Lines Matching +full:unlock +full:- +full:keys
1 // SPDX-License-Identifier: GPL-2.0-or-later
4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
24 #include <keys/request_key_auth-type.h>
55 return -EINVAL; in key_get_type_from_user()
57 return -EPERM; in key_get_type_from_user()
58 type[len - 1] = '\0'; in key_get_type_from_user()
85 ret = -EINVAL; in SYSCALL_DEFINE5()
86 if (plen > 1024 * 1024 - 1) in SYSCALL_DEFINE5()
106 ret = -EPERM; in SYSCALL_DEFINE5()
115 ret = -ENOMEM; in SYSCALL_DEFINE5()
120 ret = -EFAULT; in SYSCALL_DEFINE5()
138 ret = key_ref_to_ptr(key_ref)->serial; in SYSCALL_DEFINE5()
162 * If no key is found, /sbin/request-key will be invoked if _callout_info is
163 * non-NULL in an attempt to create a key. The _callout_info string will be
164 * passed to /sbin/request-key to aid with completing the request. If the
165 * _callout_info string is "" then it will be changed to "-".
235 ret = key->serial; in SYSCALL_DEFINE4()
271 ret = key_ref_to_ptr(key_ref)->serial; in keyctl_get_keyring_ID()
302 ret = -EPERM; in keyctl_join_session_keyring()
323 * updating, then -EOPNOTSUPP will be returned.
333 ret = -EINVAL; in keyctl_update_key()
340 ret = -ENOMEM; in keyctl_update_key()
345 ret = -EFAULT; in keyctl_update_key()
373 * certain amount of time (/proc/sys/kernel/keys/gc_delay).
375 * Keys with KEY_FLAG_KEEP set should not be revoked.
388 if (ret != -EACCES) in keyctl_revoke_key()
399 if (test_bit(KEY_FLAG_KEEP, &key->flags)) in keyctl_revoke_key()
400 ret = -EPERM; in keyctl_revoke_key()
416 * Keys with KEY_FLAG_KEEP set should not be invalidated.
432 /* Root is permitted to invalidate certain special keys */ in keyctl_invalidate_key()
438 &key_ref_to_ptr(key_ref)->flags)) in keyctl_invalidate_key()
449 if (test_bit(KEY_FLAG_KEEP, &key->flags)) in keyctl_invalidate_key()
450 ret = -EPERM; in keyctl_invalidate_key()
484 &key_ref_to_ptr(keyring_ref)->flags)) in keyctl_keyring_clear()
494 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) in keyctl_keyring_clear()
495 ret = -EPERM; in keyctl_keyring_clear()
548 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked.
572 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && in keyctl_keyring_unlink()
573 test_bit(KEY_FLAG_KEEP, &key->flags)) in keyctl_keyring_unlink()
574 ret = -EPERM; in keyctl_keyring_unlink()
602 return -EINVAL; in keyctl_keyring_move()
658 if (PTR_ERR(key_ref) == -EACCES) { in keyctl_describe_key()
676 desclen = strlen(key->description); in keyctl_describe_key()
679 ret = -ENOMEM; in keyctl_describe_key()
682 key->type->name, in keyctl_describe_key()
683 from_kuid_munged(current_user_ns(), key->uid), in keyctl_describe_key()
684 from_kgid_munged(current_user_ns(), key->gid), in keyctl_describe_key()
685 key->perm); in keyctl_describe_key()
694 copy_to_user(buffer + infolen, key->description, in keyctl_describe_key()
696 ret = -EFAULT; in keyctl_describe_key()
709 * (this includes the starting keyring). Only keys with Search permission can
768 if (ret == -EAGAIN) in keyctl_keyring_search()
769 ret = -ENOKEY; in keyctl_keyring_search()
784 ret = key_ref_to_ptr(key_ref)->serial; in keyctl_keyring_search()
807 down_read(&key->sem); in __keyctl_read_key()
810 ret = key->type->read(key, buffer, buflen); in __keyctl_read_key()
811 up_read(&key->sem); in __keyctl_read_key()
836 ret = -ENOKEY; in keyctl_read_key()
850 if (ret != -EACCES) in keyctl_read_key()
854 * - we automatically take account of the fact that it may be in keyctl_read_key()
858 ret = -EACCES; in keyctl_read_key()
862 /* the key is probably readable - now try to read it */ in keyctl_read_key()
864 if (!key->type->read) { in keyctl_read_key()
865 ret = -EOPNOTSUPP; in keyctl_read_key()
879 * Allocating a temporary buffer to hold the keys before in keyctl_read_key()
