1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Task credentials management - see Documentation/security/credentials.rst
3 *
4 * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7 #include <linux/export.h>
8 #include <linux/cred.h>
9 #include <linux/slab.h>
10 #include <linux/sched.h>
11 #include <linux/sched/coredump.h>
12 #include <linux/key.h>
13 #include <linux/keyctl.h>
14 #include <linux/init_task.h>
15 #include <linux/security.h>
16 #include <linux/binfmts.h>
17 #include <linux/cn_proc.h>
18 #include <linux/uidgid.h>
19
20 #include <trace/hooks/creds.h>
21
22 #if 0
23 #define kdebug(FMT, ...) \
24 printk("[%-5.5s%5u] " FMT "\n", \
25 current->comm, current->pid, ##__VA_ARGS__)
26 #else
27 #define kdebug(FMT, ...) \
28 do { \
29 if (0) \
30 no_printk("[%-5.5s%5u] " FMT "\n", \
31 current->comm, current->pid, ##__VA_ARGS__); \
32 } while (0)
33 #endif
34
35 static struct kmem_cache *cred_jar;
36
37 /* init to 2 - one for init_task, one to ensure it is never freed */
38 struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
39
40 /*
41 * The initial credentials for the initial task
42 */
43 struct cred init_cred = {
44 .usage = ATOMIC_INIT(4),
45 #ifdef CONFIG_DEBUG_CREDENTIALS
46 .subscribers = ATOMIC_INIT(2),
47 .magic = CRED_MAGIC,
48 #endif
49 .uid = GLOBAL_ROOT_UID,
50 .gid = GLOBAL_ROOT_GID,
51 .suid = GLOBAL_ROOT_UID,
52 .sgid = GLOBAL_ROOT_GID,
53 .euid = GLOBAL_ROOT_UID,
54 .egid = GLOBAL_ROOT_GID,
55 .fsuid = GLOBAL_ROOT_UID,
56 .fsgid = GLOBAL_ROOT_GID,
57 .securebits = SECUREBITS_DEFAULT,
58 .cap_inheritable = CAP_EMPTY_SET,
59 .cap_permitted = CAP_FULL_SET,
60 .cap_effective = CAP_FULL_SET,
61 .cap_bset = CAP_FULL_SET,
62 .user = INIT_USER,
63 .user_ns = &init_user_ns,
64 .group_info = &init_groups,
65 };
66
set_cred_subscribers(struct cred * cred,int n)67 static inline void set_cred_subscribers(struct cred *cred, int n)
68 {
69 #ifdef CONFIG_DEBUG_CREDENTIALS
70 atomic_set(&cred->subscribers, n);
71 #endif
72 }
73
read_cred_subscribers(const struct cred * cred)74 static inline int read_cred_subscribers(const struct cred *cred)
75 {
76 #ifdef CONFIG_DEBUG_CREDENTIALS
77 return atomic_read(&cred->subscribers);
78 #else
79 return 0;
80 #endif
81 }
82
alter_cred_subscribers(const struct cred * _cred,int n)83 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
84 {
85 #ifdef CONFIG_DEBUG_CREDENTIALS
86 struct cred *cred = (struct cred *) _cred;
87
88 atomic_add(n, &cred->subscribers);
89 #endif
90 }
91
92 /*
93 * The RCU callback to actually dispose of a set of credentials
94 */
put_cred_rcu(struct rcu_head * rcu)95 static void put_cred_rcu(struct rcu_head *rcu)
96 {
97 struct cred *cred = container_of(rcu, struct cred, rcu);
98
99 kdebug("put_cred_rcu(%p)", cred);
100
101 #ifdef CONFIG_DEBUG_CREDENTIALS
102 if (cred->magic != CRED_MAGIC_DEAD ||
103 atomic_read(&cred->usage) != 0 ||
104 read_cred_subscribers(cred) != 0)
105 panic("CRED: put_cred_rcu() sees %p with"
106 " mag %x, put %p, usage %d, subscr %d\n",
107 cred, cred->magic, cred->put_addr,
108 atomic_read(&cred->usage),
109 read_cred_subscribers(cred));
110 #else
111 if (atomic_read(&cred->usage) != 0)
112 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
113 cred, atomic_read(&cred->usage));
114 #endif
115
116 security_cred_free(cred);
117 key_put(cred->session_keyring);
118 key_put(cred->process_keyring);
119 key_put(cred->thread_keyring);
120 key_put(cred->request_key_auth);
121 if (cred->group_info)
122 put_group_info(cred->group_info);
123 free_uid(cred->user);
124 put_user_ns(cred->user_ns);
125 kmem_cache_free(cred_jar, cred);
126 }
127
128 /**
129 * __put_cred - Destroy a set of credentials
130 * @cred: The record to release
131 *
132 * Destroy a set of credentials on which no references remain.
133 */
__put_cred(struct cred * cred)134 void __put_cred(struct cred *cred)
135 {
136 kdebug("__put_cred(%p{%d,%d})", cred,
137 atomic_read(&cred->usage),
138 read_cred_subscribers(cred));
139
140 BUG_ON(atomic_read(&cred->usage) != 0);
141 #ifdef CONFIG_DEBUG_CREDENTIALS
142 BUG_ON(read_cred_subscribers(cred) != 0);
143 cred->magic = CRED_MAGIC_DEAD;
144 cred->put_addr = __builtin_return_address(0);
145 #endif
146 BUG_ON(cred == current->cred);
147 BUG_ON(cred == current->real_cred);
148
149 if (cred->non_rcu)
150 put_cred_rcu(&cred->rcu);
151 else
152 call_rcu(&cred->rcu, put_cred_rcu);
153 }
154 EXPORT_SYMBOL(__put_cred);
155
156 /*
157 * Clean up a task's credentials when it exits
158 */
exit_creds(struct task_struct * tsk)159 void exit_creds(struct task_struct *tsk)
160 {
161 struct cred *cred;
162
163 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
164 atomic_read(&tsk->cred->usage),
165 read_cred_subscribers(tsk->cred));
166
167 cred = (struct cred *) tsk->real_cred;
168 tsk->real_cred = NULL;
169 validate_creds(cred);
170 alter_cred_subscribers(cred, -1);
171 put_cred(cred);
172
173 cred = (struct cred *) tsk->cred;
174 tsk->cred = NULL;
175 validate_creds(cred);
176 alter_cred_subscribers(cred, -1);
177 put_cred(cred);
178
179 #ifdef CONFIG_KEYS_REQUEST_CACHE
180 key_put(tsk->cached_requested_key);
181 tsk->cached_requested_key = NULL;
182 #endif
183 trace_android_vh_exit_creds(tsk, cred);
184 }
185
186 /**
187 * get_task_cred - Get another task's objective credentials
188 * @task: The task to query
189 *
190 * Get the objective credentials of a task, pinning them so that they can't go
191 * away. Accessing a task's credentials directly is not permitted.
192 *
193 * The caller must also make sure task doesn't get deleted, either by holding a
194 * ref on task or by holding tasklist_lock to prevent it from being unlinked.
195 */
get_task_cred(struct task_struct * task)196 const struct cred *get_task_cred(struct task_struct *task)
197 {
198 const struct cred *cred;
199
200 rcu_read_lock();
201
202 do {
203 cred = __task_cred((task));
204 BUG_ON(!cred);
205 } while (!get_cred_rcu(cred));
206
207 rcu_read_unlock();
208 return cred;
209 }
210 EXPORT_SYMBOL(get_task_cred);
211
212 /*
213 * Allocate blank credentials, such that the credentials can be filled in at a
214 * later date without risk of ENOMEM.
215 */
cred_alloc_blank(void)216 struct cred *cred_alloc_blank(void)
217 {
218 struct cred *new;
219
220 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
221 if (!new)
222 return NULL;
223
224 atomic_set(&new->usage, 1);
225 #ifdef CONFIG_DEBUG_CREDENTIALS
226 new->magic = CRED_MAGIC;
227 #endif
228
229 if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
230 goto error;
231
232 return new;
233
234 error:
235 abort_creds(new);
236 return NULL;
237 }
238
239 /**
240 * prepare_creds - Prepare a new set of credentials for modification
241 *
242 * Prepare a new set of task credentials for modification. A task's creds
243 * shouldn't generally be modified directly, therefore this function is used to
244 * prepare a new copy, which the caller then modifies and then commits by
245 * calling commit_creds().
246 *
247 * Preparation involves making a copy of the objective creds for modification.
248 *
249 * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
250 *
251 * Call commit_creds() or abort_creds() to clean up.
252 */
prepare_creds(void)253 struct cred *prepare_creds(void)
254 {
255 struct task_struct *task = current;
256 const struct cred *old;
257 struct cred *new;
258
259 validate_process_creds();
260
261 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
262 if (!new)
263 return NULL;
264
265 kdebug("prepare_creds() alloc %p", new);
266
267 old = task->cred;
268 memcpy(new, old, sizeof(struct cred));
269
270 new->non_rcu = 0;
271 atomic_set(&new->usage, 1);
272 set_cred_subscribers(new, 0);
273 get_group_info(new->group_info);
274 get_uid(new->user);
275 get_user_ns(new->user_ns);
276
277 #ifdef CONFIG_KEYS
278 key_get(new->session_keyring);
279 key_get(new->process_keyring);
280 key_get(new->thread_keyring);
281 key_get(new->request_key_auth);
282 #endif
283
284 #ifdef CONFIG_SECURITY
285 new->security = NULL;
286 #endif
287
288 if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
289 goto error;
290 validate_creds(new);
291 return new;
292
293 error:
294 abort_creds(new);
295 return NULL;
296 }
297 EXPORT_SYMBOL(prepare_creds);
298
299 /*
300 * Prepare credentials for current to perform an execve()
301 * - The caller must hold ->cred_guard_mutex
302 */
prepare_exec_creds(void)303 struct cred *prepare_exec_creds(void)
304 {
305 struct cred *new;
306
307 new = prepare_creds();
308 if (!new)
309 return new;
310
311 #ifdef CONFIG_KEYS
312 /* newly exec'd tasks don't get a thread keyring */
313 key_put(new->thread_keyring);
314 new->thread_keyring = NULL;
315
316 /* inherit the session keyring; new process keyring */
317 key_put(new->process_keyring);
318 new->process_keyring = NULL;
319 #endif
320
321 new->suid = new->fsuid = new->euid;
322 new->sgid = new->fsgid = new->egid;
323
324 return new;
325 }
326
327 /*
328 * Copy credentials for the new process created by fork()
329 *
330 * We share if we can, but under some circumstances we have to generate a new
331 * set.
332 *
333 * The new process gets the current process's subjective credentials as its
334 * objective and subjective credentials
335 */
copy_creds(struct task_struct * p,unsigned long clone_flags)336 int copy_creds(struct task_struct *p, unsigned long clone_flags)
337 {
338 struct cred *new;
339 int ret;
340
341 #ifdef CONFIG_KEYS_REQUEST_CACHE
342 p->cached_requested_key = NULL;
343 #endif
344
345 if (
346 #ifdef CONFIG_KEYS
347 !p->cred->thread_keyring &&
348 #endif
349 clone_flags & CLONE_THREAD
350 ) {
351 p->real_cred = get_cred(p->cred);
352 get_cred(p->cred);
353 alter_cred_subscribers(p->cred, 2);
354 kdebug("share_creds(%p{%d,%d})",
355 p->cred, atomic_read(&p->cred->usage),
356 read_cred_subscribers(p->cred));
357 atomic_inc(&p->cred->user->processes);
358 return 0;
359 }
360
361 new = prepare_creds();
362 if (!new)
363 return -ENOMEM;
364
365 if (clone_flags & CLONE_NEWUSER) {
366 ret = create_user_ns(new);
367 if (ret < 0)
368 goto error_put;
369 }
370
371 #ifdef CONFIG_KEYS
372 /* new threads get their own thread keyrings if their parent already
373 * had one */
374 if (new->thread_keyring) {
375 key_put(new->thread_keyring);
376 new->thread_keyring = NULL;
377 if (clone_flags & CLONE_THREAD)
378 install_thread_keyring_to_cred(new);
379 }
380
381 /* The process keyring is only shared between the threads in a process;
382 * anything outside of those threads doesn't inherit.
383 */
384 if (!(clone_flags & CLONE_THREAD)) {
385 key_put(new->process_keyring);
386 new->process_keyring = NULL;
387 }
388 #endif
389
390 atomic_inc(&new->user->processes);
391 p->cred = p->real_cred = get_cred(new);
392 alter_cred_subscribers(new, 2);
393 validate_creds(new);
394 return 0;
395
396 error_put:
397 put_cred(new);
398 return ret;
399 }
400
cred_cap_issubset(const struct cred * set,const struct cred * subset)401 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
402 {
403 const struct user_namespace *set_ns = set->user_ns;
404 const struct user_namespace *subset_ns = subset->user_ns;
405
406 /* If the two credentials are in the same user namespace see if
407 * the capabilities of subset are a subset of set.
408 */
409 if (set_ns == subset_ns)
410 return cap_issubset(subset->cap_permitted, set->cap_permitted);
411
412 /* The credentials are in a different user namespaces
413 * therefore one is a subset of the other only if a set is an
414 * ancestor of subset and set->euid is owner of subset or one
415 * of subsets ancestors.
416 */
417 for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
418 if ((set_ns == subset_ns->parent) &&
419 uid_eq(subset_ns->owner, set->euid))
420 return true;
421 }
422
423 return false;
424 }
425
426 /**
427 * commit_creds - Install new credentials upon the current task
428 * @new: The credentials to be assigned
429 *
430 * Install a new set of credentials to the current task, using RCU to replace
431 * the old set. Both the objective and the subjective credentials pointers are
432 * updated. This function may not be called if the subjective credentials are
433 * in an overridden state.
434 *
435 * This function eats the caller's reference to the new credentials.
436 *
437 * Always returns 0 thus allowing this function to be tail-called at the end
438 * of, say, sys_setgid().
439 */
commit_creds(struct cred * new)440 int commit_creds(struct cred *new)
441 {
442 struct task_struct *task = current;
443 const struct cred *old = task->real_cred;
444
445 kdebug("commit_creds(%p{%d,%d})", new,
446 atomic_read(&new->usage),
447 read_cred_subscribers(new));
448
449 BUG_ON(task->cred != old);
450 #ifdef CONFIG_DEBUG_CREDENTIALS
451 BUG_ON(read_cred_subscribers(old) < 2);
452 validate_creds(old);
453 validate_creds(new);
454 #endif
455 BUG_ON(atomic_read(&new->usage) < 1);
456
457 get_cred(new); /* we will require a ref for the subj creds too */
458
459 /* dumpability changes */
460 if (!uid_eq(old->euid, new->euid) ||
461 !gid_eq(old->egid, new->egid) ||
462 !uid_eq(old->fsuid, new->fsuid) ||
463 !gid_eq(old->fsgid, new->fsgid) ||
464 !cred_cap_issubset(old, new)) {
465 if (task->mm)
466 set_dumpable(task->mm, suid_dumpable);
467 task->pdeath_signal = 0;
468 /*
469 * If a task drops privileges and becomes nondumpable,
470 * the dumpability change must become visible before
471 * the credential change; otherwise, a __ptrace_may_access()
472 * racing with this change may be able to attach to a task it
473 * shouldn't be able to attach to (as if the task had dropped
474 * privileges without becoming nondumpable).
475 * Pairs with a read barrier in __ptrace_may_access().
476 */
477 smp_wmb();
478 }
479
480 /* alter the thread keyring */
481 if (!uid_eq(new->fsuid, old->fsuid))
482 key_fsuid_changed(new);
483 if (!gid_eq(new->fsgid, old->fsgid))
484 key_fsgid_changed(new);
485
486 /* do it
487 * RLIMIT_NPROC limits on user->processes have already been checked
488 * in set_user().
489 */
490 alter_cred_subscribers(new, 2);
491 if (new->user != old->user)
492 atomic_inc(&new->user->processes);
493 rcu_assign_pointer(task->real_cred, new);
494 rcu_assign_pointer(task->cred, new);
495 trace_android_vh_commit_creds(task, new);
496 if (new->user != old->user)
497 atomic_dec(&old->user->processes);
498 alter_cred_subscribers(old, -2);
499
500 /* send notifications */
501 if (!uid_eq(new->uid, old->uid) ||
502 !uid_eq(new->euid, old->euid) ||
503 !uid_eq(new->suid, old->suid) ||
504 !uid_eq(new->fsuid, old->fsuid))
505 proc_id_connector(task, PROC_EVENT_UID);
506
507 if (!gid_eq(new->gid, old->gid) ||
508 !gid_eq(new->egid, old->egid) ||
509 !gid_eq(new->sgid, old->sgid) ||
510 !gid_eq(new->fsgid, old->fsgid))
511 proc_id_connector(task, PROC_EVENT_GID);
512
513 /* release the old obj and subj refs both */
514 put_cred(old);
515 put_cred(old);
516 return 0;
517 }
518 EXPORT_SYMBOL(commit_creds);
519
520 /**
521 * abort_creds - Discard a set of credentials and unlock the current task
522 * @new: The credentials that were going to be applied
523 *
524 * Discard a set of credentials that were under construction and unlock the
525 * current task.
526 */
abort_creds(struct cred * new)527 void abort_creds(struct cred *new)
528 {
529 kdebug("abort_creds(%p{%d,%d})", new,
530 atomic_read(&new->usage),
531 read_cred_subscribers(new));
532
533 #ifdef CONFIG_DEBUG_CREDENTIALS
534 BUG_ON(read_cred_subscribers(new) != 0);
535 #endif
536 BUG_ON(atomic_read(&new->usage) < 1);
537 put_cred(new);
538 }
539 EXPORT_SYMBOL(abort_creds);
540
541 /**
542 * override_creds - Override the current process's subjective credentials
543 * @new: The credentials to be assigned
544 *
545 * Install a set of temporary override subjective credentials on the current
546 * process, returning the old set for later reversion.
547 */
override_creds(const struct cred * new)548 const struct cred *override_creds(const struct cred *new)
549 {
550 const struct cred *old = current->cred;
551
552 kdebug("override_creds(%p{%d,%d})", new,
553 atomic_read(&new->usage),
554 read_cred_subscribers(new));
555
556 validate_creds(old);
557 validate_creds(new);
558
559 /*
560 * NOTE! This uses 'get_new_cred()' rather than 'get_cred()'.
561 *
562 * That means that we do not clear the 'non_rcu' flag, since
563 * we are only installing the cred into the thread-synchronous
564 * '->cred' pointer, not the '->real_cred' pointer that is
565 * visible to other threads under RCU.
566 *
567 * Also note that we did validate_creds() manually, not depending
568 * on the validation in 'get_cred()'.
569 */
570 get_new_cred((struct cred *)new);
571 alter_cred_subscribers(new, 1);
572 rcu_assign_pointer(current->cred, new);
573 trace_android_vh_override_creds(current, new);
574 alter_cred_subscribers(old, -1);
575
576 kdebug("override_creds() = %p{%d,%d}", old,
577 atomic_read(&old->usage),
578 read_cred_subscribers(old));
579 return old;
580 }
581 EXPORT_SYMBOL(override_creds);
582
583 /**
584 * revert_creds - Revert a temporary subjective credentials override
585 * @old: The credentials to be restored
586 *
587 * Revert a temporary set of override subjective credentials to an old set,
588 * discarding the override set.
589 */
revert_creds(const struct cred * old)590 void revert_creds(const struct cred *old)
591 {
592 const struct cred *override = current->cred;
593
594 kdebug("revert_creds(%p{%d,%d})", old,
595 atomic_read(&old->usage),
596 read_cred_subscribers(old));
597
598 validate_creds(old);
599 validate_creds(override);
600 alter_cred_subscribers(old, 1);
601 rcu_assign_pointer(current->cred, old);
602 trace_android_vh_revert_creds(current, old);
603 alter_cred_subscribers(override, -1);
604 put_cred(override);
605 }
606 EXPORT_SYMBOL(revert_creds);
607
608 /**
609 * cred_fscmp - Compare two credentials with respect to filesystem access.
610 * @a: The first credential
611 * @b: The second credential
612 *
613 * cred_cmp() will return zero if both credentials have the same
614 * fsuid, fsgid, and supplementary groups. That is, if they will both
615 * provide the same access to files based on mode/uid/gid.
616 * If the credentials are different, then either -1 or 1 will
617 * be returned depending on whether @a comes before or after @b
618 * respectively in an arbitrary, but stable, ordering of credentials.
619 *
620 * Return: -1, 0, or 1 depending on comparison
621 */
cred_fscmp(const struct cred * a,const struct cred * b)622 int cred_fscmp(const struct cred *a, const struct cred *b)
623 {
624 struct group_info *ga, *gb;
625 int g;
626
627 if (a == b)
628 return 0;
629 if (uid_lt(a->fsuid, b->fsuid))
630 return -1;
631 if (uid_gt(a->fsuid, b->fsuid))
632 return 1;
633
634 if (gid_lt(a->fsgid, b->fsgid))
635 return -1;
636 if (gid_gt(a->fsgid, b->fsgid))
637 return 1;
638
639 ga = a->group_info;
640 gb = b->group_info;
641 if (ga == gb)
642 return 0;
643 if (ga == NULL)
644 return -1;
645 if (gb == NULL)
646 return 1;
647 if (ga->ngroups < gb->ngroups)
648 return -1;
649 if (ga->ngroups > gb->ngroups)
650 return 1;
651
652 for (g = 0; g < ga->ngroups; g++) {
653 if (gid_lt(ga->gid[g], gb->gid[g]))
654 return -1;
655 if (gid_gt(ga->gid[g], gb->gid[g]))
656 return 1;
657 }
658 return 0;
659 }
660 EXPORT_SYMBOL(cred_fscmp);
661
662 /*
663 * initialise the credentials stuff
664 */
cred_init(void)665 void __init cred_init(void)
666 {
667 /* allocate a slab in which we can store credentials */
668 cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
669 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
670 }
671
672 /**
673 * prepare_kernel_cred - Prepare a set of credentials for a kernel service
674 * @daemon: A userspace daemon to be used as a reference
675 *
676 * Prepare a set of credentials for a kernel service. This can then be used to
677 * override a task's own credentials so that work can be done on behalf of that
678 * task that requires a different subjective context.
679 *
680 * @daemon is used to provide a base for the security record, but can be NULL.
681 * If @daemon is supplied, then the security data will be derived from that;
682 * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
683 *
684 * The caller may change these controls afterwards if desired.
685 *
686 * Returns the new credentials or NULL if out of memory.
687 */
prepare_kernel_cred(struct task_struct * daemon)688 struct cred *prepare_kernel_cred(struct task_struct *daemon)
689 {
690 const struct cred *old;
691 struct cred *new;
692
693 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
694 if (!new)
695 return NULL;
696
697 kdebug("prepare_kernel_cred() alloc %p", new);
698
699 if (daemon)
700 old = get_task_cred(daemon);
701 else
702 old = get_cred(&init_cred);
703
704 validate_creds(old);
705
706 *new = *old;
707 new->non_rcu = 0;
708 atomic_set(&new->usage, 1);
709 set_cred_subscribers(new, 0);
710 get_uid(new->user);
711 get_user_ns(new->user_ns);
712 get_group_info(new->group_info);
713
714 #ifdef CONFIG_KEYS
715 new->session_keyring = NULL;
716 new->process_keyring = NULL;
717 new->thread_keyring = NULL;
718 new->request_key_auth = NULL;
719 new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
720 #endif
721
722 #ifdef CONFIG_SECURITY
723 new->security = NULL;
724 #endif
725 if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
726 goto error;
727
728 put_cred(old);
729 validate_creds(new);
730 return new;
731
732 error:
733 put_cred(new);
734 put_cred(old);
735 return NULL;
736 }
737 EXPORT_SYMBOL(prepare_kernel_cred);
738
739 /**
740 * set_security_override - Set the security ID in a set of credentials
741 * @new: The credentials to alter
742 * @secid: The LSM security ID to set
743 *
744 * Set the LSM security ID in a set of credentials so that the subjective
745 * security is overridden when an alternative set of credentials is used.
746 */
set_security_override(struct cred * new,u32 secid)747 int set_security_override(struct cred *new, u32 secid)
748 {
749 return security_kernel_act_as(new, secid);
750 }
751 EXPORT_SYMBOL(set_security_override);
752
753 /**
754 * set_security_override_from_ctx - Set the security ID in a set of credentials
755 * @new: The credentials to alter
756 * @secctx: The LSM security context to generate the security ID from.
757 *
758 * Set the LSM security ID in a set of credentials so that the subjective
759 * security is overridden when an alternative set of credentials is used. The
760 * security ID is specified in string form as a security context to be
761 * interpreted by the LSM.
762 */
set_security_override_from_ctx(struct cred * new,const char * secctx)763 int set_security_override_from_ctx(struct cred *new, const char *secctx)
764 {
765 u32 secid;
766 int ret;
767
768 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
769 if (ret < 0)
770 return ret;
771
772 return set_security_override(new, secid);
773 }
774 EXPORT_SYMBOL(set_security_override_from_ctx);
775
776 /**
777 * set_create_files_as - Set the LSM file create context in a set of credentials
778 * @new: The credentials to alter
779 * @inode: The inode to take the context from
780 *
781 * Change the LSM file creation context in a set of credentials to be the same
782 * as the object context of the specified inode, so that the new inodes have
783 * the same MAC context as that inode.
784 */
set_create_files_as(struct cred * new,struct inode * inode)785 int set_create_files_as(struct cred *new, struct inode *inode)
786 {
787 if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
788 return -EINVAL;
789 new->fsuid = inode->i_uid;
790 new->fsgid = inode->i_gid;
791 return security_kernel_create_files_as(new, inode);
792 }
793 EXPORT_SYMBOL(set_create_files_as);
794
795 #ifdef CONFIG_DEBUG_CREDENTIALS
796
creds_are_invalid(const struct cred * cred)797 bool creds_are_invalid(const struct cred *cred)
798 {
799 if (cred->magic != CRED_MAGIC)
800 return true;
801 return false;
802 }
803 EXPORT_SYMBOL(creds_are_invalid);
804
805 /*
806 * dump invalid credentials
807 */
dump_invalid_creds(const struct cred * cred,const char * label,const struct task_struct * tsk)808 static void dump_invalid_creds(const struct cred *cred, const char *label,
809 const struct task_struct *tsk)
810 {
811 printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
812 label, cred,
813 cred == &init_cred ? "[init]" : "",
814 cred == tsk->real_cred ? "[real]" : "",
815 cred == tsk->cred ? "[eff]" : "");
816 printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
817 cred->magic, cred->put_addr);
818 printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
819 atomic_read(&cred->usage),
820 read_cred_subscribers(cred));
821 printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
822 from_kuid_munged(&init_user_ns, cred->uid),
823 from_kuid_munged(&init_user_ns, cred->euid),
824 from_kuid_munged(&init_user_ns, cred->suid),
825 from_kuid_munged(&init_user_ns, cred->fsuid));
826 printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
827 from_kgid_munged(&init_user_ns, cred->gid),
828 from_kgid_munged(&init_user_ns, cred->egid),
829 from_kgid_munged(&init_user_ns, cred->sgid),
830 from_kgid_munged(&init_user_ns, cred->fsgid));
831 #ifdef CONFIG_SECURITY
832 printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
833 if ((unsigned long) cred->security >= PAGE_SIZE &&
834 (((unsigned long) cred->security & 0xffffff00) !=
835 (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
836 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
837 ((u32*)cred->security)[0],
838 ((u32*)cred->security)[1]);
839 #endif
840 }
841
842 /*
843 * report use of invalid credentials
844 */
__invalid_creds(const struct cred * cred,const char * file,unsigned line)845 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
846 {
847 printk(KERN_ERR "CRED: Invalid credentials\n");
848 printk(KERN_ERR "CRED: At %s:%u\n", file, line);
849 dump_invalid_creds(cred, "Specified", current);
850 BUG();
851 }
852 EXPORT_SYMBOL(__invalid_creds);
853
854 /*
855 * check the credentials on a process
856 */
__validate_process_creds(struct task_struct * tsk,const char * file,unsigned line)857 void __validate_process_creds(struct task_struct *tsk,
858 const char *file, unsigned line)
859 {
860 if (tsk->cred == tsk->real_cred) {
861 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
862 creds_are_invalid(tsk->cred)))
863 goto invalid_creds;
864 } else {
865 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
866 read_cred_subscribers(tsk->cred) < 1 ||
867 creds_are_invalid(tsk->real_cred) ||
868 creds_are_invalid(tsk->cred)))
869 goto invalid_creds;
870 }
871 return;
872
873 invalid_creds:
874 printk(KERN_ERR "CRED: Invalid process credentials\n");
875 printk(KERN_ERR "CRED: At %s:%u\n", file, line);
876
877 dump_invalid_creds(tsk->real_cred, "Real", tsk);
878 if (tsk->cred != tsk->real_cred)
879 dump_invalid_creds(tsk->cred, "Effective", tsk);
880 else
881 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
882 BUG();
883 }
884 EXPORT_SYMBOL(__validate_process_creds);
885
886 /*
887 * check creds for do_exit()
888 */
validate_creds_for_do_exit(struct task_struct * tsk)889 void validate_creds_for_do_exit(struct task_struct *tsk)
890 {
891 kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
892 tsk->real_cred, tsk->cred,
893 atomic_read(&tsk->cred->usage),
894 read_cred_subscribers(tsk->cred));
895
896 __validate_process_creds(tsk, __FILE__, __LINE__);
897 }
898
899 #endif /* CONFIG_DEBUG_CREDENTIALS */
900