is not supplied, an empty one is invented
259  */
260 static int install_session_keyring(struct key *keyring)
261 {
262         struct cred *new;
263         int ret;
264
265         new = prepare_creds();
266         if (!new)
267                 return -ENOMEM;
268
269         ret = install_session_keyring_to_cred(new, NULL);
270         if (ret < 0) {
271                 abort_creds(new);
272                 return ret;
273         }
274
275         return commit_creds(new);
276 }
277
278 /*****************************************************************************/
279 /*
280  * the filesystem user ID changed
281  */
282 void key_fsuid_changed(struct task_struct *tsk)
283 {
284         /* update the ownership of the thread keyring */
285         BUG_ON(!tsk->cred);
286         if (tsk->cred->thread_keyring) {
287                 down_write(&tsk->cred->thread_keyring->sem);
288                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
289                 up_write(&tsk->cred->thread_keyring->sem);
290         }
291
292 } /* end key_fsuid_changed() */
293
294 /*****************************************************************************/
295 /*
296  * the filesystem group ID changed
297  */
298 void key_fsgid_changed(struct task_struct *tsk)
299 {
300         /* update the ownership of the thread keyring */
301         BUG_ON(!tsk->cred);
302         if (tsk->cred->thread_keyring) {
303                 down_write(&tsk->cred->thread_keyring->sem);
304                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
305                 up_write(&tsk->cred->thread_keyring->sem);
306         }
307
308 } /* end key_fsgid_changed() */
309
310 /*****************************************************************************/
311 /*
312  * search the process keyrings for the first matching key
313  * - we use the supplied match function to see if the description (or other
314  *   feature of interest) matches
315  * - we return -EAGAIN if we didn't find any matching key
316  * - we return -ENOKEY if we found only negative matching keys
317  */
318 key_ref_t search_process_keyrings(struct key_type *type,
319                                   const void *description,
320                                   key_match_func_t match,
321                                   const struct cred *cred)
322 {
323         struct request_key_auth *rka;
324         key_ref_t key_ref, ret, err;
325
326         might_sleep();
327
328         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
329          * searchable, but we failed to find a key or we found a negative key;
330          * otherwise we want to return a sample error (probably -EACCES) if
331          * none of the keyrings were searchable
332          *
333          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
334          */
335         key_ref = NULL;
336         ret = NULL;
337         err = ERR_PTR(-EAGAIN);
338
339         /* search the thread keyring first */
340         if (cred->thread_keyring) {
341                 key_ref = keyring_search_aux(
342                         make_key_ref(cred->thread_keyring, 1),
343                         cred, type, description, match);
344                 if (!IS_ERR(key_ref))
345                         goto found;
346
347                 switch (PTR_ERR(key_ref)) {
348                 case -EAGAIN: /* no key */
349                         if (ret)
350                                 break;
351                 case -ENOKEY: /* negative key */
352                         ret = key_ref;
353                         break;
354                 default:
355                         err = key_ref;
356                         break;
357                 }
358         }
359
360         /* search the process keyring second */
361         if (cred->tgcred->process_keyring) {
362                 key_ref = keyring_search_aux(
363                         make_key_ref(cred->tgcred->process_keyring, 1),
364                         cred, type, description, match);
365                 if (!IS_ERR(key_ref))
366                         goto found;
367
368                 switch (PTR_ERR(key_ref)) {
369                 case -EAGAIN: /* no key */
370                         if (ret)
371                                 break;
372                 case -ENOKEY: /* negative key */
373                         ret = key_ref;
374                         break;
375                 default:
376                         err = key_ref;
377                         break;
378                 }
379         }
380
381         /* search the session keyring */
382         if (cred->tgcred->session_keyring) {
383                 rcu_read_lock();
384                 key_ref = keyring_search_aux(
385                         make_key_ref(rcu_dereference(
386                                              cred->tgcred->session_keyring),
387                                      1),
388                         cred, type, description, match);
389                 rcu_read_unlock();
390
391                 if (!IS_ERR(key_ref))
392                         goto found;
393
394                 switch (PTR_ERR(key_ref)) {
395                 case -EAGAIN: /* no key */
