^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-or-later
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /* Task credentials management - see Documentation/security/credentials.rst
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Written by David Howells (dhowells@redhat.com)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) #include <linux/export.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) #include <linux/cred.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/sched/coredump.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/key.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/keyctl.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/init_task.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/security.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/binfmts.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/cn_proc.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <linux/uidgid.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include <trace/hooks/creds.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #if 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #define kdebug(FMT, ...) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) printk("[%-5.5s%5u] " FMT "\n", \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) current->comm, current->pid, ##__VA_ARGS__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) #else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) #define kdebug(FMT, ...) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) do { \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) if (0) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) no_printk("[%-5.5s%5u] " FMT "\n", \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) current->comm, current->pid, ##__VA_ARGS__); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) } while (0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) static struct kmem_cache *cred_jar;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) /* init to 2 - one for init_task, one to ensure it is never freed */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) * The initial credentials for the initial task
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) struct cred init_cred = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) .usage = ATOMIC_INIT(4),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) .subscribers = ATOMIC_INIT(2),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) .magic = CRED_MAGIC,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) .uid = GLOBAL_ROOT_UID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) .gid = GLOBAL_ROOT_GID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) .suid = GLOBAL_ROOT_UID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) .sgid = GLOBAL_ROOT_GID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) .euid = GLOBAL_ROOT_UID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) .egid = GLOBAL_ROOT_GID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) .fsuid = GLOBAL_ROOT_UID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) .fsgid = GLOBAL_ROOT_GID,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) .securebits = SECUREBITS_DEFAULT,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) .cap_inheritable = CAP_EMPTY_SET,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) .cap_permitted = CAP_FULL_SET,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) .cap_effective = CAP_FULL_SET,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) .cap_bset = CAP_FULL_SET,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) .user = INIT_USER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) .user_ns = &init_user_ns,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) .group_info = &init_groups,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) static inline void set_cred_subscribers(struct cred *cred, int n)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) atomic_set(&cred->subscribers, n);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) static inline int read_cred_subscribers(const struct cred *cred)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) return atomic_read(&cred->subscribers);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) #else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) static inline void alter_cred_subscribers(const struct cred *_cred, int n)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) struct cred *cred = (struct cred *) _cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) atomic_add(n, &cred->subscribers);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) * The RCU callback to actually dispose of a set of credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) static void put_cred_rcu(struct rcu_head *rcu)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) struct cred *cred = container_of(rcu, struct cred, rcu);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) kdebug("put_cred_rcu(%p)", cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) if (cred->magic != CRED_MAGIC_DEAD ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) atomic_read(&cred->usage) != 0 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) read_cred_subscribers(cred) != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) panic("CRED: put_cred_rcu() sees %p with"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) " mag %x, put %p, usage %d, subscr %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) cred, cred->magic, cred->put_addr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) atomic_read(&cred->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) read_cred_subscribers(cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) #else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) if (atomic_read(&cred->usage) != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) panic("CRED: put_cred_rcu() sees %p with usage %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) cred, atomic_read(&cred->usage));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) security_cred_free(cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) key_put(cred->session_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) key_put(cred->process_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) key_put(cred->thread_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) key_put(cred->request_key_auth);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) if (cred->group_info)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) put_group_info(cred->group_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) free_uid(cred->user);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) put_user_ns(cred->user_ns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) kmem_cache_free(cred_jar, cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) * __put_cred - Destroy a set of credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) * @cred: The record to release
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) * Destroy a set of credentials on which no references remain.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) void __put_cred(struct cred *cred)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) kdebug("__put_cred(%p{%d,%d})", cred,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) atomic_read(&cred->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) read_cred_subscribers(cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) BUG_ON(atomic_read(&cred->usage) != 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) BUG_ON(read_cred_subscribers(cred) != 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) cred->magic = CRED_MAGIC_DEAD;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) cred->put_addr = __builtin_return_address(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) BUG_ON(cred == current->cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) BUG_ON(cred == current->real_cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) if (cred->non_rcu)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) put_cred_rcu(&cred->rcu);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) call_rcu(&cred->rcu, put_cred_rcu);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) EXPORT_SYMBOL(__put_cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) * Clean up a task's credentials when it exits
