e134d200d5
creds_are_invalid() reads both cred->usage and cred->subscribers and then compares them to make sure the number of processes subscribed to a cred struct never exceeds the refcount of that cred struct. The problem is that this can cause a race with both copy_creds() and exit_creds() as the two counters, whilst they are of atomic_t type, are only atomic with respect to themselves, and not atomic with respect to each other. This means that if creds_are_invalid() can read the values on one CPU whilst they're being modified on another CPU, and so can observe an evolving state in which the subscribers count now is greater than the usage count a moment before. Switching the order in which the counts are read cannot help, so the thing to do is to remove that particular check. I had considered rechecking the values to see if they're in flux if the test fails, but I can't guarantee they won't appear the same, even if they've changed several times in the meantime. Note that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled. The problem is only likely to occur with multithreaded programs, and can be tested by the tst-eintr1 program from glibc's "make check". The symptoms look like: CRED: Invalid credentials CRED: At include/linux/cred.h:240 CRED: Specified credentials: ffff88003dda5878 [real][eff] CRED: ->magic=43736564, put_addr=(null) CRED: ->usage=766, subscr=766 CRED: ->*uid = { 0,0,0,0 } CRED: ->*gid = { 0,0,0,0 } CRED: ->security is ffff88003d72f538 CRED: ->security {359, 359} ------------[ cut here ]------------ kernel BUG at kernel/cred.c:850! ... RIP: 0010:[<ffffffff81049889>] [<ffffffff81049889>] __invalid_creds+0x4e/0x52 ... Call Trace: [<ffffffff8104a37b>] copy_creds+0x6b/0x23f Note the ->usage=766 and subscr=766. The values appear the same because they've been re-read since the check was made. Reported-by: Roland McGrath <roland@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
897 lines
22 KiB
C
897 lines
22 KiB
C
/* Task credentials management - see Documentation/credentials.txt
|
|
*
|
|
* Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public Licence
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the Licence, or (at your option) any later version.
|
|
*/
|
|
#include <linux/module.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/key.h>
|
|
#include <linux/keyctl.h>
|
|
#include <linux/init_task.h>
|
|
#include <linux/security.h>
|
|
#include <linux/cn_proc.h>
|
|
#include "cred-internals.h"
|
|
|
|
#if 0
|
|
#define kdebug(FMT, ...) \
|
|
printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
|
|
#else
|
|
static inline __attribute__((format(printf, 1, 2)))
|
|
void no_printk(const char *fmt, ...)
|
|
{
|
|
}
|
|
#define kdebug(FMT, ...) \
|
|
no_printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
|
|
#endif
|
|
|
|
static struct kmem_cache *cred_jar;
|
|
|
|
/*
|
|
* The common credentials for the initial task's thread group
|
|
*/
|
|
#ifdef CONFIG_KEYS
|
|
static struct thread_group_cred init_tgcred = {
|
|
.usage = ATOMIC_INIT(2),
|
|
.tgid = 0,
|
|
.lock = SPIN_LOCK_UNLOCKED,
|
|
};
|
|
#endif
|
|
|
|
/*
|
|
* The initial credentials for the initial task
|
|
*/
|
|
struct cred init_cred = {
|
|
.usage = ATOMIC_INIT(4),
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
.subscribers = ATOMIC_INIT(2),
|
|
.magic = CRED_MAGIC,
|
|
#endif
|
|
.securebits = SECUREBITS_DEFAULT,
|
|
.cap_inheritable = CAP_INIT_INH_SET,
|
|
.cap_permitted = CAP_FULL_SET,
|
|
.cap_effective = CAP_INIT_EFF_SET,
|
|
.cap_bset = CAP_INIT_BSET,
|
|
.user = INIT_USER,
|
|
.group_info = &init_groups,
|
|
#ifdef CONFIG_KEYS
|
|
.tgcred = &init_tgcred,
|
|
#endif
|
|
};
|
|
|
|
static inline void set_cred_subscribers(struct cred *cred, int n)
|
|
{
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
atomic_set(&cred->subscribers, n);
|
|
#endif
|
|
}
|
|
|
|
static inline int read_cred_subscribers(const struct cred *cred)
|
|
{
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
return atomic_read(&cred->subscribers);
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
static inline void alter_cred_subscribers(const struct cred *_cred, int n)
|
|
{
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
struct cred *cred = (struct cred *) _cred;
|
|
|
|
atomic_add(n, &cred->subscribers);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* Dispose of the shared task group credentials
|
|
*/
|
|
#ifdef CONFIG_KEYS
|
|
static void release_tgcred_rcu(struct rcu_head *rcu)
|
|
{
|
|
struct thread_group_cred *tgcred =
|
|
container_of(rcu, struct thread_group_cred, rcu);
|
|
|
|
BUG_ON(atomic_read(&tgcred->usage) != 0);
|
|
|
|
key_put(tgcred->session_keyring);
|
|
key_put(tgcred->process_keyring);
|
|
kfree(tgcred);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Release a set of thread group credentials.
|
|
*/
|
|
static void release_tgcred(struct cred *cred)
|
|
{
|
|
#ifdef CONFIG_KEYS
|
|
struct thread_group_cred *tgcred = cred->tgcred;
|
|
|
|
if (atomic_dec_and_test(&tgcred->usage))
|
|
call_rcu(&tgcred->rcu, release_tgcred_rcu);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* The RCU callback to actually dispose of a set of credentials
|
|
*/
|
|
static void put_cred_rcu(struct rcu_head *rcu)
|
|
{
|
|
struct cred *cred = container_of(rcu, struct cred, rcu);
|
|
|
|
kdebug("put_cred_rcu(%p)", cred);
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
if (cred->magic != CRED_MAGIC_DEAD ||
|
|
atomic_read(&cred->usage) != 0 ||
|
|
read_cred_subscribers(cred) != 0)
|
|
panic("CRED: put_cred_rcu() sees %p with"
|
|
" mag %x, put %p, usage %d, subscr %d\n",
|
|
cred, cred->magic, cred->put_addr,
|
|
atomic_read(&cred->usage),
|
|
read_cred_subscribers(cred));
|
|
#else
|
|
if (atomic_read(&cred->usage) != 0)
|
|
panic("CRED: put_cred_rcu() sees %p with usage %d\n",
|
|
cred, atomic_read(&cred->usage));
|
|
#endif
|
|
|
|
security_cred_free(cred);
|
|
key_put(cred->thread_keyring);
|
|
key_put(cred->request_key_auth);
|
|
release_tgcred(cred);
|
|
if (cred->group_info)
|
|
put_group_info(cred->group_info);
|
|
free_uid(cred->user);
|
|
kmem_cache_free(cred_jar, cred);
|
|
}
|
|
|
|
/**
|
|
* __put_cred - Destroy a set of credentials
|
|
* @cred: The record to release
|
|
*
|
|
* Destroy a set of credentials on which no references remain.
|
|
*/
|
|
void __put_cred(struct cred *cred)
|
|
{
|
|
kdebug("__put_cred(%p{%d,%d})", cred,
|
|
atomic_read(&cred->usage),
|
|
read_cred_subscribers(cred));
|
|
|
|
BUG_ON(atomic_read(&cred->usage) != 0);
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
BUG_ON(read_cred_subscribers(cred) != 0);
|
|
cred->magic = CRED_MAGIC_DEAD;
|
|
cred->put_addr = __builtin_return_address(0);
|
|
#endif
|
|
BUG_ON(cred == current->cred);
|
|
BUG_ON(cred == current->real_cred);
|
|
|
|
call_rcu(&cred->rcu, put_cred_rcu);
|
|
}
|
|
EXPORT_SYMBOL(__put_cred);
|
|
|
|
/*
|
|
* Clean up a task's credentials when it exits
|
|
*/
|
|
void exit_creds(struct task_struct *tsk)
|
|
{
|
|
struct cred *cred;
|
|
|
|
kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
|
|
atomic_read(&tsk->cred->usage),
|
|
read_cred_subscribers(tsk->cred));
|
|
|
|
cred = (struct cred *) tsk->real_cred;
|
|
tsk->real_cred = NULL;
|
|
validate_creds(cred);
|
|
alter_cred_subscribers(cred, -1);
|
|
put_cred(cred);
|
|
|
|
cred = (struct cred *) tsk->cred;
|
|
tsk->cred = NULL;
|
|
validate_creds(cred);
|
|
alter_cred_subscribers(cred, -1);
|
|
put_cred(cred);
|
|
|
|
cred = (struct cred *) tsk->replacement_session_keyring;
|
|
if (cred) {
|
|
tsk->replacement_session_keyring = NULL;
|
|
validate_creds(cred);
|
|
put_cred(cred);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Allocate blank credentials, such that the credentials can be filled in at a
|
|
* later date without risk of ENOMEM.
|
|
*/
|
|
struct cred *cred_alloc_blank(void)
|
|
{
|
|
struct cred *new;
|
|
|
|
new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
|
|
if (!new)
|
|
return NULL;
|
|
|
|
#ifdef CONFIG_KEYS
|
|
new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
|
|
if (!new->tgcred) {
|
|
kmem_cache_free(cred_jar, new);
|
|
return NULL;
|
|
}
|
|
atomic_set(&new->tgcred->usage, 1);
|
|
#endif
|
|
|
|
atomic_set(&new->usage, 1);
|
|
|
|
if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
|
|
goto error;
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
new->magic = CRED_MAGIC;
|
|
#endif
|
|
return new;
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* prepare_creds - Prepare a new set of credentials for modification
|
|
*
|
|
* Prepare a new set of task credentials for modification. A task's creds
|
|
* shouldn't generally be modified directly, therefore this function is used to
|
|
* prepare a new copy, which the caller then modifies and then commits by
|
|
* calling commit_creds().
|
|
*
|
|
* Preparation involves making a copy of the objective creds for modification.
|
|
*
|
|
* Returns a pointer to the new creds-to-be if successful, NULL otherwise.
|
|
*
|
|
* Call commit_creds() or abort_creds() to clean up.
|
|
*/
|
|
struct cred *prepare_creds(void)
|
|
{
|
|
struct task_struct *task = current;
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
|
|
validate_process_creds();
|
|
|
|
new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
|
|
if (!new)
|
|
return NULL;
|
|
|
|
kdebug("prepare_creds() alloc %p", new);
|
|
|
|
old = task->cred;
|
|
memcpy(new, old, sizeof(struct cred));
|
|
|
|
atomic_set(&new->usage, 1);
|
|
set_cred_subscribers(new, 0);
|
|
get_group_info(new->group_info);
|
|
get_uid(new->user);
|
|
|
|
#ifdef CONFIG_KEYS
|
|
key_get(new->thread_keyring);
|
|
key_get(new->request_key_auth);
|
|
atomic_inc(&new->tgcred->usage);
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECURITY
|
|
new->security = NULL;
|
|
#endif
|
|
|
|
if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
|
|
goto error;
|
|
validate_creds(new);
|
|
return new;
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return NULL;
|
|
}
|
|
EXPORT_SYMBOL(prepare_creds);
|
|
|
|
/*
|
|
* Prepare credentials for current to perform an execve()
|
|
* - The caller must hold current->cred_guard_mutex
|
|
*/
|
|
struct cred *prepare_exec_creds(void)
|
|
{
|
|
struct thread_group_cred *tgcred = NULL;
|
|
struct cred *new;
|
|
|
|
#ifdef CONFIG_KEYS
|
|
tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
|
|
if (!tgcred)
|
|
return NULL;
|
|
#endif
|
|
|
|
new = prepare_creds();
|
|
if (!new) {
|
|
kfree(tgcred);
|
|
return new;
|
|
}
|
|
|
|
#ifdef CONFIG_KEYS
|
|
/* newly exec'd tasks don't get a thread keyring */
|
|
key_put(new->thread_keyring);
|
|
new->thread_keyring = NULL;
|
|
|
|
/* create a new per-thread-group creds for all this set of threads to
|
|
* share */
|
|
memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
|
|
|
|
atomic_set(&tgcred->usage, 1);
|
|
spin_lock_init(&tgcred->lock);
|
|
|
|
/* inherit the session keyring; new process keyring */
|
|
key_get(tgcred->session_keyring);
|
|
tgcred->process_keyring = NULL;
|
|
|
|
release_tgcred(new);
|
|
new->tgcred = tgcred;
|
|
#endif
|
|
|
|
return new;
|
|
}
|
|
|
|
/*
|
|
* prepare new credentials for the usermode helper dispatcher
|
|
*/
|
|
struct cred *prepare_usermodehelper_creds(void)
|
|
{
|
|
#ifdef CONFIG_KEYS
|
|
struct thread_group_cred *tgcred = NULL;
|
|
#endif
|
|
struct cred *new;
|
|
|
|
#ifdef CONFIG_KEYS
|
|
tgcred = kzalloc(sizeof(*new->tgcred), GFP_ATOMIC);
|
|
if (!tgcred)
|
|
return NULL;
|
|
#endif
|
|
|
|
new = kmem_cache_alloc(cred_jar, GFP_ATOMIC);
|
|
if (!new)
|
|
goto free_tgcred;
|
|
|
|
kdebug("prepare_usermodehelper_creds() alloc %p", new);
|
|
|
|
memcpy(new, &init_cred, sizeof(struct cred));
|
|
|
|
atomic_set(&new->usage, 1);
|
|
set_cred_subscribers(new, 0);
|
|
get_group_info(new->group_info);
|
|
get_uid(new->user);
|
|
|
|
#ifdef CONFIG_KEYS
|
|
new->thread_keyring = NULL;
|
|
new->request_key_auth = NULL;
|
|
new->jit_keyring = KEY_REQKEY_DEFL_DEFAULT;
|
|
|
|
atomic_set(&tgcred->usage, 1);
|
|
spin_lock_init(&tgcred->lock);
|
|
new->tgcred = tgcred;
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECURITY
|
|
new->security = NULL;
|
|
#endif
|
|
if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
|
|
goto error;
|
|
validate_creds(new);
|
|
|
|
BUG_ON(atomic_read(&new->usage) != 1);
|
|
return new;
|
|
|
|
error:
|
|
put_cred(new);
|
|
return NULL;
|
|
|
|
free_tgcred:
|
|
#ifdef CONFIG_KEYS
|
|
kfree(tgcred);
|
|
#endif
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Copy credentials for the new process created by fork()
|
|
*
|
|
* We share if we can, but under some circumstances we have to generate a new
|
|
* set.
|
|
*
|
|
* The new process gets the current process's subjective credentials as its
|
|
* objective and subjective credentials
|
|
*/
|
|
int copy_creds(struct task_struct *p, unsigned long clone_flags)
|
|
{
|
|
#ifdef CONFIG_KEYS
|
|
struct thread_group_cred *tgcred;
|
|
#endif
|
|
struct cred *new;
|
|
int ret;
|
|
|
|
mutex_init(&p->cred_guard_mutex);
|
|
|
|
if (
|
|
#ifdef CONFIG_KEYS
|
|
!p->cred->thread_keyring &&
|
|
#endif
|
|
clone_flags & CLONE_THREAD
|
|
) {
|
|
p->real_cred = get_cred(p->cred);
|
|
get_cred(p->cred);
|
|
alter_cred_subscribers(p->cred, 2);
|
|
kdebug("share_creds(%p{%d,%d})",
|
|
p->cred, atomic_read(&p->cred->usage),
|
|
read_cred_subscribers(p->cred));
|
|
atomic_inc(&p->cred->user->processes);
|
|
return 0;
|
|
}
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
if (clone_flags & CLONE_NEWUSER) {
|
|
ret = create_user_ns(new);
|
|
if (ret < 0)
|
|
goto error_put;
|
|
}
|
|
|
|
#ifdef CONFIG_KEYS
|
|
/* new threads get their own thread keyrings if their parent already
|
|
* had one */
|
|
if (new->thread_keyring) {
|
|
key_put(new->thread_keyring);
|
|
new->thread_keyring = NULL;
|
|
if (clone_flags & CLONE_THREAD)
|
|
install_thread_keyring_to_cred(new);
|
|
}
|
|
|
|
/* we share the process and session keyrings between all the threads in
|
|
* a process - this is slightly icky as we violate COW credentials a
|
|
* bit */
|
|
if (!(clone_flags & CLONE_THREAD)) {
|
|
tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
|
|
if (!tgcred) {
|
|
ret = -ENOMEM;
|
|
goto error_put;
|
|
}
|
|
atomic_set(&tgcred->usage, 1);
|
|
spin_lock_init(&tgcred->lock);
|
|
tgcred->process_keyring = NULL;
|
|
tgcred->session_keyring = key_get(new->tgcred->session_keyring);
|
|
|
|
release_tgcred(new);
|
|
new->tgcred = tgcred;
|
|
}
|
|
#endif
|
|
|
|
atomic_inc(&new->user->processes);
|
|
p->cred = p->real_cred = get_cred(new);
|
|
alter_cred_subscribers(new, 2);
|
|
validate_creds(new);
|
|
return 0;
|
|
|
|
error_put:
|
|
put_cred(new);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* commit_creds - Install new credentials upon the current task
|
|
* @new: The credentials to be assigned
|
|
*
|
|
* Install a new set of credentials to the current task, using RCU to replace
|
|
* the old set. Both the objective and the subjective credentials pointers are
|
|
* updated. This function may not be called if the subjective credentials are
|
|
* in an overridden state.
|
|
*
|
|
* This function eats the caller's reference to the new credentials.
|
|
*
|
|
* Always returns 0 thus allowing this function to be tail-called at the end
|
|
* of, say, sys_setgid().
|
|
*/
|
|
int commit_creds(struct cred *new)
|
|
{
|
|
struct task_struct *task = current;
|
|
const struct cred *old = task->real_cred;
|
|
|
|
kdebug("commit_creds(%p{%d,%d})", new,
|
|
atomic_read(&new->usage),
|
|
read_cred_subscribers(new));
|
|
|
|
BUG_ON(task->cred != old);
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
BUG_ON(read_cred_subscribers(old) < 2);
|
|
validate_creds(old);
|
|
validate_creds(new);
|
|
#endif
|
|
BUG_ON(atomic_read(&new->usage) < 1);
|
|
|
|
security_commit_creds(new, old);
|
|
|
|
get_cred(new); /* we will require a ref for the subj creds too */
|
|
|
|
/* dumpability changes */
|
|
if (old->euid != new->euid ||
|
|
old->egid != new->egid ||
|
|
old->fsuid != new->fsuid ||
|
|
old->fsgid != new->fsgid ||
|
|
!cap_issubset(new->cap_permitted, old->cap_permitted)) {
|
|
if (task->mm)
|
|
set_dumpable(task->mm, suid_dumpable);
|
|
task->pdeath_signal = 0;
|
|
smp_wmb();
|
|
}
|
|
|
|
/* alter the thread keyring */
|
|
if (new->fsuid != old->fsuid)
|
|
key_fsuid_changed(task);
|
|
if (new->fsgid != old->fsgid)
|
|
key_fsgid_changed(task);
|
|
|
|
/* do it
|
|
* - What if a process setreuid()'s and this brings the
|
|
* new uid over his NPROC rlimit? We can check this now
|
|
* cheaply with the new uid cache, so if it matters
|
|
* we should be checking for it. -DaveM
|
|
*/
|
|
alter_cred_subscribers(new, 2);
|
|
if (new->user != old->user)
|
|
atomic_inc(&new->user->processes);
|
|
rcu_assign_pointer(task->real_cred, new);
|
|
rcu_assign_pointer(task->cred, new);
|
|
if (new->user != old->user)
|
|
atomic_dec(&old->user->processes);
|
|
alter_cred_subscribers(old, -2);
|
|
|
|
sched_switch_user(task);
|
|
|
|
/* send notifications */
|
|
if (new->uid != old->uid ||
|
|
new->euid != old->euid ||
|
|
new->suid != old->suid ||
|
|
new->fsuid != old->fsuid)
|
|
proc_id_connector(task, PROC_EVENT_UID);
|
|
|
|
if (new->gid != old->gid ||
|
|
new->egid != old->egid ||
|
|
new->sgid != old->sgid ||
|
|
new->fsgid != old->fsgid)
|
|
proc_id_connector(task, PROC_EVENT_GID);
|
|
|
|
/* release the old obj and subj refs both */
|
|
put_cred(old);
|
|
put_cred(old);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(commit_creds);
|
|
|
|
/**
|
|
* abort_creds - Discard a set of credentials and unlock the current task
|
|
* @new: The credentials that were going to be applied
|
|
*
|
|
* Discard a set of credentials that were under construction and unlock the
|
|
* current task.
|
|
*/
|
|
void abort_creds(struct cred *new)
|
|
{
|
|
kdebug("abort_creds(%p{%d,%d})", new,
|
|
atomic_read(&new->usage),
|
|
read_cred_subscribers(new));
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
BUG_ON(read_cred_subscribers(new) != 0);
|
|
#endif
|
|
BUG_ON(atomic_read(&new->usage) < 1);
|
|
put_cred(new);
|
|
}
|
|
EXPORT_SYMBOL(abort_creds);
|
|
|
|
/**
|
|
* override_creds - Override the current process's subjective credentials
|
|
* @new: The credentials to be assigned
|
|
*
|
|
* Install a set of temporary override subjective credentials on the current
|
|
* process, returning the old set for later reversion.
|
|
*/
|
|
const struct cred *override_creds(const struct cred *new)
|
|
{
|
|
const struct cred *old = current->cred;
|
|
|
|
kdebug("override_creds(%p{%d,%d})", new,
|
|
atomic_read(&new->usage),
|
|
read_cred_subscribers(new));
|
|
|
|
validate_creds(old);
|
|
validate_creds(new);
|
|
get_cred(new);
|
|
alter_cred_subscribers(new, 1);
|
|
rcu_assign_pointer(current->cred, new);
|
|
alter_cred_subscribers(old, -1);
|
|
|
|
kdebug("override_creds() = %p{%d,%d}", old,
|
|
atomic_read(&old->usage),
|
|
read_cred_subscribers(old));
|
|
return old;
|
|
}
|
|
EXPORT_SYMBOL(override_creds);
|
|
|
|
/**
|
|
* revert_creds - Revert a temporary subjective credentials override
|
|
* @old: The credentials to be restored
|
|
*
|
|
* Revert a temporary set of override subjective credentials to an old set,
|
|
* discarding the override set.
|
|
*/
|
|
void revert_creds(const struct cred *old)
|
|
{
|
|
const struct cred *override = current->cred;
|
|
|
|
kdebug("revert_creds(%p{%d,%d})", old,
|
|
atomic_read(&old->usage),
|
|
read_cred_subscribers(old));
|
|
|
|
validate_creds(old);
|
|
validate_creds(override);
|
|
alter_cred_subscribers(old, 1);
|
|
rcu_assign_pointer(current->cred, old);
|
|
alter_cred_subscribers(override, -1);
|
|
put_cred(override);
|
|
}
|
|
EXPORT_SYMBOL(revert_creds);
|
|
|
|
/*
|
|
* initialise the credentials stuff
|
|
*/
|
|
void __init cred_init(void)
|
|
{
|
|
/* allocate a slab in which we can store credentials */
|
|
cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
|
|
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
|
|
}
|
|
|
|
/**
|
|
* prepare_kernel_cred - Prepare a set of credentials for a kernel service
|
|
* @daemon: A userspace daemon to be used as a reference
|
|
*
|
|
* Prepare a set of credentials for a kernel service. This can then be used to
|
|
* override a task's own credentials so that work can be done on behalf of that
|
|
* task that requires a different subjective context.
|
|
*
|
|
* @daemon is used to provide a base for the security record, but can be NULL.
|
|
* If @daemon is supplied, then the security data will be derived from that;
|
|
* otherwise they'll be set to 0 and no groups, full capabilities and no keys.
|
|
*
|
|
* The caller may change these controls afterwards if desired.
|
|
*
|
|
* Returns the new credentials or NULL if out of memory.
|
|
*
|
|
* Does not take, and does not return holding current->cred_replace_mutex.
|
|
*/
|
|
struct cred *prepare_kernel_cred(struct task_struct *daemon)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
|
|
new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
|
|
if (!new)
|
|
return NULL;
|
|
|
|
kdebug("prepare_kernel_cred() alloc %p", new);
|
|
|
|
if (daemon)
|
|
old = get_task_cred(daemon);
|
|
else
|
|
old = get_cred(&init_cred);
|
|
|
|
validate_creds(old);
|
|
|
|
*new = *old;
|
|
get_uid(new->user);
|
|
get_group_info(new->group_info);
|
|
|
|
#ifdef CONFIG_KEYS
|
|
atomic_inc(&init_tgcred.usage);
|
|
new->tgcred = &init_tgcred;
|
|
new->request_key_auth = NULL;
|
|
new->thread_keyring = NULL;
|
|
new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECURITY
|
|
new->security = NULL;
|
|
#endif
|
|
if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
|
|
goto error;
|
|
|
|
atomic_set(&new->usage, 1);
|
|
set_cred_subscribers(new, 0);
|
|
put_cred(old);
|
|
validate_creds(new);
|
|
return new;
|
|
|
|
error:
|
|
put_cred(new);
|
|
put_cred(old);
|
|
return NULL;
|
|
}
|
|
EXPORT_SYMBOL(prepare_kernel_cred);
|
|
|
|
/**
|
|
* set_security_override - Set the security ID in a set of credentials
|
|
* @new: The credentials to alter
|
|
* @secid: The LSM security ID to set
|
|
*
|
|
* Set the LSM security ID in a set of credentials so that the subjective
|
|
* security is overridden when an alternative set of credentials is used.
|
|
*/
|
|
int set_security_override(struct cred *new, u32 secid)
|
|
{
|
|
return security_kernel_act_as(new, secid);
|
|
}
|
|
EXPORT_SYMBOL(set_security_override);
|
|
|
|
/**
|
|
* set_security_override_from_ctx - Set the security ID in a set of credentials
|
|
* @new: The credentials to alter
|
|
* @secctx: The LSM security context to generate the security ID from.
|
|
*
|
|
* Set the LSM security ID in a set of credentials so that the subjective
|
|
* security is overridden when an alternative set of credentials is used. The
|
|
* security ID is specified in string form as a security context to be
|
|
* interpreted by the LSM.
|
|
*/
|
|
int set_security_override_from_ctx(struct cred *new, const char *secctx)
|
|
{
|
|
u32 secid;
|
|
int ret;
|
|
|
|
ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
return set_security_override(new, secid);
|
|
}
|
|
EXPORT_SYMBOL(set_security_override_from_ctx);
|
|
|
|
/**
|
|
* set_create_files_as - Set the LSM file create context in a set of credentials
|
|
* @new: The credentials to alter
|
|
* @inode: The inode to take the context from
|
|
*
|
|
* Change the LSM file creation context in a set of credentials to be the same
|
|
* as the object context of the specified inode, so that the new inodes have
|
|
* the same MAC context as that inode.
|
|
*/
|
|
int set_create_files_as(struct cred *new, struct inode *inode)
|
|
{
|
|
new->fsuid = inode->i_uid;
|
|
new->fsgid = inode->i_gid;
|
|
return security_kernel_create_files_as(new, inode);
|
|
}
|
|
EXPORT_SYMBOL(set_create_files_as);
|
|
|
|
#ifdef CONFIG_DEBUG_CREDENTIALS
|
|
|
|
bool creds_are_invalid(const struct cred *cred)
|
|
{
|
|
if (cred->magic != CRED_MAGIC)
|
|
return true;
|
|
#ifdef CONFIG_SECURITY_SELINUX
|
|
if (selinux_is_enabled()) {
|
|
if ((unsigned long) cred->security < PAGE_SIZE)
|
|
return true;
|
|
if ((*(u32 *)cred->security & 0xffffff00) ==
|
|
(POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
|
|
return true;
|
|
}
|
|
#endif
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL(creds_are_invalid);
|
|
|
|
/*
|
|
* dump invalid credentials
|
|
*/
|
|
static void dump_invalid_creds(const struct cred *cred, const char *label,
|
|
const struct task_struct *tsk)
|
|
{
|
|
printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
|
|
label, cred,
|
|
cred == &init_cred ? "[init]" : "",
|
|
cred == tsk->real_cred ? "[real]" : "",
|
|
cred == tsk->cred ? "[eff]" : "");
|
|
printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
|
|
cred->magic, cred->put_addr);
|
|
printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
|
|
atomic_read(&cred->usage),
|
|
read_cred_subscribers(cred));
|
|
printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
|
|
cred->uid, cred->euid, cred->suid, cred->fsuid);
|
|
printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
|
|
cred->gid, cred->egid, cred->sgid, cred->fsgid);
|
|
#ifdef CONFIG_SECURITY
|
|
printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
|
|
if ((unsigned long) cred->security >= PAGE_SIZE &&
|
|
(((unsigned long) cred->security & 0xffffff00) !=
|
|
(POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
|
|
printk(KERN_ERR "CRED: ->security {%x, %x}\n",
|
|
((u32*)cred->security)[0],
|
|
((u32*)cred->security)[1]);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* report use of invalid credentials
|
|
*/
|
|
void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
|
|
{
|
|
printk(KERN_ERR "CRED: Invalid credentials\n");
|
|
printk(KERN_ERR "CRED: At %s:%u\n", file, line);
|
|
dump_invalid_creds(cred, "Specified", current);
|
|
BUG();
|
|
}
|
|
EXPORT_SYMBOL(__invalid_creds);
|
|
|
|
/*
|
|
* check the credentials on a process
|
|
*/
|
|
void __validate_process_creds(struct task_struct *tsk,
|
|
const char *file, unsigned line)
|
|
{
|
|
if (tsk->cred == tsk->real_cred) {
|
|
if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
|
|
creds_are_invalid(tsk->cred)))
|
|
goto invalid_creds;
|
|
} else {
|
|
if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
|
|
read_cred_subscribers(tsk->cred) < 1 ||
|
|
creds_are_invalid(tsk->real_cred) ||
|
|
creds_are_invalid(tsk->cred)))
|
|
goto invalid_creds;
|
|
}
|
|
return;
|
|
|
|
invalid_creds:
|
|
printk(KERN_ERR "CRED: Invalid process credentials\n");
|
|
printk(KERN_ERR "CRED: At %s:%u\n", file, line);
|
|
|
|
dump_invalid_creds(tsk->real_cred, "Real", tsk);
|
|
if (tsk->cred != tsk->real_cred)
|
|
dump_invalid_creds(tsk->cred, "Effective", tsk);
|
|
else
|
|
printk(KERN_ERR "CRED: Effective creds == Real creds\n");
|
|
BUG();
|
|
}
|
|
EXPORT_SYMBOL(__validate_process_creds);
|
|
|
|
/*
|
|
* check creds for do_exit()
|
|
*/
|
|
void validate_creds_for_do_exit(struct task_struct *tsk)
|
|
{
|
|
kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
|
|
tsk->real_cred, tsk->cred,
|
|
atomic_read(&tsk->cred->usage),
|
|
read_cred_subscribers(tsk->cred));
|
|
|
|
__validate_process_creds(tsk, __FILE__, __LINE__);
|
|
}
|
|
|
|
#endif /* CONFIG_DEBUG_CREDENTIALS */
|