396                         if (ret)
397                                 break;
398                 case -ENOKEY: /* negative key */
399                         ret = key_ref;
400                         break;
401                 default:
402                         err = key_ref;
403                         break;
404                 }
405         }
406         /* or search the user-session keyring */
407         else if (cred->user->session_keyring) {
408                 key_ref = keyring_search_aux(
409                         make_key_ref(cred->user->session_keyring, 1),
410                         cred, type, description, match);
411                 if (!IS_ERR(key_ref))
412                         goto found;
413
414                 switch (PTR_ERR(key_ref)) {
415                 case -EAGAIN: /* no key */
416                         if (ret)
417                                 break;
418                 case -ENOKEY: /* negative key */
419                         ret = key_ref;
420                         break;
421                 default:
422                         err = key_ref;
423                         break;
424                 }
425         }
426
427         /* if this process has an instantiation authorisation key, then we also
428          * search the keyrings of the process mentioned there
429          * - we don't permit access to request_key auth keys via this method
430          */
431         if (cred->request_key_auth &&
432             cred == current_cred() &&
433             type != &key_type_request_key_auth
434             ) {
435                 /* defend against the auth key being revoked */
436                 down_read(&cred->request_key_auth->sem);
437
438                 if (key_validate(cred->request_key_auth) == 0) {
439                         rka = cred->request_key_auth->payload.data;
440
441                         key_ref = search_process_keyrings(type, description,
442                                                           match, rka->cred);
443
444                         up_read(&cred->request_key_auth->sem);
445
446                         if (!IS_ERR(key_ref))
447                                 goto found;
448
449                         switch (PTR_ERR(key_ref)) {
450                         case -EAGAIN: /* no key */
451                                 if (ret)
452                                         break;
453                         case -ENOKEY: /* negative key */
454                                 ret = key_ref;
455                                 break;
456                         default:
457                                 err = key_ref;
458                                 break;
459                         }
460                 } else {
461                         up_read(&cred->request_key_auth->sem);
462                 }
463         }
464
465         /* no key - decide on the error we're going to go for */
466         key_ref = ret ? ret : err;
467
468 found:
469         return key_ref;
470
471 } /* end search_process_keyrings() */
472
473 /*****************************************************************************/
474 /*
475  * see if the key we're looking at is the target key
476  */
477 static int lookup_user_key_possessed(const struct key *key, const void *target)
478 {
479         return key == target;
480
481 } /* end lookup_user_key_possessed() */
482
483 /*****************************************************************************/
484 /*
485  * lookup a key given a key ID from userspace with a given permissions mask
486  * - don't create special keyrings unless so requested
487  * - partially constructed keys aren't found unless requested
488  */
489 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
490                           key_perm_t perm)
491 {
492         struct request_key_auth *rka;
493         const struct cred *cred;
494         struct key *key;
495         key_ref_t key_ref, skey_ref;
496         int ret;
497
498 try_again:
499         cred = get_current_cred();
500         key_ref = ERR_PTR(-ENOKEY);
501
502         switch (id) {
503         case KEY_SPEC_THREAD_KEYRING:
504                 if (!cred->thread_keyring) {
505                         if (!(lflags & KEY_LOOKUP_CREATE))
506                                 goto error;
507
508                         ret = install_thread_keyring();
509                         if (ret < 0) {
510                                 key_ref = ERR_PTR(ret);
511                                 goto error;
512                         }
513                         goto reget_creds;
514                 }
515
516                 key = cred->thread_keyring;
517                 atomic_inc(&key->usage);
518                 key_ref = make_key_ref(key, 1);
519                 break;
520
521         case KEY_SPEC_PROCESS_KEYRING:
522                 if (!cred->tgcred->process_keyring) {
523                         if (!(lflags & KEY_LOOKUP_CREATE))
524                                 goto error;
525
526                         ret = install_process_keyring();
527                         if (ret < 0) {
528                                 key_ref = ERR_PTR(ret);
529                                 goto error;
