Commit 6c329784 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'notifications-20200601' of...

Merge tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull notification queue from David Howells:
 "This adds a general notification queue concept and adds an event
  source for keys/keyrings, such as linking and unlinking keys and
  changing their attributes.

  Thanks to Debarshi Ray, we do have a pull request to use this to fix a
  problem with gnome-online-accounts - as mentioned last time:

     https://gitlab.gnome.org/GNOME/gnome-online-accounts/merge_requests/47

  Without this, g-o-a has to constantly poll a keyring-based kerberos
  cache to find out if kinit has changed anything.

  [ There are other notification pending: mount/sb fsinfo notifications
    for libmount that Karel Zak and Ian Kent have been working on, and
    Christian Brauner would like to use them in lxc, but let's see how
    this one works first ]

  LSM hooks are included:

   - A set of hooks are provided that allow an LSM to rule on whether or
     not a watch may be set. Each of these hooks takes a different
     "watched object" parameter, so they're not really shareable. The
     LSM should use current's credentials. [Wanted by SELinux & Smack]

   - A hook is provided to allow an LSM to rule on whether or not a
     particular message may be posted to a particular queue. This is
     given the credentials from the event generator (which may be the
     system) and the watch setter. [Wanted by Smack]

  I've provided SELinux and Smack with implementations of some of these
  hooks.

  WHY
  ===

  Key/keyring notifications are desirable because if you have your
  kerberos tickets in a file/directory, your Gnome desktop will monitor
  that using something like fanotify and tell you if your credentials
  cache changes.

  However, we also have the ability to cache your kerberos tickets in
  the session, user or persistent keyring so that it isn't left around
  on disk across a reboot or logout. Keyrings, however, cannot currently
  be monitored asynchronously, so the desktop has to poll for it - not
  so good on a laptop. This facility will allow the desktop to avoid the
  need to poll.

  DESIGN DECISIONS
  ================

   - The notification queue is built on top of a standard pipe. Messages
     are effectively spliced in. The pipe is opened with a special flag:

        pipe2(fds, O_NOTIFICATION_PIPE);

     The special flag has the same value as O_EXCL (which doesn't seem
     like it will ever be applicable in this context)[?]. It is given up
     front to make it a lot easier to prohibit splice&co from accessing
     the pipe.

     [?] Should this be done some other way?  I'd rather not use up a new
         O_* flag if I can avoid it - should I add a pipe3() system call
         instead?

     The pipe is then configured::

        ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, queue_depth);
        ioctl(fds[1], IOC_WATCH_QUEUE_SET_FILTER, &filter);

     Messages are then read out of the pipe using read().

   - It should be possible to allow write() to insert data into the
     notification pipes too, but this is currently disabled as the
     kernel has to be able to insert messages into the pipe *without*
     holding pipe->mutex and the code to make this work needs careful
     auditing.

   - sendfile(), splice() and vmsplice() are disabled on notification
     pipes because of the pipe->mutex issue and also because they
     sometimes want to revert what they just did - but one or more
     notification messages might've been interleaved in the ring.

   - The kernel inserts messages with the wait queue spinlock held. This
     means that pipe_read() and pipe_write() have to take the spinlock
     to update the queue pointers.

   - Records in the buffer are binary, typed and have a length so that
     they can be of varying size.

     This allows multiple heterogeneous sources to share a common
     buffer; there are 16 million types available, of which I've used
     just a few, so there is scope for others to be used. Tags may be
     specified when a watchpoint is created to help distinguish the
     sources.

   - Records are filterable as types have up to 256 subtypes that can be
     individually filtered. Other filtration is also available.

   - Notification pipes don't interfere with each other; each may be
     bound to a different set of watches. Any particular notification
     will be copied to all the queues that are currently watching for it
     - and only those that are watching for it.

   - When recording a notification, the kernel will not sleep, but will
     rather mark a queue as having lost a message if there's
     insufficient space. read() will fabricate a loss notification
     message at an appropriate point later.

   - The notification pipe is created and then watchpoints are attached
     to it, using one of:

        keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fds[1], 0x01);
        watch_mount(AT_FDCWD, "/", 0, fd, 0x02);
        watch_sb(AT_FDCWD, "/mnt", 0, fd, 0x03);

     where in both cases, fd indicates the queue and the number after is
     a tag between 0 and 255.

   - Watches are removed if either the notification pipe is destroyed or
     the watched object is destroyed. In the latter case, a message will
     be generated indicating the enforced watch removal.

  Things I want to avoid:

   - Introducing features that make the core VFS dependent on the
     network stack or networking namespaces (ie. usage of netlink).

   - Dumping all this stuff into dmesg and having a daemon that sits
     there parsing the output and distributing it as this then puts the
     responsibility for security into userspace and makes handling
     namespaces tricky. Further, dmesg might not exist or might be
     inaccessible inside a container.

   - Letting users see events they shouldn't be able to see.

  TESTING AND MANPAGES
  ====================

   - The keyutils tree has a pipe-watch branch that has keyctl commands
     for making use of notifications. Proposed manual pages can also be
     found on this branch, though a couple of them really need to go to
     the main manpages repository instead.

     If the kernel supports the watching of keys, then running "make
     test" on that branch will cause the testing infrastructure to spawn
     a monitoring process on the side that monitors a notifications pipe
     for all the key/keyring changes induced by the tests and they'll
     all be checked off to make sure they happened.

        https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/log/?h=pipe-watch

   - A test program is provided (samples/watch_queue/watch_test) that
     can be used to monitor for keyrings, mount and superblock events.
     Information on the notifications is simply logged to stdout"

* tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  smack: Implement the watch_key and post_notification hooks
  selinux: Implement the watch_key security hook
  keys: Make the KEY_NEED_* perms an enum rather than a mask
  pipe: Add notification lossage handling
  pipe: Allow buffers to be marked read-whole-or-error for notifications
  Add sample notification program
  watch_queue: Add a key/keyring notification facility
  security: Add hooks to rule on setting a watch
  pipe: Add general notification queue support
  pipe: Add O_NOTIFICATION_PIPE
  security: Add a hook for the point of notification insertion
  uapi: General notification queue definitions
parents df2fbf5b a8478a60
......@@ -1030,6 +1030,63 @@ The keyctl syscall functions are:
written into the output buffer. Verification returns 0 on success.
* Watch a key or keyring for changes::
long keyctl(KEYCTL_WATCH_KEY, key_serial_t key, int queue_fd,
const struct watch_notification_filter *filter);
This will set or remove a watch for changes on the specified key or
keyring.
"key" is the ID of the key to be watched.
"queue_fd" is a file descriptor referring to an open "/dev/watch_queue"
which manages the buffer into which notifications will be delivered.
"filter" is either NULL to remove a watch or a filter specification to
indicate what events are required from the key.
See Documentation/watch_queue.rst for more information.
Note that only one watch may be emplaced for any particular { key,
queue_fd } combination.
Notification records look like::
struct key_notification {
struct watch_notification watch;
__u32 key_id;
__u32 aux;
};
In this, watch::type will be "WATCH_TYPE_KEY_NOTIFY" and subtype will be
one of::
NOTIFY_KEY_INSTANTIATED
NOTIFY_KEY_UPDATED
NOTIFY_KEY_LINKED
NOTIFY_KEY_UNLINKED
NOTIFY_KEY_CLEARED
NOTIFY_KEY_REVOKED
NOTIFY_KEY_INVALIDATED
NOTIFY_KEY_SETATTR
Where these indicate a key being instantiated/rejected, updated, a link
being made in a keyring, a link being removed from a keyring, a keyring
being cleared, a key being revoked, a key being invalidated or a key
having one of its attributes changed (user, group, perm, timeout,
restriction).
If a watched key is deleted, a basic watch_notification will be issued
with "type" set to WATCH_TYPE_META and "subtype" set to
watch_meta_removal_notification. The watchpoint ID will be set in the
"info" field.
This needs to be configured by enabling:
"Provide key/keyring change notifications" (KEY_NOTIFICATIONS)
Kernel Services
===============
......
......@@ -202,6 +202,7 @@ Code Seq# Include File Comments
'W' 00-1F linux/wanrouter.h conflict! (pre 3.9)
'W' 00-3F sound/asound.h conflict!
'W' 40-5F drivers/pci/switch/switchtec.c
'W' 60-61 linux/watch_queue.h
'X' all fs/xfs/xfs_fs.h, conflict!
fs/xfs/linux-2.6/xfs_ioctl32.h,
include/linux/falloc.h,
......
This diff is collapsed.
This diff is collapsed.
......@@ -1101,8 +1101,8 @@ long do_splice(struct file *in, loff_t __user *off_in,
!(out->f_mode & FMODE_WRITE)))
return -EBADF;
ipipe = get_pipe_info(in);
opipe = get_pipe_info(out);
ipipe = get_pipe_info(in, true);
opipe = get_pipe_info(out, true);
if (ipipe && opipe) {
if (off_in || off_out)
......@@ -1252,7 +1252,7 @@ static int pipe_to_user(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
static long vmsplice_to_user(struct file *file, struct iov_iter *iter,
unsigned int flags)
{
struct pipe_inode_info *pipe = get_pipe_info(file);
struct pipe_inode_info *pipe = get_pipe_info(file, true);
struct splice_desc sd = {
.total_len = iov_iter_count(iter),
.flags = flags,
......@@ -1287,7 +1287,7 @@ static long vmsplice_to_pipe(struct file *file, struct iov_iter *iter,
if (flags & SPLICE_F_GIFT)
buf_flag = PIPE_BUF_FLAG_GIFT;
pipe = get_pipe_info(file);
pipe = get_pipe_info(file, true);
if (!pipe)
return -EBADF;
......@@ -1733,8 +1733,8 @@ static int link_pipe(struct pipe_inode_info *ipipe,
*/
long do_tee(struct file *in, struct file *out, size_t len, unsigned int flags)
{
struct pipe_inode_info *ipipe = get_pipe_info(in);
struct pipe_inode_info *opipe = get_pipe_info(out);
struct pipe_inode_info *ipipe = get_pipe_info(in, true);
struct pipe_inode_info *opipe = get_pipe_info(out, true);
int ret = -EINVAL;
if (unlikely(!(in->f_mode & FMODE_READ) ||
......
......@@ -71,6 +71,23 @@ struct net;
#define KEY_PERM_UNDEF 0xffffffff
/*
* The permissions required on a key that we're looking up.
*/
enum key_need_perm {
KEY_NEED_UNSPECIFIED, /* Needed permission unspecified */
KEY_NEED_VIEW, /* Require permission to view attributes */
KEY_NEED_READ, /* Require permission to read content */
KEY_NEED_WRITE, /* Require permission to update / modify */
KEY_NEED_SEARCH, /* Require permission to search (keyring) or find (key) */
KEY_NEED_LINK, /* Require permission to link */
KEY_NEED_SETATTR, /* Require permission to change attributes */
KEY_NEED_UNLINK, /* Require permission to unlink key */
KEY_SYSADMIN_OVERRIDE, /* Special: override by CAP_SYS_ADMIN */
KEY_AUTHTOKEN_OVERRIDE, /* Special: override by possession of auth token */
KEY_DEFER_PERM_CHECK, /* Special: permission check is deferred */
};
struct seq_file;
struct user_struct;
struct signal_struct;
......@@ -176,6 +193,9 @@ struct key {
struct list_head graveyard_link;
struct rb_node serial_node;
};
#ifdef CONFIG_KEY_NOTIFICATIONS
struct watch_list *watchers; /* Entities watching this key for changes */
#endif
struct rw_semaphore sem; /* change vs change sem */
struct key_user *user; /* owner of this key */
void *security; /* security data for this key */
......@@ -417,20 +437,9 @@ static inline key_serial_t key_serial(const struct key *key)
extern void key_set_timeout(struct key *, unsigned);
extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
key_perm_t perm);
enum key_need_perm need_perm);
extern void key_free_user_ns(struct user_namespace *);
/*
* The permissions required on a key that we're looking up.
*/
#define KEY_NEED_VIEW 0x01 /* Require permission to view attributes */
#define KEY_NEED_READ 0x02 /* Require permission to read content */
#define KEY_NEED_WRITE 0x04 /* Require permission to update / modify */
#define KEY_NEED_SEARCH 0x08 /* Require permission to search (keyring) or find (key) */
#define KEY_NEED_LINK 0x10 /* Require permission to link */
#define KEY_NEED_SETATTR 0x20 /* Require permission to change attributes */
#define KEY_NEED_ALL 0x3f /* All the above permissions */
static inline short key_read_state(const struct key *key)
{
/* Barrier versus mark_key_instantiated(). */
......
......@@ -75,6 +75,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_IBPKEY 13
#define LSM_AUDIT_DATA_IBENDPORT 14
#define LSM_AUDIT_DATA_LOCKDOWN 15
#define LSM_AUDIT_DATA_NOTIFICATION 16
union {
struct path path;
struct dentry *dentry;
......
......@@ -254,6 +254,15 @@ LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen)
LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx,
u32 *ctxlen)
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
const struct cred *cred, struct watch_notification *n)
#endif /* CONFIG_SECURITY && CONFIG_WATCH_QUEUE */
#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)
LSM_HOOK(int, 0, watch_key, struct key *key)
#endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */
#ifdef CONFIG_SECURITY_NETWORK
LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other,
struct sock *newsk)
......
......@@ -1445,6 +1445,20 @@
* @ctx is a pointer in which to place the allocated security context.
* @ctxlen points to the place to put the length of @ctx.
*
* Security hooks for the general notification queue:
*
* @post_notification:
* Check to see if a watch notification can be posted to a particular
* queue.
* @w_cred: The credentials of the whoever set the watch.
* @cred: The event-triggerer's credentials
* @n: The notification being posted
*
* @watch_key:
* Check to see if a process is allowed to watch for event notifications
* from a key or keyring.
* @key: The key to watch.
*
* Security hooks for using the eBPF maps and programs functionalities through
* eBPF syscalls.
*
......
......@@ -9,6 +9,10 @@
#define PIPE_BUF_FLAG_GIFT 0x04 /* page is a gift */
#define PIPE_BUF_FLAG_PACKET 0x08 /* read() as a packet */
#define PIPE_BUF_FLAG_CAN_MERGE 0x10 /* can merge buffers */
#define PIPE_BUF_FLAG_WHOLE 0x20 /* read() must return entire buffer or error */
#ifdef CONFIG_WATCH_QUEUE
#define PIPE_BUF_FLAG_LOSS 0x40 /* Message loss happened after this buffer */
#endif
/**
* struct pipe_buffer - a linux kernel pipe buffer
......@@ -34,8 +38,10 @@ struct pipe_buffer {
* @wr_wait: writer wait point in case of full pipe
* @head: The point of buffer production
* @tail: The point of buffer consumption
* @note_loss: The next read() should insert a data-lost message
* @max_usage: The maximum number of slots that may be used in the ring
* @ring_size: total number of buffers (should be a power of 2)
* @nr_accounted: The amount this pipe accounts for in user->pipe_bufs
* @tmp_page: cached released page
* @readers: number of current readers of this pipe
* @writers: number of current writers of this pipe
......@@ -46,6 +52,7 @@ struct pipe_buffer {
* @fasync_writers: writer side fasync
* @bufs: the circular array of pipe buffers
* @user: the user who created this pipe
* @watch_queue: If this pipe is a watch_queue, this is the stuff for that
**/
struct pipe_inode_info {
struct mutex mutex;
......@@ -54,6 +61,10 @@ struct pipe_inode_info {
unsigned int tail;
unsigned int max_usage;
unsigned int ring_size;
#ifdef CONFIG_WATCH_QUEUE
bool note_loss;
#endif
unsigned int nr_accounted;
unsigned int readers;
unsigned int writers;
unsigned int files;
......@@ -64,6 +75,9 @@ struct pipe_inode_info {
struct fasync_struct *fasync_writers;
struct pipe_buffer *bufs;
struct user_struct *user;
#ifdef CONFIG_WATCH_QUEUE
struct watch_queue *watch_queue;
#endif
};
/*
......@@ -239,9 +253,20 @@ void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
extern const struct pipe_buf_operations nosteal_pipe_buf_ops;
#ifdef CONFIG_WATCH_QUEUE
unsigned long account_pipe_buffers(struct user_struct *user,
unsigned long old, unsigned long new);
bool too_many_pipe_buffers_soft(unsigned long user_bufs);
bool too_many_pipe_buffers_hard(unsigned long user_bufs);
bool pipe_is_unprivileged_user(void);
#endif
/* for F_SETPIPE_SZ and F_GETPIPE_SZ */
#ifdef CONFIG_WATCH_QUEUE
int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots);
#endif
long pipe_fcntl(struct file *, unsigned int, unsigned long arg);
struct pipe_inode_info *get_pipe_info(struct file *file);
struct pipe_inode_info *get_pipe_info(struct file *file, bool for_splice);
int create_pipe_files(struct file **, int);
unsigned int round_pipe_size(unsigned long size);
......
......@@ -56,6 +56,8 @@ struct mm_struct;
struct fs_context;
struct fs_parameter;
enum fs_value_type;
struct watch;
struct watch_notification;
/* Default (no) options for the capable function */
#define CAP_OPT_NONE 0x0
......@@ -1282,6 +1284,28 @@ static inline int security_locked_down(enum lockdown_reason what)
}
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
int security_post_notification(const struct cred *w_cred,
const struct cred *cred,
struct watch_notification *n);
#else
static inline int security_post_notification(const struct cred *w_cred,
const struct cred *cred,
struct watch_notification *n)
{
return 0;
}
#endif
#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)
int security_watch_key(struct key *key);
#else
static inline int security_watch_key(struct key *key)
{
return 0;
}
#endif
#ifdef CONFIG_SECURITY_NETWORK
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk);
......@@ -1750,8 +1774,8 @@ static inline int security_path_chroot(const struct path *path)
int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
void security_key_free(struct key *key);
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm);
int security_key_permission(key_ref_t key_ref, const struct cred *cred,
enum key_need_perm need_perm);
int security_key_getsecurity(struct key *key, char **_buffer);
#else
......@@ -1769,7 +1793,7 @@ static inline void security_key_free(struct key *key)
static inline int security_key_permission(key_ref_t key_ref,
const struct cred *cred,
unsigned perm)
enum key_need_perm need_perm)
{
return 0;
}
......
// SPDX-License-Identifier: GPL-2.0
/* User-mappable watch queue
*
* Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* See Documentation/watch_queue.rst
*/
#ifndef _LINUX_WATCH_QUEUE_H
#define _LINUX_WATCH_QUEUE_H
#include <uapi/linux/watch_queue.h>
#include <linux/kref.h>
#include <linux/rcupdate.h>
#ifdef CONFIG_WATCH_QUEUE
struct cred;
struct watch_type_filter {
enum watch_notification_type type;
__u32 subtype_filter[1]; /* Bitmask of subtypes to filter on */
__u32 info_filter; /* Filter on watch_notification::info */
__u32 info_mask; /* Mask of relevant bits in info_filter */
};
struct watch_filter {
union {
struct rcu_head rcu;
unsigned long type_filter[2]; /* Bitmask of accepted types */
};
u32 nr_filters; /* Number of filters */
struct watch_type_filter filters[];
};
struct watch_queue {
struct rcu_head rcu;
struct watch_filter __rcu *filter;
struct pipe_inode_info *pipe; /* The pipe we're using as a buffer */
struct hlist_head watches; /* Contributory watches */
struct page **notes; /* Preallocated notifications */
unsigned long *notes_bitmap; /* Allocation bitmap for notes */
struct kref usage; /* Object usage count */
spinlock_t lock;
unsigned int nr_notes; /* Number of notes */
unsigned int nr_pages; /* Number of pages in notes[] */
bool defunct; /* T when queues closed */
};
/*
* Representation of a watch on an object.
*/
struct watch {
union {
struct rcu_head rcu;
u32 info_id; /* ID to be OR'd in to info field */
};
struct watch_queue __rcu *queue; /* Queue to post events to */
struct hlist_node queue_node; /* Link in queue->watches */
struct watch_list __rcu *watch_list;
struct hlist_node list_node; /* Link in watch_list->watchers */
const struct cred *cred; /* Creds of the owner of the watch */
void *private; /* Private data for the watched object */
u64 id; /* Internal identifier */
struct kref usage; /* Object usage count */
};
/*
* List of watches on an object.
*/
struct watch_list {
struct rcu_head rcu;
struct hlist_head watchers;
void (*release_watch)(struct watch *);
spinlock_t lock;
};
extern void __post_watch_notification(struct watch_list *,
struct watch_notification *,
const struct cred *,
u64);
extern struct watch_queue *get_watch_queue(int);
extern void put_watch_queue(struct watch_queue *);
extern void init_watch(struct watch *, struct watch_queue *);
extern int add_watch_to_object(struct watch *, struct watch_list *);
extern int remove_watch_from_object(struct watch_list *, struct watch_queue *, u64, bool);
extern long watch_queue_set_size(struct pipe_inode_info *, unsigned int);
extern long watch_queue_set_filter(struct pipe_inode_info *,
struct watch_notification_filter __user *);
extern int watch_queue_init(struct pipe_inode_info *);
extern void watch_queue_clear(struct watch_queue *);
static inline void init_watch_list(struct watch_list *wlist,
void (*release_watch)(struct watch *))
{
INIT_HLIST_HEAD(&wlist->watchers);
spin_lock_init(&wlist->lock);
wlist->release_watch = release_watch;
}
static inline void post_watch_notification(struct watch_list *wlist,
struct watch_notification *n,
const struct cred *cred,
u64 id)
{
if (unlikely(wlist))
__post_watch_notification(wlist, n, cred, id);
}
static inline void remove_watch_list(struct watch_list *wlist, u64 id)
{
if (wlist) {
remove_watch_from_object(wlist, NULL, id, true);
kfree_rcu(wlist, rcu);
}
}
/**
* watch_sizeof - Calculate the information part of the size of a watch record,
* given the structure size.
*/
#define watch_sizeof(STRUCT) (sizeof(STRUCT) << WATCH_INFO_LENGTH__SHIFT)
#endif
#endif /* _LINUX_WATCH_QUEUE_H */
......@@ -69,6 +69,7 @@
#define KEYCTL_RESTRICT_KEYRING 29 /* Restrict keys allowed to link to a keyring */
#define KEYCTL_MOVE 30 /* Move keys between keyrings */
#define KEYCTL_CAPABILITIES 31 /* Find capabilities of keyrings subsystem */
#define KEYCTL_WATCH_KEY 32 /* Watch a key or ring of keys for changes */
/* keyctl structures */
struct keyctl_dh_params {
......@@ -130,5 +131,6 @@ struct keyctl_pkey_params {
#define KEYCTL_CAPS0_MOVE 0x80 /* KEYCTL_MOVE supported */
#define KEYCTL_CAPS1_NS_KEYRING_NAME 0x01 /* Keyring names are per-user_namespace */
#define KEYCTL_CAPS1_NS_KEY_TAG 0x02 /* Key indexing can include a namespace tag */
#define KEYCTL_CAPS1_NOTIFICATIONS 0x04 /* Keys generate watchable notifications */
#endif /* _LINUX_KEYCTL_H */
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_LINUX_WATCH_QUEUE_H
#define _UAPI_LINUX_WATCH_QUEUE_H
#include <linux/types.h>
#include <linux/fcntl.h>
#include <linux/ioctl.h>
#define O_NOTIFICATION_PIPE O_EXCL /* Parameter to pipe2() selecting notification pipe */
#define IOC_WATCH_QUEUE_SET_SIZE _IO('W', 0x60) /* Set the size in pages */
#define IOC_WATCH_QUEUE_SET_FILTER _IO('W', 0x61) /* Set the filter */
enum watch_notification_type {
WATCH_TYPE_META = 0, /* Special record */
WATCH_TYPE_KEY_NOTIFY = 1, /* Key change event notification */
WATCH_TYPE__NR = 2
};
enum watch_meta_notification_subtype {
WATCH_META_REMOVAL_NOTIFICATION = 0, /* Watched object was removed */
WATCH_META_LOSS_NOTIFICATION = 1, /* Data loss occurred */
};
/*
* Notification record header. This is aligned to 64-bits so that subclasses
* can contain __u64 fields.
*/
struct watch_notification {
__u32 type:24; /* enum watch_notification_type */
__u32 subtype:8; /* Type-specific subtype (filterable) */
__u32 info;
#define WATCH_INFO_LENGTH 0x0000007f /* Length of record */
#define WATCH_INFO_LENGTH__SHIFT 0
#define WATCH_INFO_ID 0x0000ff00 /* ID of watchpoint */
#define WATCH_INFO_ID__SHIFT 8
#define WATCH_INFO_TYPE_INFO 0xffff0000 /* Type-specific info */
#define WATCH_INFO_TYPE_INFO__SHIFT 16
#define WATCH_INFO_FLAG_0 0x00010000 /* Type-specific info, flag bit 0 */
#define WATCH_INFO_FLAG_1 0x00020000 /* ... */
#define WATCH_INFO_FLAG_2 0x00040000
#define WATCH_INFO_FLAG_3 0x00080000
#define WATCH_INFO_FLAG_4 0x00100000
#define WATCH_INFO_FLAG_5 0x00200000
#define WATCH_INFO_FLAG_6 0x00400000
#define WATCH_INFO_FLAG_7 0x00800000
};
/*
* Notification filtering rules (IOC_WATCH_QUEUE_SET_FILTER).
*/
struct watch_notification_type_filter {
__u32 type; /* Type to apply filter to */
__u32 info_filter; /* Filter on watch_notification::info */
__u32 info_mask; /* Mask of relevant bits in info_filter */
__u32 subtype_filter[8]; /* Bitmask of subtypes to filter on */
};
struct watch_notification_filter {
__u32 nr_filters; /* Number of filters */
__u32 __reserved; /* Must be 0 */
struct watch_notification_type_filter filters[];
};
/*
* Extended watch removal notification. This is used optionally if the type
* wants to indicate an identifier for the object being watched, if there is
* such. This can be distinguished by the length.
*
* type -> WATCH_TYPE_META
* subtype -> WATCH_META_REMOVAL_NOTIFICATION
*/
struct watch_notification_removal {
struct watch_notification watch;
__u64 id; /* Type-dependent identifier */
};
/*
* Type of key/keyring change notification.
*/
enum key_notification_subtype {
NOTIFY_KEY_INSTANTIATED = 0, /* Key was instantiated (aux is error code) */
NOTIFY_KEY_UPDATED = 1, /* Key was updated */
NOTIFY_KEY_LINKED = 2, /* Key (aux) was added to watched keyring */
NOTIFY_KEY_UNLINKED = 3, /* Key (aux) was removed from watched keyring */
NOTIFY_KEY_CLEARED = 4, /* Keyring was cleared */
NOTIFY_KEY_REVOKED = 5, /* Key was revoked */
NOTIFY_KEY_INVALIDATED = 6, /* Key was invalidated */
NOTIFY_KEY_SETATTR = 7, /* Key's attributes got changed */
};
/*
* Key/keyring notification record.
* - watch.type = WATCH_TYPE_KEY_NOTIFY
* - watch.subtype = enum key_notification_type
*/
struct key_notification {
struct watch_notification watch;
__u32 key_id; /* The key/keyring affected */
__u32 aux; /* Per-type auxiliary data */
};
#endif /* _UAPI_LINUX_WATCH_QUEUE_H */
......@@ -367,6 +367,18 @@ config POSIX_MQUEUE_SYSCTL
depends on SYSCTL
default y
config WATCH_QUEUE
bool "General notification queue"
default n
help
This is a general notification queue for the kernel to pass events to
userspace by splicing them into pipes. It can be used in conjunction
with watches for key/keyring change notifications and device
notifications.
See Documentation/watch_queue.rst
config CROSS_MEMORY_ATTACH
bool "Enable process_vm_readv/writev syscalls"
depends on MMU
......
......@@ -121,6 +121,7 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
obj-$(CONFIG_HAS_IOMEM) += iomem.o
obj-$(CONFIG_RSEQ) += rseq.o
obj-$(CONFIG_WATCH_QUEUE) += watch_queue.o
obj-$(CONFIG_SYSCTL_KUNIT_TEST) += sysctl-test.o
......
This diff is collapsed.
......@@ -209,4 +209,11 @@ config SAMPLE_WATCHDOG
bool "watchdog sample"
depends on CC_CAN_LINK
config SAMPLE_WATCH_QUEUE
bool "Build example /dev/watch_queue notification consumer"
depends on HEADERS_INSTALL
help
Build example userspace program to use the new mount_notify(),
sb_notify() syscalls and the KEYCTL_WATCH_KEY keyctl() function.
endif # SAMPLES
......@@ -27,3 +27,4 @@ obj-y += vfio-mdev/
subdir-$(CONFIG_SAMPLE_VFS) += vfs
obj-$(CONFIG_SAMPLE_INTEL_MEI) += mei/
subdir-$(CONFIG_SAMPLE_WATCHDOG) += watchdog
subdir-$(CONFIG_SAMPLE_WATCH_QUEUE) += watch_queue
# List of programs to build
hostprogs := watch_test
# Tell kbuild to always build the programs
always-y := $(hostprogs)
HOSTCFLAGS_watch_test.o += -I$(objtree)/usr/include
// SPDX-License-Identifier: GPL-2.0
/* Use /dev/watch_queue to watch for notifications.
*
* Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <limits.h>
#include <linux/watch_queue.h>
#include <linux/unistd.h>
#include <linux/keyctl.h>
#ifndef KEYCTL_WATCH_KEY
#define KEYCTL_WATCH_KEY -1
#endif
#ifndef __NR_keyctl
#define __NR_keyctl -1
#endif
#define BUF_SIZE 256
static long keyctl_watch_key(int key, int watch_fd, int watch_id)
{
return syscall(__NR_keyctl, KEYCTL_WATCH_KEY, key, watch_fd, watch_id);
}
static const char *key_subtypes[256] = {
[NOTIFY_KEY_INSTANTIATED] = "instantiated",
[NOTIFY_KEY_UPDATED] = "updated",
[NOTIFY_KEY_LINKED] = "linked",
[NOTIFY_KEY_UNLINKED] = "unlinked",
[NOTIFY_KEY_CLEARED] = "cleared",
[NOTIFY_KEY_REVOKED] = "revoked",
[NOTIFY_KEY_INVALIDATED] = "invalidated",
[NOTIFY_KEY_SETATTR] = "setattr",
};
static void saw_key_change(struct watch_notification *n, size_t len)
{
struct key_notification *k = (struct key_notification *)n;
if (len != sizeof(struct key_notification)) {
fprintf(stderr, "Incorrect key message length\n");
return;
}
printf("KEY %08x change=%u[%s] aux=%u\n",
k->key_id, n->subtype, key_subtypes[n->subtype], k->aux);
}
/*
* Consume and display events.
*/
static void consumer(int fd)
{
unsigned char buffer[433], *p, *end;
union {
struct watch_notification n;
unsigned char buf1[128];
} n;
ssize_t buf_len;
for (;;) {
buf_len = read(fd, buffer, sizeof(buffer));
if (buf_len == -1) {
perror("read");
exit(1);
}
if (buf_len == 0) {
printf("-- END --\n");
return;
}
if (buf_len > sizeof(buffer)) {
fprintf(stderr, "Read buffer overrun: %zd\n", buf_len);
return;
}
printf("read() = %zd\n", buf_len);
p = buffer;
end = buffer + buf_len;
while (p < end) {
size_t largest, len;
largest = end - p;
if (largest > 128)
largest = 128;
if (largest < sizeof(struct watch_notification)) {
fprintf(stderr, "Short message header: %zu\n", largest);
return;
}
memcpy(&n, p, largest);
printf("NOTIFY[%03zx]: ty=%06x sy=%02x i=%08x\n",
p - buffer, n.n.type, n.n.subtype, n.n.info);
len = n.n.info & WATCH_INFO_LENGTH;
if (len < sizeof(n.n) || len > largest) {
fprintf(stderr, "Bad message length: %zu/%zu\n", len, largest);
exit(1);
}
switch (n.n.type) {
case WATCH_TYPE_META:
switch (n.n.subtype) {
case WATCH_META_REMOVAL_NOTIFICATION:
printf("REMOVAL of watchpoint %08x\n",
(n.n.info & WATCH_INFO_ID) >>
WATCH_INFO_ID__SHIFT);
break;
case WATCH_META_LOSS_NOTIFICATION:
printf("-- LOSS --\n");
break;
default:
printf("other meta record\n");
break;
}
break;
case WATCH_TYPE_KEY_NOTIFY:
saw_key_change(&n.n, len);
break;
default:
printf("other type\n");
break;
}
p += len;
}
}
}
static struct watch_notification_filter filter = {
.nr_filters = 1,
.filters = {
[0] = {
.type = WATCH_TYPE_KEY_NOTIFY,
.subtype_filter[0] = UINT_MAX,
},
},
};
int main(int argc, char **argv)
{
int pipefd[2], fd;
if (pipe2(pipefd, O_NOTIFICATION_PIPE) == -1) {
perror("pipe2");
exit(1);
}
fd = pipefd[0];
if (ioctl(fd, IOC_WATCH_QUEUE_SET_SIZE, BUF_SIZE) == -1) {
perror("watch_queue(size)");
exit(1);
}
if (ioctl(fd, IOC_WATCH_QUEUE_SET_FILTER, &filter) == -1) {
perror("watch_queue(filter)");
exit(1);
}
if (keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fd, 0x01) == -1) {
perror("keyctl");
exit(1);
}
if (keyctl_watch_key(KEY_SPEC_USER_KEYRING, fd, 0x02) == -1) {
perror("keyctl");
exit(1);
}
consumer(fd);
exit(0);
}
......@@ -114,3 +114,12 @@ config KEY_DH_OPERATIONS
in the kernel.
If you are unsure as to whether this is required, answer N.
config KEY_NOTIFICATIONS
bool "Provide key/keyring change notifications"
depends on KEYS && WATCH_QUEUE
help
This option provides support for getting change notifications on keys
and keyrings on which the caller has View permission. This makes use
of the /dev/watch_queue misc device to handle the notification
buffer and provides KEYCTL_WATCH_KEY to enable/disable watches.
......@@ -156,6 +156,9 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
case KEYCTL_CAPABILITIES:
return keyctl_capabilities(compat_ptr(arg2), arg3);
case KEYCTL_WATCH_KEY:
return keyctl_watch_key(arg2, arg3, arg4);
default:
return -EOPNOTSUPP;
}
......
......@@ -131,6 +131,11 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
kdebug("- %u", key->serial);
key_check(key);
#ifdef CONFIG_KEY_NOTIFICATIONS
remove_watch_list(key->watchers, key->serial);
key->watchers = NULL;
#endif
/* Throw away the key data if the key is instantiated */
if (state == KEY_IS_POSITIVE && key->type->destroy)
key->type->destroy(key);
......
......@@ -15,6 +15,7 @@
#include <linux/task_work.h>
#include <linux/keyctl.h>
#include <linux/refcount.h>
#include <linux/watch_queue.h>
#include <linux/compat.h>
#include <linux/mm.h>
#include <linux/vmalloc.h>
......@@ -99,7 +100,8 @@ extern int __key_link_begin(struct key *keyring,
const struct keyring_index_key *index_key,
struct assoc_array_edit **_edit);
extern int __key_link_check_live_key(struct key *keyring, struct key *key);
extern void __key_link(struct key *key, struct assoc_array_edit **_edit);
extern void __key_link(struct key *keyring, struct key *key,
struct assoc_array_edit **_edit);
extern void __key_link_end(struct key *keyring,
const struct keyring_index_key *index_key,
struct assoc_array_edit *edit);
......@@ -165,7 +167,6 @@ extern bool lookup_user_key_possessed(const struct key *key,
const struct key_match_data *match_data);
#define KEY_LOOKUP_CREATE 0x01
#define KEY_LOOKUP_PARTIAL 0x02
#define KEY_LOOKUP_FOR_UNLINK 0x04
extern long join_session_keyring(const char *name);
extern void key_change_session_keyring(struct callback_head *twork);
......@@ -181,14 +182,32 @@ extern void key_gc_keytype(struct key_type *ktype);
extern int key_task_permission(const key_ref_t key_ref,
const struct cred *cred,
key_perm_t perm);
enum key_need_perm need_perm);
static inline void notify_key(struct key *key,
enum key_notification_subtype subtype, u32 aux)
{
#ifdef CONFIG_KEY_NOTIFICATIONS
struct key_notification n = {
.watch.type = WATCH_TYPE_KEY_NOTIFY,
.watch.subtype = subtype,
.watch.info = watch_sizeof(n),
.key_id = key_serial(key),
.aux = aux,
};
post_watch_notification(key->watchers, &n.watch, current_cred(),
n.key_id);
#endif
}
/*
* Check to see whether permission is granted to use a key in the desired way.
*/
static inline int key_permission(const key_ref_t key_ref, unsigned perm)
static inline int key_permission(const key_ref_t key_ref,
enum key_need_perm need_perm)
{
return key_task_permission(key_ref, current_cred(), perm);
return key_task_permission(key_ref, current_cred(), need_perm);
}
extern struct key_type key_type_request_key_auth;
......@@ -333,6 +352,15 @@ static inline long keyctl_pkey_e_d_s(int op,
extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen);
#ifdef CONFIG_KEY_NOTIFICATIONS
extern long keyctl_watch_key(key_serial_t, int, int);
#else
static inline long keyctl_watch_key(key_serial_t key_id, int watch_fd, int watch_id)
{
return -EOPNOTSUPP;
}
#endif
/*
* Debugging key validation
*/
......
......@@ -444,6 +444,7 @@ static int __key_instantiate_and_link(struct key *key,
/* mark the key as being instantiated */
atomic_inc(&key->user->nikeys);
mark_key_instantiated(key, 0);
notify_key(key, NOTIFY_KEY_INSTANTIATED, 0);
if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
awaken = 1;
......@@ -453,7 +454,7 @@ static int __key_instantiate_and_link(struct key *key,
if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
set_bit(KEY_FLAG_KEEP, &key->flags);
__key_link(key, _edit);
__key_link(keyring, key, _edit);
}
/* disable the authorisation key */
......@@ -601,6 +602,7 @@ int key_reject_and_link(struct key *key,
/* mark the key as being negatively instantiated */
atomic_inc(&key->user->nikeys);
mark_key_instantiated(key, -error);
notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
key->expiry = ktime_get_real_seconds() + timeout;
key_schedule_gc(key->expiry + key_gc_delay);
......@@ -611,7 +613,7 @@ int key_reject_and_link(struct key *key,
/* and link it into the destination keyring */
if (keyring && link_ret == 0)
__key_link(key, &edit);
__key_link(keyring, key, &edit);
/* disable the authorisation key */
if (authkey)
......@@ -764,9 +766,11 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
down_write(&key->sem);
ret = key->type->update(key, prep);
if (ret == 0)
if (ret == 0) {
/* Updating a negative key positively instantiates it */
mark_key_instantiated(key, 0);
notify_key(key, NOTIFY_KEY_UPDATED, 0);
}
up_write(&key->sem);
......@@ -1023,9 +1027,11 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
down_write(&key->sem);
ret = key->type->update(key, &prep);
if (ret == 0)
if (ret == 0) {
/* Updating a negative key positively instantiates it */
mark_key_instantiated(key, 0);
notify_key(key, NOTIFY_KEY_UPDATED, 0);
}
up_write(&key->sem);
......@@ -1057,15 +1063,17 @@ void key_revoke(struct key *key)
* instantiated
*/
down_write_nested(&key->sem, 1);
if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags) &&
key->type->revoke)
key->type->revoke(key);
/* set the death time to no more than the expiry time */
time = ktime_get_real_seconds();
if (key->revoked_at == 0 || key->revoked_at > time) {
key->revoked_at = time;
key_schedule_gc(key->revoked_at + key_gc_delay);
if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) {
notify_key(key, NOTIFY_KEY_REVOKED, 0);
if (key->type->revoke)
key->type->revoke(key);
/* set the death time to no more than the expiry time */
time = ktime_get_real_seconds();
if (key->revoked_at == 0 || key->revoked_at > time) {
key->revoked_at = time;
key_schedule_gc(key->revoked_at + key_gc_delay);
}
}
up_write(&key->sem);
......@@ -1087,8 +1095,10 @@ void key_invalidate(struct key *key)
if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
down_write_nested(&key->sem, 1);
if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags))
if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
notify_key(key, NOTIFY_KEY_INVALIDATED, 0);
key_schedule_gc_links();
}
up_write(&key->sem);
}
}
......
......@@ -37,7 +37,9 @@ static const unsigned char keyrings_capabilities[2] = {
KEYCTL_CAPS0_MOVE
),
[1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
KEYCTL_CAPS1_NS_KEY_TAG),
KEYCTL_CAPS1_NS_KEY_TAG |
(IS_ENABLED(CONFIG_KEY_NOTIFICATIONS) ? KEYCTL_CAPS1_NOTIFICATIONS : 0)
),
};
static int key_get_type_from_user(char *type,
......@@ -429,7 +431,7 @@ long keyctl_invalidate_key(key_serial_t id)
/* Root is permitted to invalidate certain special keys */
if (capable(CAP_SYS_ADMIN)) {
key_ref = lookup_user_key(id, 0, 0);
key_ref = lookup_user_key(id, 0, KEY_SYSADMIN_OVERRIDE);
if (IS_ERR(key_ref))
goto error;
if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
......@@ -474,7 +476,8 @@ long keyctl_keyring_clear(key_serial_t ringid)
/* Root is permitted to invalidate certain special keyrings */
if (capable(CAP_SYS_ADMIN)) {
keyring_ref = lookup_user_key(ringid, 0, 0);
keyring_ref = lookup_user_key(ringid, 0,
KEY_SYSADMIN_OVERRIDE);
if (IS_ERR(keyring_ref))
goto error;
if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
......@@ -558,7 +561,7 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
goto error;
}
key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0);
key_ref = lookup_user_key(id, KEY_LOOKUP_PARTIAL, KEY_NEED_UNLINK);
if (IS_ERR(key_ref)) {
ret = PTR_ERR(key_ref);
goto error2;
......@@ -658,7 +661,7 @@ long keyctl_describe_key(key_serial_t keyid,
key_put(instkey);
key_ref = lookup_user_key(keyid,
KEY_LOOKUP_PARTIAL,
0);
KEY_AUTHTOKEN_OVERRIDE);
if (!IS_ERR(key_ref))
goto okay;
}
......@@ -828,7 +831,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
size_t key_data_len;
/* find the key first */
key_ref = lookup_user_key(keyid, 0, 0);
key_ref = lookup_user_key(keyid, 0, KEY_DEFER_PERM_CHECK);
if (IS_ERR(key_ref)) {
ret = -ENOKEY;
goto out;
......@@ -1036,6 +1039,7 @@ long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
if (group != (gid_t) -1)
key->gid = gid;
notify_key(key, NOTIFY_KEY_SETATTR, 0);
ret = 0;
error_put:
......@@ -1086,6 +1090,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
/* if we're not the sysadmin, we can only change a key that we own */
if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) {
key->perm = perm;
notify_key(key, NOTIFY_KEY_SETATTR, 0);
ret = 0;
}
......@@ -1461,7 +1466,7 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
key_put(instkey);
key_ref = lookup_user_key(id,
KEY_LOOKUP_PARTIAL,
0);
KEY_AUTHTOKEN_OVERRIDE);
if (!IS_ERR(key_ref))
goto okay;
}
......@@ -1474,10 +1479,12 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
okay:
key = key_ref_to_ptr(key_ref);
ret = 0;
if (test_bit(KEY_FLAG_KEEP, &key->flags))
if (test_bit(KEY_FLAG_KEEP, &key->flags)) {
ret = -EPERM;
else
} else {
key_set_timeout(key, timeout);
notify_key(key, NOTIFY_KEY_SETATTR, 0);
}
key_put(key);
error:
......@@ -1567,7 +1574,8 @@ long keyctl_get_security(key_serial_t keyid,
return PTR_ERR(instkey);
key_put(instkey);
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0);
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL,
KEY_AUTHTOKEN_OVERRIDE);
if (IS_ERR(key_ref))
return PTR_ERR(key_ref);
}
......@@ -1751,6 +1759,90 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
return ret;
}
#ifdef CONFIG_KEY_NOTIFICATIONS
/*
* Watch for changes to a key.
*
* The caller must have View permission to watch a key or keyring.
*/
long keyctl_watch_key(key_serial_t id, int watch_queue_fd, int watch_id)
{
struct watch_queue *wqueue;
struct watch_list *wlist = NULL;
struct watch *watch = NULL;
struct key *key;
key_ref_t key_ref;
long ret;
if (watch_id < -1 || watch_id > 0xff)
return -EINVAL;
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_VIEW);
if (IS_ERR(key_ref))
return PTR_ERR(key_ref);
key = key_ref_to_ptr(key_ref);
wqueue = get_watch_queue(watch_queue_fd);
if (IS_ERR(wqueue)) {
ret = PTR_ERR(wqueue);
goto err_key;
}
if (watch_id >= 0) {
ret = -ENOMEM;
if (!key->watchers) {
wlist = kzalloc(sizeof(*wlist), GFP_KERNEL);
if (!wlist)
goto err_wqueue;
init_watch_list(wlist, NULL);
}
watch = kzalloc(sizeof(*watch), GFP_KERNEL);
if (!watch)
goto err_wlist;
init_watch(watch, wqueue);
watch->id = key->serial;
watch->info_id = (u32)watch_id << WATCH_INFO_ID__SHIFT;
ret = security_watch_key(key);
if (ret < 0)
goto err_watch;
down_write(&key->sem);
if (!key->watchers) {
key->watchers = wlist;
wlist = NULL;
}
ret = add_watch_to_object(watch, key->watchers);
up_write(&key->sem);
if (ret == 0)
watch = NULL;
} else {
ret = -EBADSLT;
if (key->watchers) {
down_write(&key->sem);
ret = remove_watch_from_object(key->watchers,
wqueue, key_serial(key),
false);
up_write(&key->sem);
}
}
err_watch:
kfree(watch);
err_wlist:
kfree(wlist);
err_wqueue:
put_watch_queue(wqueue);
err_key:
key_put(key);
return ret;
}
#endif /* CONFIG_KEY_NOTIFICATIONS */
/*
* Get keyrings subsystem capabilities.
*/
......@@ -1920,6 +2012,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
case KEYCTL_CAPABILITIES:
return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3);
case KEYCTL_WATCH_KEY:
return keyctl_watch_key((key_serial_t)arg2, (int)arg3, (int)arg4);
default:
return -EOPNOTSUPP;
}
......
......@@ -1056,12 +1056,14 @@ int keyring_restrict(key_ref_t keyring_ref, const char *type,
down_write(&keyring->sem);
down_write(&keyring_serialise_restrict_sem);
if (keyring->restrict_link)
if (keyring->restrict_link) {
ret = -EEXIST;
else if (keyring_detect_restriction_cycle(keyring, restrict_link))
} else if (keyring_detect_restriction_cycle(keyring, restrict_link)) {
ret = -EDEADLK;
else
} else {
keyring->restrict_link = restrict_link;
notify_key(keyring, NOTIFY_KEY_SETATTR, 0);
}
up_write(&keyring_serialise_restrict_sem);
up_write(&keyring->sem);
......@@ -1362,12 +1364,14 @@ int __key_link_check_live_key(struct key *keyring, struct key *key)
* holds at most one link to any given key of a particular type+description
* combination.
*/
void __key_link(struct key *key, struct assoc_array_edit **_edit)
void __key_link(struct key *keyring, struct key *key,
struct assoc_array_edit **_edit)
{
__key_get(key);
assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
assoc_array_apply_edit(*_edit);
*_edit = NULL;
notify_key(keyring, NOTIFY_KEY_LINKED, key_serial(key));
}
/*
......@@ -1451,7 +1455,7 @@ int key_link(struct key *keyring, struct key *key)
if (ret == 0)
ret = __key_link_check_live_key(keyring, key);
if (ret == 0)
__key_link(key, &edit);
__key_link(keyring, key, &edit);
error_end:
__key_link_end(keyring, &key->index_key, edit);
......@@ -1483,7 +1487,7 @@ static int __key_unlink_begin(struct key *keyring, struct key *key,
struct assoc_array_edit *edit;
BUG_ON(*_edit != NULL);
edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
&key->index_key);
if (IS_ERR(edit))
......@@ -1503,6 +1507,7 @@ static void __key_unlink(struct key *keyring, struct key *key,
struct assoc_array_edit **_edit)
{
assoc_array_apply_edit(*_edit);
notify_key(keyring, NOTIFY_KEY_UNLINKED, key_serial(key));
*_edit = NULL;
key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
}
......@@ -1621,7 +1626,7 @@ int key_move(struct key *key,
goto error;
__key_unlink(from_keyring, key, &from_edit);
__key_link(key, &to_edit);
__key_link(to_keyring, key, &to_edit);
error:
__key_link_end(to_keyring, &key->index_key, to_edit);
__key_unlink_end(from_keyring, key, from_edit);
......@@ -1655,6 +1660,7 @@ int keyring_clear(struct key *keyring)
} else {
if (edit)
assoc_array_apply_edit(edit);
notify_key(keyring, NOTIFY_KEY_CLEARED, 0);
key_payload_reserve(keyring, 0);
ret = 0;
}
......
......@@ -13,7 +13,7 @@
* key_task_permission - Check a key can be used
* @key_ref: The key to check.
* @cred: The credentials to use.
* @perm: The permissions to check for.
* @need_perm: The permission required.
*
* Check to see whether permission is granted to use a key in the desired way,
* but permit the security modules to override.
......@@ -24,12 +24,30 @@
* permissions bits or the LSM check.
*/
int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
unsigned perm)
enum key_need_perm need_perm)
{
struct key *key;
key_perm_t kperm;
key_perm_t kperm, mask;
int ret;
switch (need_perm) {
default:
WARN_ON(1);
return -EACCES;
case KEY_NEED_UNLINK:
case KEY_SYSADMIN_OVERRIDE:
case KEY_AUTHTOKEN_OVERRIDE:
case KEY_DEFER_PERM_CHECK:
goto lsm;
case KEY_NEED_VIEW: mask = KEY_OTH_VIEW; break;
case KEY_NEED_READ: mask = KEY_OTH_READ; break;
case KEY_NEED_WRITE: mask = KEY_OTH_WRITE; break;
case KEY_NEED_SEARCH: mask = KEY_OTH_SEARCH; break;
case KEY_NEED_LINK: mask = KEY_OTH_LINK; break;
case KEY_NEED_SETATTR: mask = KEY_OTH_SETATTR; break;
}
key = key_ref_to_ptr(key_ref);
/* use the second 8-bits of permissions for keys the caller owns */
......@@ -64,13 +82,12 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
if (is_key_possessed(key_ref))
kperm |= key->perm >> 24;
kperm = kperm & perm & KEY_NEED_ALL;
if (kperm != perm)
if ((kperm & mask) != mask)
return -EACCES;
/* let LSM be the final arbiter */
return security_key_permission(key_ref, cred, perm);
lsm:
return security_key_permission(key_ref, cred, need_perm);
}
EXPORT_SYMBOL(key_task_permission);
......
......@@ -609,7 +609,7 @@ bool lookup_user_key_possessed(const struct key *key,
* returned key reference.
*/
key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
key_perm_t perm)
enum key_need_perm need_perm)
{
struct keyring_search_context ctx = {
.match_data.cmp = lookup_user_key_possessed,
......@@ -773,35 +773,33 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
/* unlink does not use the nominated key in any way, so can skip all
* the permission checks as it is only concerned with the keyring */
if (lflags & KEY_LOOKUP_FOR_UNLINK) {
ret = 0;
goto error;
}
if (!(lflags & KEY_LOOKUP_PARTIAL)) {
ret = wait_for_key_construction(key, true);
switch (ret) {
case -ERESTARTSYS:
goto invalid_key;
default:
if (perm)
if (need_perm != KEY_NEED_UNLINK) {
if (!(lflags & KEY_LOOKUP_PARTIAL)) {
ret = wait_for_key_construction(key, true);
switch (ret) {
case -ERESTARTSYS:
goto invalid_key;
default:
if (need_perm != KEY_AUTHTOKEN_OVERRIDE &&
need_perm != KEY_DEFER_PERM_CHECK)
goto invalid_key;
case 0:
break;
}
} else if (need_perm != KEY_DEFER_PERM_CHECK) {
ret = key_validate(key);
if (ret < 0)
goto invalid_key;
case 0:
break;
}
} else if (perm) {
ret = key_validate(key);
if (ret < 0)
ret = -EIO;
if (!(lflags & KEY_LOOKUP_PARTIAL) &&
key_read_state(key) == KEY_IS_UNINSTANTIATED)
goto invalid_key;
}
ret = -EIO;
if (!(lflags & KEY_LOOKUP_PARTIAL) &&
key_read_state(key) == KEY_IS_UNINSTANTIATED)
goto invalid_key;
/* check the permissions */
ret = key_task_permission(key_ref, ctx.cred, perm);
ret = key_task_permission(key_ref, ctx.cred, need_perm);
if (ret < 0)
goto invalid_key;
......
......@@ -418,7 +418,7 @@ static int construct_alloc_key(struct keyring_search_context *ctx,
goto key_already_present;
if (dest_keyring)
__key_link(key, &edit);
__key_link(dest_keyring, key, &edit);
mutex_unlock(&key_construction_mutex);
if (dest_keyring)
......@@ -437,7 +437,7 @@ static int construct_alloc_key(struct keyring_search_context *ctx,
if (dest_keyring) {
ret = __key_link_check_live_key(dest_keyring, key);
if (ret == 0)
__key_link(key, &edit);
__key_link(dest_keyring, key, &edit);
__key_link_end(dest_keyring, &ctx->index_key, edit);
if (ret < 0)
goto link_check_failed;
......
......@@ -2030,6 +2030,22 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
}
EXPORT_SYMBOL(security_inode_getsecctx);
#ifdef CONFIG_WATCH_QUEUE
int security_post_notification(const struct cred *w_cred,
const struct cred *cred,
struct watch_notification *n)
{
return call_int_hook(post_notification, 0, w_cred, cred, n);
}
#endif /* CONFIG_WATCH_QUEUE */
#ifdef CONFIG_KEY_NOTIFICATIONS
int security_watch_key(struct key *key)
{
return call_int_hook(watch_key, 0, key);
}
#endif
#ifdef CONFIG_SECURITY_NETWORK
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
......@@ -2405,10 +2421,10 @@ void security_key_free(struct key *key)
call_void_hook(key_free, key);
}
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm)
int security_key_permission(key_ref_t key_ref, const struct cred *cred,
enum key_need_perm need_perm)
{
return call_int_hook(key_permission, 0, key_ref, cred, perm);
return call_int_hook(key_permission, 0, key_ref, cred, need_perm);
}
int security_key_getsecurity(struct key *key, char **_buffer)
......
......@@ -6559,20 +6559,43 @@ static void selinux_key_free(struct key *k)
static int selinux_key_permission(key_ref_t key_ref,
const struct cred *cred,
unsigned perm)
enum key_need_perm need_perm)
{
struct key *key;
struct key_security_struct *ksec;
u32 sid;
u32 perm, sid;
/* if no specific permissions are requested, we skip the
permission check. No serious, additional covert channels
appear to be created. */
if (perm == 0)
switch (need_perm) {
case KEY_NEED_VIEW:
perm = KEY__VIEW;
break;
case KEY_NEED_READ:
perm = KEY__READ;
break;
case KEY_NEED_WRITE:
perm = KEY__WRITE;
break;
case KEY_NEED_SEARCH:
perm = KEY__SEARCH;
break;
case KEY_NEED_LINK:
perm = KEY__LINK;
break;
case KEY_NEED_SETATTR:
perm = KEY__SETATTR;
break;
case KEY_NEED_UNLINK:
case KEY_SYSADMIN_OVERRIDE:
case KEY_AUTHTOKEN_OVERRIDE:
case KEY_DEFER_PERM_CHECK:
return 0;
default:
WARN_ON(1);
return -EPERM;
sid = cred_sid(cred);
}
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
ksec = key->security;
......@@ -6594,6 +6617,17 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
*_buffer = context;
return rc;
}
#ifdef CONFIG_KEY_NOTIFICATIONS
static int selinux_watch_key(struct key *key)
{
struct key_security_struct *ksec = key->security;
u32 sid = current_sid();
return avc_has_perm(&selinux_state,
sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
}
#endif
#endif
#ifdef CONFIG_SECURITY_INFINIBAND
......@@ -7109,6 +7143,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(key_free, selinux_key_free),
LSM_HOOK_INIT(key_permission, selinux_key_permission),
LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
#ifdef CONFIG_KEY_NOTIFICATIONS
LSM_HOOK_INIT(watch_key, selinux_watch_key),
#endif
#endif
#ifdef CONFIG_AUDIT
......
......@@ -41,6 +41,7 @@
#include <linux/parser.h>
#include <linux/fs_context.h>
#include <linux/fs_parser.h>
#include <linux/watch_queue.h>
#include "smack.h"
#define TRANS_TRUE "TRUE"
......@@ -4213,13 +4214,14 @@ static void smack_key_free(struct key *key)
* smack_key_permission - Smack access on a key
* @key_ref: gets to the object
* @cred: the credentials to use
* @perm: requested key permissions
* @need_perm: requested key permission
*
* Return 0 if the task has read and write to the object,
* an error code otherwise
*/
static int smack_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm)
const struct cred *cred,
enum key_need_perm need_perm)
{
struct key *keyp;
struct smk_audit_info ad;
......@@ -4230,8 +4232,26 @@ static int smack_key_permission(key_ref_t key_ref,
/*
* Validate requested permissions
*/
if (perm & ~KEY_NEED_ALL)
switch (need_perm) {
case KEY_NEED_READ:
case KEY_NEED_SEARCH:
case KEY_NEED_VIEW:
request |= MAY_READ;
break;
case KEY_NEED_WRITE:
case KEY_NEED_LINK:
case KEY_NEED_SETATTR:
request |= MAY_WRITE;
break;
case KEY_NEED_UNSPECIFIED:
case KEY_NEED_UNLINK:
case KEY_SYSADMIN_OVERRIDE:
case KEY_AUTHTOKEN_OVERRIDE:
case KEY_DEFER_PERM_CHECK:
return 0;
default:
return -EINVAL;
}
keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL)
......@@ -4248,7 +4268,7 @@ static int smack_key_permission(key_ref_t key_ref,
if (tkp == NULL)
return -EACCES;
if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
if (smack_privileged(CAP_MAC_OVERRIDE))
return 0;
#ifdef CONFIG_AUDIT
......@@ -4256,10 +4276,6 @@ static int smack_key_permission(key_ref_t key_ref,
ad.a.u.key_struct.key = keyp->serial;
ad.a.u.key_struct.key_desc = keyp->description;
#endif
if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
request |= MAY_READ;
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
request |= MAY_WRITE;
rc = smk_access(tkp, keyp->security, request, &ad);
rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
return rc;
......@@ -4294,8 +4310,81 @@ static int smack_key_getsecurity(struct key *key, char **_buffer)
return length;
}
#ifdef CONFIG_KEY_NOTIFICATIONS
/**
* smack_watch_key - Smack access to watch a key for notifications.
* @key: The key to be watched
*
* Return 0 if the @watch->cred has permission to read from the key object and
* an error otherwise.
*/
static int smack_watch_key(struct key *key)
{
struct smk_audit_info ad;
struct smack_known *tkp = smk_of_current();
int rc;
if (key == NULL)
return -EINVAL;
/*
* If the key hasn't been initialized give it access so that
* it may do so.
*/
if (key->security == NULL)
return 0;
/*
* This should not occur
*/
if (tkp == NULL)
return -EACCES;
if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred()))
return 0;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
ad.a.u.key_struct.key = key->serial;
ad.a.u.key_struct.key_desc = key->description;
#endif
rc = smk_access(tkp, key->security, MAY_READ, &ad);
rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc);
return rc;
}
#endif /* CONFIG_KEY_NOTIFICATIONS */
#endif /* CONFIG_KEYS */
#ifdef CONFIG_WATCH_QUEUE
/**
* smack_post_notification - Smack access to post a notification to a queue
* @w_cred: The credentials of the watcher.
* @cred: The credentials of the event source (may be NULL).
* @n: The notification message to be posted.
*/
static int smack_post_notification(const struct cred *w_cred,
const struct cred *cred,
struct watch_notification *n)
{
struct smk_audit_info ad;
struct smack_known *subj, *obj;
int rc;
/* Always let maintenance notifications through. */
if (n->type == WATCH_TYPE_META)
return 0;
if (!cred)
return 0;
subj = smk_of_task(smack_cred(cred));
obj = smk_of_task(smack_cred(w_cred));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION);
rc = smk_access(subj, obj, MAY_WRITE, &ad);
rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc);
return rc;
}
#endif /* CONFIG_WATCH_QUEUE */
/*
* Smack Audit hooks
*
......@@ -4684,8 +4773,15 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(key_free, smack_key_free),
LSM_HOOK_INIT(key_permission, smack_key_permission),
LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
#ifdef CONFIG_KEY_NOTIFICATIONS
LSM_HOOK_INIT(watch_key, smack_watch_key),
#endif
#endif /* CONFIG_KEYS */
#ifdef CONFIG_WATCH_QUEUE
LSM_HOOK_INIT(post_notification, smack_post_notification),
#endif
/* Audit hooks */
#ifdef CONFIG_AUDIT
LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment