• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1  /* SPDX-License-Identifier: GPL-2.0-or-later */
2  /* Credentials management - see Documentation/security/credentials.rst
3   *
4   * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
5   * Written by David Howells (dhowells@redhat.com)
6   */
7  
8  #ifndef _LINUX_CRED_H
9  #define _LINUX_CRED_H
10  
11  #include <linux/capability.h>
12  #include <linux/init.h>
13  #include <linux/key.h>
14  #include <linux/atomic.h>
15  #include <linux/uidgid.h>
16  #include <linux/sched.h>
17  #include <linux/sched/user.h>
18  
19  struct cred;
20  struct inode;
21  
22  /*
23   * COW Supplementary groups list
24   */
25  struct group_info {
26  	atomic_t	usage;
27  	int		ngroups;
28  	kgid_t		gid[];
29  } __randomize_layout;
30  
31  /**
32   * get_group_info - Get a reference to a group info structure
33   * @group_info: The group info to reference
34   *
35   * This gets a reference to a set of supplementary groups.
36   *
37   * If the caller is accessing a task's credentials, they must hold the RCU read
38   * lock when reading.
39   */
get_group_info(struct group_info * gi)40  static inline struct group_info *get_group_info(struct group_info *gi)
41  {
42  	atomic_inc(&gi->usage);
43  	return gi;
44  }
45  
46  /**
47   * put_group_info - Release a reference to a group info structure
48   * @group_info: The group info to release
49   */
50  #define put_group_info(group_info)			\
51  do {							\
52  	if (atomic_dec_and_test(&(group_info)->usage))	\
53  		groups_free(group_info);		\
54  } while (0)
55  
56  #ifdef CONFIG_MULTIUSER
57  extern struct group_info *groups_alloc(int);
58  extern void groups_free(struct group_info *);
59  
60  extern int in_group_p(kgid_t);
61  extern int in_egroup_p(kgid_t);
62  extern int groups_search(const struct group_info *, kgid_t);
63  
64  extern int set_current_groups(struct group_info *);
65  extern void set_groups(struct cred *, struct group_info *);
66  extern bool may_setgroups(void);
67  extern void groups_sort(struct group_info *);
68  #else
groups_free(struct group_info * group_info)69  static inline void groups_free(struct group_info *group_info)
70  {
71  }
72  
in_group_p(kgid_t grp)73  static inline int in_group_p(kgid_t grp)
74  {
75          return 1;
76  }
in_egroup_p(kgid_t grp)77  static inline int in_egroup_p(kgid_t grp)
78  {
79          return 1;
80  }
groups_search(const struct group_info * group_info,kgid_t grp)81  static inline int groups_search(const struct group_info *group_info, kgid_t grp)
82  {
83  	return 1;
84  }
85  #endif
86  
87  /*
88   * The security context of a task
89   *
90   * The parts of the context break down into two categories:
91   *
92   *  (1) The objective context of a task.  These parts are used when some other
93   *	task is attempting to affect this one.
94   *
95   *  (2) The subjective context.  These details are used when the task is acting
96   *	upon another object, be that a file, a task, a key or whatever.
97   *
98   * Note that some members of this structure belong to both categories - the
99   * LSM security pointer for instance.
100   *
101   * A task has two security pointers.  task->real_cred points to the objective
102   * context that defines that task's actual details.  The objective part of this
103   * context is used whenever that task is acted upon.
104   *
105   * task->cred points to the subjective context that defines the details of how
106   * that task is going to act upon another object.  This may be overridden
107   * temporarily to point to another security context, but normally points to the
108   * same context as task->real_cred.
109   */
110  struct cred {
111  	atomic_t	usage;
112  #ifdef CONFIG_DEBUG_CREDENTIALS
113  	atomic_t	subscribers;	/* number of processes subscribed */
114  	void		*put_addr;
115  	unsigned	magic;
116  #define CRED_MAGIC	0x43736564
117  #define CRED_MAGIC_DEAD	0x44656144
118  #endif
119  	kuid_t		uid;		/* real UID of the task */
120  	kgid_t		gid;		/* real GID of the task */
121  	kuid_t		suid;		/* saved UID of the task */
122  	kgid_t		sgid;		/* saved GID of the task */
123  	kuid_t		euid;		/* effective UID of the task */
124  	kgid_t		egid;		/* effective GID of the task */
125  	kuid_t		fsuid;		/* UID for VFS ops */
126  	kgid_t		fsgid;		/* GID for VFS ops */
127  	unsigned	securebits;	/* SUID-less security management */
128  	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
129  	kernel_cap_t	cap_permitted;	/* caps we're permitted */
130  	kernel_cap_t	cap_effective;	/* caps we can actually use */
131  	kernel_cap_t	cap_bset;	/* capability bounding set */
132  	kernel_cap_t	cap_ambient;	/* Ambient capability set */
133  #ifdef CONFIG_KEYS
134  	unsigned char	jit_keyring;	/* default keyring to attach requested
135  					 * keys to */
136  	struct key	*session_keyring; /* keyring inherited over fork */
137  	struct key	*process_keyring; /* keyring private to this process */
138  	struct key	*thread_keyring; /* keyring private to this thread */
139  	struct key	*request_key_auth; /* assumed request_key authority */
140  #endif
141  #ifdef CONFIG_SECURITY
142  	void		*security;	/* LSM security */
143  #endif
144  	struct user_struct *user;	/* real user ID subscription */
145  	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
146  	struct ucounts *ucounts;
147  	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
148  	/* RCU deletion */
149  	union {
150  		int non_rcu;			/* Can we skip RCU deletion? */
151  		struct rcu_head	rcu;		/* RCU deletion hook */
152  	};
153  } __randomize_layout;
154  
155  extern void __put_cred(struct cred *);
156  extern void exit_creds(struct task_struct *);
157  extern int copy_creds(struct task_struct *, unsigned long);
158  extern const struct cred *get_task_cred(struct task_struct *);
159  extern struct cred *cred_alloc_blank(void);
160  extern struct cred *prepare_creds(void);
161  extern struct cred *prepare_exec_creds(void);
162  extern int commit_creds(struct cred *);
163  extern void abort_creds(struct cred *);
164  extern const struct cred *override_creds(const struct cred *);
165  extern void revert_creds(const struct cred *);
166  extern struct cred *prepare_kernel_cred(struct task_struct *);
167  extern int change_create_files_as(struct cred *, struct inode *);
168  extern int set_security_override(struct cred *, u32);
169  extern int set_security_override_from_ctx(struct cred *, const char *);
170  extern int set_create_files_as(struct cred *, struct inode *);
171  extern int cred_fscmp(const struct cred *, const struct cred *);
172  extern void __init cred_init(void);
173  extern int set_cred_ucounts(struct cred *);
174  
175  /*
176   * check for validity of credentials
177   */
178  #ifdef CONFIG_DEBUG_CREDENTIALS
179  extern void __invalid_creds(const struct cred *, const char *, unsigned);
180  extern void __validate_process_creds(struct task_struct *,
181  				     const char *, unsigned);
182  
183  extern bool creds_are_invalid(const struct cred *cred);
184  
__validate_creds(const struct cred * cred,const char * file,unsigned line)185  static inline void __validate_creds(const struct cred *cred,
186  				    const char *file, unsigned line)
187  {
188  	if (unlikely(creds_are_invalid(cred)))
189  		__invalid_creds(cred, file, line);
190  }
191  
192  #define validate_creds(cred)				\
193  do {							\
194  	__validate_creds((cred), __FILE__, __LINE__);	\
195  } while(0)
196  
197  #define validate_process_creds()				\
198  do {								\
199  	__validate_process_creds(current, __FILE__, __LINE__);	\
200  } while(0)
201  
202  extern void validate_creds_for_do_exit(struct task_struct *);
203  #else
validate_creds(const struct cred * cred)204  static inline void validate_creds(const struct cred *cred)
205  {
206  }
validate_creds_for_do_exit(struct task_struct * tsk)207  static inline void validate_creds_for_do_exit(struct task_struct *tsk)
208  {
209  }
validate_process_creds(void)210  static inline void validate_process_creds(void)
211  {
212  }
213  #endif
214  
cap_ambient_invariant_ok(const struct cred * cred)215  static inline bool cap_ambient_invariant_ok(const struct cred *cred)
216  {
217  	return cap_issubset(cred->cap_ambient,
218  			    cap_intersect(cred->cap_permitted,
219  					  cred->cap_inheritable));
220  }
221  
222  /**
223   * get_new_cred - Get a reference on a new set of credentials
224   * @cred: The new credentials to reference
225   *
226   * Get a reference on the specified set of new credentials.  The caller must
227   * release the reference.
228   */
get_new_cred(struct cred * cred)229  static inline struct cred *get_new_cred(struct cred *cred)
230  {
231  	atomic_inc(&cred->usage);
232  	return cred;
233  }
234  
235  /**
236   * get_cred - Get a reference on a set of credentials
237   * @cred: The credentials to reference
238   *
239   * Get a reference on the specified set of credentials.  The caller must
240   * release the reference.  If %NULL is passed, it is returned with no action.
241   *
242   * This is used to deal with a committed set of credentials.  Although the
243   * pointer is const, this will temporarily discard the const and increment the
244   * usage count.  The purpose of this is to attempt to catch at compile time the
245   * accidental alteration of a set of credentials that should be considered
246   * immutable.
247   */
get_cred(const struct cred * cred)248  static inline const struct cred *get_cred(const struct cred *cred)
249  {
250  	struct cred *nonconst_cred = (struct cred *) cred;
251  	if (!cred)
252  		return cred;
253  	validate_creds(cred);
254  	nonconst_cred->non_rcu = 0;
255  	return get_new_cred(nonconst_cred);
256  }
257  
get_cred_rcu(const struct cred * cred)258  static inline const struct cred *get_cred_rcu(const struct cred *cred)
259  {
260  	struct cred *nonconst_cred = (struct cred *) cred;
261  	if (!cred)
262  		return NULL;
263  	if (!atomic_inc_not_zero(&nonconst_cred->usage))
264  		return NULL;
265  	validate_creds(cred);
266  	nonconst_cred->non_rcu = 0;
267  	return cred;
268  }
269  
270  /**
271   * put_cred - Release a reference to a set of credentials
272   * @cred: The credentials to release
273   *
274   * Release a reference to a set of credentials, deleting them when the last ref
275   * is released.  If %NULL is passed, nothing is done.
276   *
277   * This takes a const pointer to a set of credentials because the credentials
278   * on task_struct are attached by const pointers to prevent accidental
279   * alteration of otherwise immutable credential sets.
280   */
put_cred(const struct cred * _cred)281  static inline void put_cred(const struct cred *_cred)
282  {
283  	struct cred *cred = (struct cred *) _cred;
284  
285  	if (cred) {
286  		validate_creds(cred);
287  		if (atomic_dec_and_test(&(cred)->usage))
288  			__put_cred(cred);
289  	}
290  }
291  
292  /**
293   * current_cred - Access the current task's subjective credentials
294   *
295   * Access the subjective credentials of the current task.  RCU-safe,
296   * since nobody else can modify it.
297   */
298  #define current_cred() \
299  	rcu_dereference_protected(current->cred, 1)
300  
301  /**
302   * current_real_cred - Access the current task's objective credentials
303   *
304   * Access the objective credentials of the current task.  RCU-safe,
305   * since nobody else can modify it.
306   */
307  #define current_real_cred() \
308  	rcu_dereference_protected(current->real_cred, 1)
309  
310  /**
311   * __task_cred - Access a task's objective credentials
312   * @task: The task to query
313   *
314   * Access the objective credentials of a task.  The caller must hold the RCU
315   * readlock.
316   *
317   * The result of this function should not be passed directly to get_cred();
318   * rather get_task_cred() should be used instead.
319   */
320  #define __task_cred(task)	\
321  	rcu_dereference((task)->real_cred)
322  
323  /**
324   * get_current_cred - Get the current task's subjective credentials
325   *
326   * Get the subjective credentials of the current task, pinning them so that
327   * they can't go away.  Accessing the current task's credentials directly is
328   * not permitted.
329   */
330  #define get_current_cred()				\
331  	(get_cred(current_cred()))
332  
333  /**
334   * get_current_user - Get the current task's user_struct
335   *
336   * Get the user record of the current task, pinning it so that it can't go
337   * away.
338   */
339  #define get_current_user()				\
340  ({							\
341  	struct user_struct *__u;			\
342  	const struct cred *__cred;			\
343  	__cred = current_cred();			\
344  	__u = get_uid(__cred->user);			\
345  	__u;						\
346  })
347  
348  /**
349   * get_current_groups - Get the current task's supplementary group list
350   *
351   * Get the supplementary group list of the current task, pinning it so that it
352   * can't go away.
353   */
354  #define get_current_groups()				\
355  ({							\
356  	struct group_info *__groups;			\
357  	const struct cred *__cred;			\
358  	__cred = current_cred();			\
359  	__groups = get_group_info(__cred->group_info);	\
360  	__groups;					\
361  })
362  
363  #define task_cred_xxx(task, xxx)			\
364  ({							\
365  	__typeof__(((struct cred *)NULL)->xxx) ___val;	\
366  	rcu_read_lock();				\
367  	___val = __task_cred((task))->xxx;		\
368  	rcu_read_unlock();				\
369  	___val;						\
370  })
371  
372  #define task_uid(task)		(task_cred_xxx((task), uid))
373  #define task_euid(task)		(task_cred_xxx((task), euid))
374  #define task_ucounts(task)	(task_cred_xxx((task), ucounts))
375  
376  #define current_cred_xxx(xxx)			\
377  ({						\
378  	current_cred()->xxx;			\
379  })
380  
381  #define current_uid()		(current_cred_xxx(uid))
382  #define current_gid()		(current_cred_xxx(gid))
383  #define current_euid()		(current_cred_xxx(euid))
384  #define current_egid()		(current_cred_xxx(egid))
385  #define current_suid()		(current_cred_xxx(suid))
386  #define current_sgid()		(current_cred_xxx(sgid))
387  #define current_fsuid() 	(current_cred_xxx(fsuid))
388  #define current_fsgid() 	(current_cred_xxx(fsgid))
389  #define current_cap()		(current_cred_xxx(cap_effective))
390  #define current_user()		(current_cred_xxx(user))
391  #define current_ucounts()	(current_cred_xxx(ucounts))
392  
393  extern struct user_namespace init_user_ns;
394  #ifdef CONFIG_USER_NS
395  #define current_user_ns()	(current_cred_xxx(user_ns))
396  #else
current_user_ns(void)397  static inline struct user_namespace *current_user_ns(void)
398  {
399  	return &init_user_ns;
400  }
401  #endif
402  
403  
404  #define current_uid_gid(_uid, _gid)		\
405  do {						\
406  	const struct cred *__cred;		\
407  	__cred = current_cred();		\
408  	*(_uid) = __cred->uid;			\
409  	*(_gid) = __cred->gid;			\
410  } while(0)
411  
412  #define current_euid_egid(_euid, _egid)		\
413  do {						\
414  	const struct cred *__cred;		\
415  	__cred = current_cred();		\
416  	*(_euid) = __cred->euid;		\
417  	*(_egid) = __cred->egid;		\
418  } while(0)
419  
420  #define current_fsuid_fsgid(_fsuid, _fsgid)	\
421  do {						\
422  	const struct cred *__cred;		\
423  	__cred = current_cred();		\
424  	*(_fsuid) = __cred->fsuid;		\
425  	*(_fsgid) = __cred->fsgid;		\
426  } while(0)
427  
428  #endif /* _LINUX_CRED_H */
429