530                         }
531                         goto reget_creds;
532                 }
533
534                 key = cred->tgcred->process_keyring;
535                 atomic_inc(&key->usage);
536                 key_ref = make_key_ref(key, 1);
537                 break;
538
539         case KEY_SPEC_SESSION_KEYRING:
540                 if (!cred->tgcred->session_keyring) {
541                         /* always install a session keyring upon access if one
542                          * doesn't exist yet */
543                         ret = install_user_keyrings();
544                         if (ret < 0)
545                                 goto error;
546                         ret = install_session_keyring(
547                                 cred->user->session_keyring);
548
549                         if (ret < 0)
550                                 goto error;
551                         goto reget_creds;
552                 }
553
554                 rcu_read_lock();
555                 key = rcu_dereference(cred->tgcred->session_keyring);
556                 atomic_inc(&key->usage);
557                 rcu_read_unlock();
558                 key_ref = make_key_ref(key, 1);
559                 break;
560
561         case KEY_SPEC_USER_KEYRING:
562                 if (!cred->user->uid_keyring) {
563                         ret = install_user_keyrings();
564                         if (ret < 0)
565                                 goto error;
566                 }
567
568                 key = cred->user->uid_keyring;
569                 atomic_inc(&key->usage);
570                 key_ref = make_key_ref(key, 1);
571                 break;
572
573         case KEY_SPEC_USER_SESSION_KEYRING:
574                 if (!cred->user->session_keyring) {
575                         ret = install_user_keyrings();
576                         if (ret < 0)
577                                 goto error;
578                 }
579
580                 key = cred->user->session_keyring;
581                 atomic_inc(&key->usage);
582                 key_ref = make_key_ref(key, 1);
583                 break;
584
585         case KEY_SPEC_GROUP_KEYRING:
586                 /* group keyrings are not yet supported */
587                 key_ref = ERR_PTR(-EINVAL);
588                 goto error;
589
590         case KEY_SPEC_REQKEY_AUTH_KEY:
591                 key = cred->request_key_auth;
592                 if (!key)
593                         goto error;
594
595                 atomic_inc(&key->usage);
596                 key_ref = make_key_ref(key, 1);
597                 break;
598
599         case KEY_SPEC_REQUESTOR_KEYRING:
600                 if (!cred->request_key_auth)
601                         goto error;
602
603                 down_read(&cred->request_key_auth->sem);
604                 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
605                         key_ref = ERR_PTR(-EKEYREVOKED);
606                         key = NULL;
607                 } else {
608                         rka = cred->request_key_auth->payload.data;
609                         key = rka->dest_keyring;
610                         atomic_inc(&key->usage);
611                 }
612                 up_read(&cred->request_key_auth->sem);
613                 if (!key)
614                         goto error;
615                 key_ref = make_key_ref(key, 1);
616                 break;
617
618         default:
619                 key_ref = ERR_PTR(-EINVAL);
620                 if (id < 1)
621                         goto error;
622
623                 key = key_lookup(id);
624                 if (IS_ERR(key)) {
625                         key_ref = ERR_CAST(key);
626                         goto error;
627                 }
628
629                 key_ref = make_key_ref(key, 0);
630
631                 /* check to see if we possess the key */
632                 skey_ref = search_process_keyrings(key->type, key,
633                                                    lookup_user_key_possessed,
634                                                    cred);
635
636                 if (!IS_ERR(skey_ref)) {
637                         key_put(key);
638                         key_ref = skey_ref;
639                 }
640
641                 break;
642         }
643
644         /* unlink does not use the nominated key in any way, so can skip all
645          * the permission checks as it is only concerned with the keyring */
646         if (lflags & KEY_LOOKUP_FOR_UNLINK) {
647                 ret = 0;
648                 goto error;
649         }
650
651         if (!(lflags & KEY_LOOKUP_PARTIAL)) {
652                 ret = wait_for_key_construction(key, true);
653                 switch (ret) {
654                 case -ERESTARTSYS:
655                         goto invalid_key;
656                 default:
657                         if (perm)
658                                 goto invalid_key;
659                 case 0:
660                         break;
661                 }
662         } else if (perm) {
663                 ret = key_validate(key);
664                 if (ret < 0)
665                         goto invalid_key;
666         }
667
668         ret = -EIO;
669         if (!(lflags & KEY_LOOKUP_PARTIAL) &&
670             !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
671                 goto invalid_key;
672
673         /* check the permissions */
674         ret = key_task_permission(key_ref, cred, perm);
675         if (ret < 0)
676                 goto invalid_key;
677
678 error:
679         put_cred(cred);
680         return key_ref;
681
682 invalid_key:
683         key_ref_put(key_ref);
684         key_ref = ERR_PTR(ret);
685         goto error;
686
687         /* if we attempted to install a keyring, then it may have caused new
688          * creds to be installed */
689 reget_creds:
690         put_cred(cred);
691         goto try_again;
692
693 } /* end lookup_user_key() */
694
695 /*****************************************************************************/
696 /*
697  * join the named keyring as the session keyring if possible, or attempt to
698  * create a new one of that name if not
699  * - if the name is NULL, an empty anonymous keyring is installed instead
700  * - named session keyring joining is done with a semaphore held
701  */
702 long join_session_keyring(const char *name)
703 {
704         const struct cred *old;
705         struct cred *new;
706         struct key *keyring;
707         long ret, serial;
708
709         /* only permit this if there's a single thread in the thread group -
710          * this avoids us having to adjust the creds on all threads and risking
711          * ENOMEM */
712         if (!current_is_single_threaded())
713                 return -EMLINK;
714
715         new = prepare_creds();
716         if (!new)
717                 return -ENOMEM;
718         old = current_cred();
719
720         /* if no name is provided, install an anonymous keyring */
721         if (!name) {
722                 ret = install_session_keyring_to_cred(new, NULL);
723                 if (ret < 0)
724                         goto error;
725
726                 serial = new->tgcred->session_keyring->serial;
727                 ret = commit_creds(new);
728                 if (ret == 0)
729                         ret = serial;
730                 goto okay;
731         }
732
733         /* allow the user to join or create a named keyring */
734         mutex_lock(&key_session_mutex);
735
736         /* look for an existing keyring of this name */
737         keyring = find_keyring_by_name(name, false);
738         if (PTR_ERR(keyring) == -ENOKEY) {
739                 /* not found - try and create a new one */
740                 keyring = keyring_alloc(name, old->uid, old->gid, old,
741                                         KEY_ALLOC_IN_QUOTA, NULL);
742                 if (IS_ERR(keyring)) {
743                         ret = PTR_ERR(keyring);
744                         goto error2;
745                 }
746         } else if (IS_ERR(keyring)) {
747                 ret = PTR_ERR(keyring);
748                 goto error2;
749         }
750
751         /* we've got a keyring - now to install it */
752         ret = install_session_keyring_to_cred(new, keyring);
753         if (ret < 0)
754                 goto error2;
755
756         commit_creds(new);
757         mutex_unlock(&key_session_mutex);
758
759         ret = keyring->serial;
760         key_put(keyring);
761 okay:
762         return ret;
763
764 error2:
765         mutex_unlock(&key_session_mutex);
766 error:
767         abort_creds(new);
768         return ret;
769 }
770
771 /*
772  * Replace a process's session keyring when that process resumes userspace on
773  * behalf of one of its children
774  */
775 void key_replace_session_keyring(void)
776 {
777         const struct cred *old;
778         struct cred *new;
779
780         if (!current->replacement_session_keyring)
781                 return;
782
783         write_lock_irq(&tasklist_lock);
784         new = current->replacement_session_keyring;
785         current->replacement_session_keyring = NULL;
786         write_unlock_irq(&tasklist_lock);
787
788         if (!new)
789                 return;
790
791         old = current_cred();
792         new->  uid      = old->  uid;
793         new-> euid      = old-> euid;
794         new-> suid      = old-> suid;
795         new->fsuid      = old->fsuid;
796         new->  gid      = old->  gid;
797         new-> egid      = old-> egid;
798         new-> sgid      = old-> sgid;
799         new->fsgid      = old->fsgid;
800         new->user       = get_uid(old->user);
801         new->group_info = get_group_info(old->group_info);
802
803         new->securebits = old->securebits;
804         new->cap_inheritable    = old->cap_inheritable;
805         new->cap_permitted      = old->cap_permitted;
806         new->cap_effective      = old->cap_effective;
807         new->cap_bset           = old->cap_bset;
808
809         new->jit_keyring        = old->jit_keyring;
810         new->thread_keyring     = key_get(old->thread_keyring);
811         new->tgcred->tgid       = old->tgcred->tgid;
812         new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
813
814         security_transfer_creds(new, old);
815
816         commit_creds(new);
817 }