895 ret = -ENOMEM; in keyctl_read_key()
923 ret = -EFAULT; in keyctl_read_key()
940 * caller must have sysadmin capability. If either uid or gid is -1 then that
960 ret = -EINVAL; in keyctl_chown_key()
961 if ((user != (uid_t) -1) && !uid_valid(uid)) in keyctl_chown_key()
963 if ((group != (gid_t) -1) && !gid_valid(gid)) in keyctl_chown_key()
967 if (user == (uid_t) -1 && group == (gid_t) -1) in keyctl_chown_key()
980 ret = -EACCES; in keyctl_chown_key()
981 down_write(&key->sem); in keyctl_chown_key()
987 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) in keyctl_chown_key()
992 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) in keyctl_chown_key()
1000 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { in keyctl_chown_key()
1001 ret = -ENOMEM; in keyctl_chown_key()
1007 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { in keyctl_chown_key()
1013 spin_lock(&newowner->lock); in keyctl_chown_key()
1014 if (newowner->qnkeys + 1 > maxkeys || in keyctl_chown_key()
1015 newowner->qnbytes + key->quotalen > maxbytes || in keyctl_chown_key()
1016 newowner->qnbytes + key->quotalen < in keyctl_chown_key()
1017 newowner->qnbytes) in keyctl_chown_key()
1020 newowner->qnkeys++; in keyctl_chown_key()
1021 newowner->qnbytes += key->quotalen; in keyctl_chown_key()
1022 spin_unlock(&newowner->lock); in keyctl_chown_key()
1024 spin_lock(&key->user->lock); in keyctl_chown_key()
1025 key->user->qnkeys--; in keyctl_chown_key()
1026 key->user->qnbytes -= key->quotalen; in keyctl_chown_key()
1027 spin_unlock(&key->user->lock); in keyctl_chown_key()
1030 atomic_dec(&key->user->nkeys); in keyctl_chown_key()
1031 atomic_inc(&newowner->nkeys); in keyctl_chown_key()
1033 if (key->state != KEY_IS_UNINSTANTIATED) { in keyctl_chown_key()
1034 atomic_dec(&key->user->nikeys); in keyctl_chown_key()
1035 atomic_inc(&newowner->nikeys); in keyctl_chown_key()
1038 zapowner = key->user; in keyctl_chown_key()
1039 key->user = newowner; in keyctl_chown_key()
1040 key->uid = uid; in keyctl_chown_key()
1044 if (group != (gid_t) -1) in keyctl_chown_key()
1045 key->gid = gid; in keyctl_chown_key()
1051 up_write(&key->sem); in keyctl_chown_key()
1059 spin_unlock(&newowner->lock); in keyctl_chown_key()
1061 ret = -EDQUOT; in keyctl_chown_key()
1070 * sysadmin capability, it may only change the permission on keys that it owns.
1078 ret = -EINVAL; in keyctl_setperm_key()
1092 ret = -EACCES; in keyctl_setperm_key()
1093 down_write(&key->sem); in keyctl_setperm_key()
1096 if (uid_eq(key->uid, current_fsuid()) || capable(CAP_SYS_ADMIN)) { in keyctl_setperm_key()
1097 key->perm = perm; in keyctl_setperm_key()
1102 up_write(&key->sem); in keyctl_setperm_key()
1134 return -EINVAL; in get_instantiation_keyring()
1139 *_dest_keyring = key_get(rka->dest_keyring); in get_instantiation_keyring()
1143 return -ENOKEY; in get_instantiation_keyring()
1155 return -ENOMEM; in keyctl_change_reqkey_auth()
1157 key_put(new->request_key_auth); in keyctl_change_reqkey_auth()
1158 new->request_key_auth = key_get(key); in keyctl_change_reqkey_auth()
1188 ret = -EINVAL; in keyctl_instantiate_key_common()
1189 if (plen > 1024 * 1024 - 1) in keyctl_instantiate_key_common()
1194 ret = -EPERM; in keyctl_instantiate_key_common()
1195 instkey = cred->request_key_auth; in keyctl_instantiate_key_common()
1199 rka = instkey->payload.data[0]; in keyctl_instantiate_key_common()
1200 if (rka->target_key->serial != id) in keyctl_instantiate_key_common()
1207 ret = -ENOMEM; in keyctl_instantiate_key_common()
1212 ret = -EFAULT; in keyctl_instantiate_key_common()
1224 ret = key_instantiate_and_link(rka->target_key, payload, plen, in keyctl_instantiate_key_common()
1310 * Negative keys are used to rate limit repeated request_key() calls by causing
1311 * them to return -ENOKEY until the negative key expires.
1330 * Negative keys are used to rate limit repeated request_key() calls by causing
1352 return -EINVAL; in keyctl_reject_key()
1356 ret = -EPERM; in keyctl_reject_key()
1357 instkey = cred->request_key_auth; in keyctl_reject_key()
1361 rka = instkey->payload.data[0]; in keyctl_reject_key()
1362 if (rka->target_key->serial != id) in keyctl_reject_key()
1372 ret = key_reject_and_link(rka->target_key, timeout, error, in keyctl_reject_key()
1387 * Read or set the default keyring in which request_key() will cache keys and
1405 return -ENOMEM; in keyctl_set_reqkey_keyring()
1430 ret = -EINVAL; in keyctl_set_reqkey_keyring()
1435 new->jit_keyring = reqkey_defl; in keyctl_set_reqkey_keyring()
1453 * Keys with KEY_FLAG_KEEP set should not be timed out.
1468 if (PTR_ERR(key_ref) == -EACCES) { in keyctl_set_timeout()
1487 if (test_bit(KEY_FLAG_KEEP, &key->flags)) { in keyctl_set_timeout()
1488 ret = -EPERM; in keyctl_set_timeout()
1504 * available all the keys from the caller of the request_key() that created a
1522 ret = -EINVAL; in keyctl_assume_authority()
1534 * - the authorisation key must be in the current task's keyrings in keyctl_assume_authority()
1545 ret = authkey->serial; in keyctl_assume_authority()
1572 if (PTR_ERR(key_ref) != -EACCES) in keyctl_get_security()
1596 ret = -EFAULT; in keyctl_get_security()
1604 ret = -EFAULT; in keyctl_get_security()
1619 * parent process must be single-threaded and must have the same effective
1639 ret = -ENOMEM; in keyctl_session_to_parent()
1647 newwork = &cred->rcu; in keyctl_session_to_parent()
1649 cred->session_keyring = key_ref_to_ptr(keyring_r); in keyctl_session_to_parent()
1657 ret = -EPERM; in keyctl_session_to_parent()
1659 parent = rcu_dereference_protected(me->real_parent, in keyctl_session_to_parent()
1663 if (parent->pid <= 1 || !parent->mm) in keyctl_session_to_parent()
1664 goto unlock; in keyctl_session_to_parent()
1668 goto unlock; in keyctl_session_to_parent()
1675 mycred->session_keyring == pcred->session_keyring) { in keyctl_session_to_parent()
1677 goto unlock; in keyctl_session_to_parent()
1682 if (!uid_eq(pcred->uid, mycred->euid) || in keyctl_session_to_parent()
1683 !uid_eq(pcred->euid, mycred->euid) || in keyctl_session_to_parent()
1684 !uid_eq(pcred->suid, mycred->euid) || in keyctl_session_to_parent()
1685 !gid_eq(pcred->gid, mycred->egid) || in keyctl_session_to_parent()
1686 !gid_eq(pcred->egid, mycred->egid) || in keyctl_session_to_parent()
1687 !gid_eq(pcred->sgid, mycred->egid)) in keyctl_session_to_parent()
1688 goto unlock; in keyctl_session_to_parent()
1691 if ((pcred->session_keyring && in keyctl_session_to_parent()
1692 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || in keyctl_session_to_parent()
1693 !uid_eq(mycred->session_keyring->uid, mycred->euid)) in keyctl_session_to_parent()
1694 goto unlock; in keyctl_session_to_parent()
1704 unlock: in keyctl_session_to_parent()
1725 * Otherwise, both _type and _restriction must be non-NULL.
1741 ret = -EINVAL; in keyctl_restrict_keyring()
1782 if (watch_id < -1 || watch_id > 0xff) in keyctl_watch_key()
1783 return -EINVAL; in keyctl_watch_key()
1797 ret = -ENOMEM; in keyctl_watch_key()
1798 if (!key->watchers) { in keyctl_watch_key()
1810 watch->id = key->serial; in keyctl_watch_key()
1811 watch->info_id = (u32)watch_id << WATCH_INFO_ID__SHIFT; in keyctl_watch_key()
1817 down_write(&key->sem); in keyctl_watch_key()
1818 if (!key->watchers) { in keyctl_watch_key()
1819 key->watchers = wlist; in keyctl_watch_key()
1823 ret = add_watch_to_object(watch, key->watchers); in keyctl_watch_key()
1824 up_write(&key->sem); in keyctl_watch_key()
1829 ret = -EBADSLT; in keyctl_watch_key()
1830 if (key->watchers) { in keyctl_watch_key()
1831 down_write(&key->sem); in keyctl_watch_key()
1832 ret = remove_watch_from_object(key->watchers, in keyctl_watch_key()
1835 up_write(&key->sem); in keyctl_watch_key()
1862 return -EFAULT; in keyctl_capabilities()
1864 clear_user(_buffer + size, buflen - size) != 0) in keyctl_capabilities()
1865 return -EFAULT; in keyctl_capabilities()
1989 return -EINVAL; in SYSCALL_DEFINE5()
2024 return -EOPNOTSUPP; in SYSCALL_DEFINE5()