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) void exit_creds(struct task_struct *tsk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) struct cred *cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) atomic_read(&tsk->cred->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) read_cred_subscribers(tsk->cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) cred = (struct cred *) tsk->real_cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) tsk->real_cred = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) validate_creds(cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) alter_cred_subscribers(cred, -1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) put_cred(cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) cred = (struct cred *) tsk->cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) tsk->cred = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) validate_creds(cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) alter_cred_subscribers(cred, -1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) put_cred(cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) #ifdef CONFIG_KEYS_REQUEST_CACHE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) key_put(tsk->cached_requested_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) tsk->cached_requested_key = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) trace_android_vh_exit_creds(tsk, cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) * get_task_cred - Get another task's objective credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) * @task: The task to query
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) * Get the objective credentials of a task, pinning them so that they can't go
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) * away. Accessing a task's credentials directly is not permitted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) * The caller must also make sure task doesn't get deleted, either by holding a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) * ref on task or by holding tasklist_lock to prevent it from being unlinked.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) const struct cred *get_task_cred(struct task_struct *task)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) const struct cred *cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) do {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) cred = __task_cred((task));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) BUG_ON(!cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) } while (!get_cred_rcu(cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) return cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) EXPORT_SYMBOL(get_task_cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) * Allocate blank credentials, such that the credentials can be filled in at a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) * later date without risk of ENOMEM.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) struct cred *cred_alloc_blank(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) struct cred *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) atomic_set(&new->usage, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) new->magic = CRED_MAGIC;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) return new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) error:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) abort_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) * prepare_creds - Prepare a new set of credentials for modification
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) * Prepare a new set of task credentials for modification. A task's creds
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) * shouldn't generally be modified directly, therefore this function is used to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) * prepare a new copy, which the caller then modifies and then commits by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) * calling commit_creds().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) * Preparation involves making a copy of the objective creds for modification.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) * Call commit_creds() or abort_creds() to clean up.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) struct cred *prepare_creds(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) struct task_struct *task = current;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) const struct cred *old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) struct cred *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) validate_process_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) kdebug("prepare_creds() alloc %p", new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) old = task->cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) memcpy(new, old, sizeof(struct cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) new->non_rcu = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) atomic_set(&new->usage, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) set_cred_subscribers(new, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) get_group_info(new->group_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) get_uid(new->user);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) get_user_ns(new->user_ns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) #ifdef CONFIG_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) key_get(new->session_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) key_get(new->process_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) key_get(new->thread_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) key_get(new->request_key_auth);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) #ifdef CONFIG_SECURITY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) new->security = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) validate_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) return new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) error:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) abort_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) EXPORT_SYMBOL(prepare_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) * Prepare credentials for current to perform an execve()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) * - The caller must hold ->cred_guard_mutex
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) struct cred *prepare_exec_creds(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) struct cred *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) new = prepare_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) return new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) #ifdef CONFIG_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) /* newly exec'd tasks don't get a thread keyring */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) key_put(new->thread_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) new->thread_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) /* inherit the session keyring; new process keyring */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) key_put(new->process_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) new->process_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) new->suid = new->fsuid = new->euid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) new->sgid = new->fsgid = new->egid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) return new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) * Copy credentials for the new process created by fork()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) * We share if we can, but under some circumstances we have to generate a new
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) * set.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) * The new process gets the current process's subjective credentials as its
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) * objective and subjective credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) int copy_creds(struct task_struct *p, unsigned long clone_flags)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) struct cred *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) #ifdef CONFIG_KEYS_REQUEST_CACHE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) p->cached_requested_key = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) if (
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) #ifdef CONFIG_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) !p->cred->thread_keyring &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) clone_flags & CLONE_THREAD
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) ) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) p->real_cred = get_cred(p->cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) get_cred(p->cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) alter_cred_subscribers(p->cred, 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) kdebug("share_creds(%p{%d,%d})",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) p->cred, atomic_read(&p->cred->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) read_cred_subscribers(p->cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) atomic_inc(&p->cred->user->processes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) new = prepare_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) if (clone_flags & CLONE_NEWUSER) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) ret = create_user_ns(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) goto error_put;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) #ifdef CONFIG_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) /* new threads get their own thread keyrings if their parent already
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) * had one */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) if (new->thread_keyring) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) key_put(new->thread_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) new->thread_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) if (clone_flags & CLONE_THREAD)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) install_thread_keyring_to_cred(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) /* The process keyring is only shared between the threads in a process;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) * anything outside of those threads doesn't inherit.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) if (!(clone_flags & CLONE_THREAD)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) key_put(new->process_keyring);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) new->process_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) atomic_inc(&new->user->processes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) p->cred = p->real_cred = get_cred(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) alter_cred_subscribers(new, 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) validate_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) error_put:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) put_cred(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) const struct user_namespace *set_ns = set->user_ns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) const struct user_namespace *subset_ns = subset->user_ns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) /* If the two credentials are in the same user namespace see if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) * the capabilities of subset are a subset of set.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) if (set_ns == subset_ns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) return cap_issubset(subset->cap_permitted, set->cap_permitted);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) /* The credentials are in a different user namespaces
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) * therefore one is a subset of the other only if a set is an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) * ancestor of subset and set->euid is owner of subset or one
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) * of subsets ancestors.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) if ((set_ns == subset_ns->parent) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) uid_eq(subset_ns->owner, set->euid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) * commit_creds - Install new credentials upon the current task
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) * @new: The credentials to be assigned
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) * Install a new set of credentials to the current task, using RCU to replace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) * the old set. Both the objective and the subjective credentials pointers are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) * updated. This function may not be called if the subjective credentials are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) * in an overridden state.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) * This function eats the caller's reference to the new credentials.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) * Always returns 0 thus allowing this function to be tail-called at the end
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) * of, say, sys_setgid().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) int commit_creds(struct cred *new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) struct task_struct *task = current;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) const struct cred *old = task->real_cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) kdebug("commit_creds(%p{%d,%d})", new,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) atomic_read(&new->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) read_cred_subscribers(new));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) BUG_ON(task->cred != old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) BUG_ON(read_cred_subscribers(old) < 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) validate_creds(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) validate_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) BUG_ON(atomic_read(&new->usage) < 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) get_cred(new); /* we will require a ref for the subj creds too */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) /* dumpability changes */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) if (!uid_eq(old->euid, new->euid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) !gid_eq(old->egid, new->egid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) !uid_eq(old->fsuid, new->fsuid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) !gid_eq(old->fsgid, new->fsgid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) !cred_cap_issubset(old, new)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) if (task->mm)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) set_dumpable(task->mm, suid_dumpable);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) task->pdeath_signal = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) * If a task drops privileges and becomes nondumpable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) * the dumpability change must become visible before
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) * the credential change; otherwise, a __ptrace_may_access()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) * racing with this change may be able to attach to a task it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473) * shouldn't be able to attach to (as if the task had dropped
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) * privileges without becoming nondumpable).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) * Pairs with a read barrier in __ptrace_may_access().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) smp_wmb();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) /* alter the thread keyring */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) if (!uid_eq(new->fsuid, old->fsuid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) key_fsuid_changed(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) if (!gid_eq(new->fsgid, old->fsgid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) key_fsgid_changed(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486) /* do it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) * RLIMIT_NPROC limits on user->processes have already been checked
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) * in set_user().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490) alter_cred_subscribers(new, 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) if (new->user != old->user)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) atomic_inc(&new->user->processes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) rcu_assign_pointer(task->real_cred, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) rcu_assign_pointer(task->cred, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495) trace_android_vh_commit_creds(task, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) if (new->user != old->user)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497) atomic_dec(&old->user->processes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498) alter_cred_subscribers(old, -2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) /* send notifications */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501) if (!uid_eq(new->uid, old->uid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) !uid_eq(new->euid, old->euid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) !uid_eq(new->suid, old->suid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) !uid_eq(new->fsuid, old->fsuid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505) proc_id_connector(task, PROC_EVENT_UID);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507) if (!gid_eq(new->gid, old->gid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) !gid_eq(new->egid, old->egid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) !gid_eq(new->sgid, old->sgid) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) !gid_eq(new->fsgid, old->fsgid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) proc_id_connector(task, PROC_EVENT_GID);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) /* release the old obj and subj refs both */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) put_cred(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515) put_cred(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) EXPORT_SYMBOL(commit_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521) * abort_creds - Discard a set of credentials and unlock the current task
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) * @new: The credentials that were going to be applied
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524) * Discard a set of credentials that were under construction and unlock the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525) * current task.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) void abort_creds(struct cred *new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) kdebug("abort_creds(%p{%d,%d})", new,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530) atomic_read(&new->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) read_cred_subscribers(new));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534) BUG_ON(read_cred_subscribers(new) != 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) BUG_ON(atomic_read(&new->usage) < 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) put_cred(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) EXPORT_SYMBOL(abort_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542) * override_creds - Override the current process's subjective credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) * @new: The credentials to be assigned
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) * Install a set of temporary override subjective credentials on the current
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) * process, returning the old set for later reversion.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) const struct cred *override_creds(const struct cred *new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) const struct cred *old = current->cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552) kdebug("override_creds(%p{%d,%d})", new,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) atomic_read(&new->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) read_cred_subscribers(new));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) validate_creds(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) validate_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) * NOTE! This uses 'get_new_cred()' rather than 'get_cred()'.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) * That means that we do not clear the 'non_rcu' flag, since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) * we are only installing the cred into the thread-synchronous
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564) * '->cred' pointer, not the '->real_cred' pointer that is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) * visible to other threads under RCU.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) * Also note that we did validate_creds() manually, not depending
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) * on the validation in 'get_cred()'.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570) get_new_cred((struct cred *)new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) alter_cred_subscribers(new, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) rcu_assign_pointer(current->cred, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) trace_android_vh_override_creds(current, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) alter_cred_subscribers(old, -1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) kdebug("override_creds() = %p{%d,%d}", old,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) atomic_read(&old->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) read_cred_subscribers(old));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) return old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) EXPORT_SYMBOL(override_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) * revert_creds - Revert a temporary subjective credentials override
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) * @old: The credentials to be restored
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) * Revert a temporary set of override subjective credentials to an old set,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) * discarding the override set.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) void revert_creds(const struct cred *old)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592) const struct cred *override = current->cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) kdebug("revert_creds(%p{%d,%d})", old,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) atomic_read(&old->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) read_cred_subscribers(old));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) validate_creds(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) validate_creds(override);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) alter_cred_subscribers(old, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) rcu_assign_pointer(current->cred, old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) trace_android_vh_revert_creds(current, old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) alter_cred_subscribers(override, -1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) put_cred(override);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606) EXPORT_SYMBOL(revert_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) * cred_fscmp - Compare two credentials with respect to filesystem access.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) * @a: The first credential
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) * @b: The second credential
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) * cred_cmp() will return zero if both credentials have the same
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) * fsuid, fsgid, and supplementary groups. That is, if they will both
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) * provide the same access to files based on mode/uid/gid.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) * If the credentials are different, then either -1 or 1 will
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) * be returned depending on whether @a comes before or after @b
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) * respectively in an arbitrary, but stable, ordering of credentials.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) * Return: -1, 0, or 1 depending on comparison
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) int cred_fscmp(const struct cred *a, const struct cred *b)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) struct group_info *ga, *gb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) int g;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) if (a == b)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629) if (uid_lt(a->fsuid, b->fsuid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) if (uid_gt(a->fsuid, b->fsuid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634) if (gid_lt(a->fsgid, b->fsgid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) if (gid_gt(a->fsgid, b->fsgid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639) ga = a->group_info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) gb = b->group_info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) if (ga == gb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) if (ga == NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645) if (gb == NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647) if (ga->ngroups < gb->ngroups)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) if (ga->ngroups > gb->ngroups)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) for (g = 0; g < ga->ngroups; g++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653) if (gid_lt(ga->gid[g], gb->gid[g]))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655) if (gid_gt(ga->gid[g], gb->gid[g]))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) EXPORT_SYMBOL(cred_fscmp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663) * initialise the credentials stuff
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) void __init cred_init(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667) /* allocate a slab in which we can store credentials */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668) cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669) SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673) * prepare_kernel_cred - Prepare a set of credentials for a kernel service
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) * @daemon: A userspace daemon to be used as a reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676) * Prepare a set of credentials for a kernel service. This can then be used to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) * override a task's own credentials so that work can be done on behalf of that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678) * task that requires a different subjective context.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680) * @daemon is used to provide a base for the security record, but can be NULL.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681) * If @daemon is supplied, then the security data will be derived from that;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684) * The caller may change these controls afterwards if desired.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686) * Returns the new credentials or NULL if out of memory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) struct cred *prepare_kernel_cred(struct task_struct *daemon)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) const struct cred *old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) struct cred *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693) new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694) if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) kdebug("prepare_kernel_cred() alloc %p", new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699) if (daemon)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700) old = get_task_cred(daemon);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) old = get_cred(&init_cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704) validate_creds(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706) *new = *old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707) new->non_rcu = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708) atomic_set(&new->usage, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) set_cred_subscribers(new, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710) get_uid(new->user);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711) get_user_ns(new->user_ns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) get_group_info(new->group_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) #ifdef CONFIG_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) new->session_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716) new->process_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) new->thread_keyring = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718) new->request_key_auth = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719) new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722) #ifdef CONFIG_SECURITY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) new->security = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) put_cred(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729) validate_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730) return new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732) error:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) put_cred(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734) put_cred(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737) EXPORT_SYMBOL(prepare_kernel_cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740) * set_security_override - Set the security ID in a set of credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741) * @new: The credentials to alter
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) * @secid: The LSM security ID to set
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744) * Set the LSM security ID in a set of credentials so that the subjective
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745) * security is overridden when an alternative set of credentials is used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) int set_security_override(struct cred *new, u32 secid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749) return security_kernel_act_as(new, secid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751) EXPORT_SYMBOL(set_security_override);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754) * set_security_override_from_ctx - Set the security ID in a set of credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) * @new: The credentials to alter
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756) * @secctx: The LSM security context to generate the security ID from.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) * Set the LSM security ID in a set of credentials so that the subjective
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 759) * security is overridden when an alternative set of credentials is used. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 760) * security ID is specified in string form as a security context to be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 761) * interpreted by the LSM.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 762) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) int set_security_override_from_ctx(struct cred *new, const char *secctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765) u32 secid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) return set_security_override(new, secid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774) EXPORT_SYMBOL(set_security_override_from_ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777) * set_create_files_as - Set the LSM file create context in a set of credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) * @new: The credentials to alter
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779) * @inode: The inode to take the context from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 780) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 781) * Change the LSM file creation context in a set of credentials to be the same
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 782) * as the object context of the specified inode, so that the new inodes have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 783) * the same MAC context as that inode.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 784) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 785) int set_create_files_as(struct cred *new, struct inode *inode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 786) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787) if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 788) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 789) new->fsuid = inode->i_uid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790) new->fsgid = inode->i_gid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 791) return security_kernel_create_files_as(new, inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 792) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 793) EXPORT_SYMBOL(set_create_files_as);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 794)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 795) #ifdef CONFIG_DEBUG_CREDENTIALS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 796)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 797) bool creds_are_invalid(const struct cred *cred)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 798) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 799) if (cred->magic != CRED_MAGIC)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 800) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 801) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 802) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803) EXPORT_SYMBOL(creds_are_invalid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 804)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 805) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 806) * dump invalid credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 807) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 808) static void dump_invalid_creds(const struct cred *cred, const char *label,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809) const struct task_struct *tsk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 810) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 811) printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 812) label, cred,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 813) cred == &init_cred ? "[init]" : "",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 814) cred == tsk->real_cred ? "[real]" : "",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 815) cred == tsk->cred ? "[eff]" : "");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 816) printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 817) cred->magic, cred->put_addr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 818) printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 819) atomic_read(&cred->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 820) read_cred_subscribers(cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 821) printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 822) from_kuid_munged(&init_user_ns, cred->uid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 823) from_kuid_munged(&init_user_ns, cred->euid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 824) from_kuid_munged(&init_user_ns, cred->suid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 825) from_kuid_munged(&init_user_ns, cred->fsuid));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 826) printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 827) from_kgid_munged(&init_user_ns, cred->gid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 828) from_kgid_munged(&init_user_ns, cred->egid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 829) from_kgid_munged(&init_user_ns, cred->sgid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 830) from_kgid_munged(&init_user_ns, cred->fsgid));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 831) #ifdef CONFIG_SECURITY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 832) printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 833) if ((unsigned long) cred->security >= PAGE_SIZE &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 834) (((unsigned long) cred->security & 0xffffff00) !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 835) (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 836) printk(KERN_ERR "CRED: ->security {%x, %x}\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 837) ((u32*)cred->security)[0],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 838) ((u32*)cred->security)[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 839) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 840) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 841)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 842) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 843) * report use of invalid credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 844) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 845) void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 846) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 847) printk(KERN_ERR "CRED: Invalid credentials\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 848) printk(KERN_ERR "CRED: At %s:%u\n", file, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 849) dump_invalid_creds(cred, "Specified", current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 850) BUG();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 851) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 852) EXPORT_SYMBOL(__invalid_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 853)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 854) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 855) * check the credentials on a process
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 856) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 857) void __validate_process_creds(struct task_struct *tsk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 858) const char *file, unsigned line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 859) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 860) if (tsk->cred == tsk->real_cred) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 861) if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 862) creds_are_invalid(tsk->cred)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 863) goto invalid_creds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 864) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 865) if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 866) read_cred_subscribers(tsk->cred) < 1 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 867) creds_are_invalid(tsk->real_cred) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 868) creds_are_invalid(tsk->cred)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 869) goto invalid_creds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 870) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 871) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 872)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 873) invalid_creds:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 874) printk(KERN_ERR "CRED: Invalid process credentials\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 875) printk(KERN_ERR "CRED: At %s:%u\n", file, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 876)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 877) dump_invalid_creds(tsk->real_cred, "Real", tsk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 878) if (tsk->cred != tsk->real_cred)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 879) dump_invalid_creds(tsk->cred, "Effective", tsk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 880) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 881) printk(KERN_ERR "CRED: Effective creds == Real creds\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 882) BUG();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 883) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 884) EXPORT_SYMBOL(__validate_process_creds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 885)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 886) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 887) * check creds for do_exit()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 888) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 889) void validate_creds_for_do_exit(struct task_struct *tsk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 890) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 891) kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 892) tsk->real_cred, tsk->cred,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 893) atomic_read(&tsk->cred->usage),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 894) read_cred_subscribers(tsk->cred));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 895)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 896) __validate_process_creds(tsk, __FILE__, __LINE__);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 897) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 898)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 899) #endif /* CONFIG_DEBUG_CREDENTIALS */
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags