projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blob
? search:


33384662fc82e2c4982bbc3df9b0861051132333
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / keys / process_keys.c
1 /* Manage a process's keyrings
2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <asm/uaccess.h>
22 #include "internal.h"
23
24 /* Session keyring create vs join semaphore */
25 static DEFINE_MUTEX(key_session_mutex);
26
27 /* User keyring creation semaphore */
28 static DEFINE_MUTEX(key_user_keyring_mutex);
29
30 /* The root user's tracking struct */
31 struct key_user root_key_user = {
32 .usage = ATOMIC_INIT(3),
33 .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock),
34 .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
35 .nkeys = ATOMIC_INIT(2),
36 .nikeys = ATOMIC_INIT(2),
37 .uid = GLOBAL_ROOT_UID,
38 };
39
40 /*
41 * Install the user and user session keyrings for the current process's UID.
42 */
43 int install_user_keyrings(void)
44 {
45 struct user_struct *user;
46 const struct cred *cred;
47 struct key *uid_keyring, *session_keyring;
48 key_perm_t user_keyring_perm;
49 char buf[20];
50 int ret;
51 uid_t uid;
52
53 user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
54 cred = current_cred();
55 user = cred->user;
56 uid = from_kuid(cred->user_ns, user->uid);
57
58 kenter("%p{%u}", user, uid);
59
60 if (user->uid_keyring && user->session_keyring) {
61 kleave(" = 0 [exist]");
62 return 0;
63 }
64
65 mutex_lock(&key_user_keyring_mutex);
66 ret = 0;
67
68 if (!user->uid_keyring) {
69 /* get the UID-specific keyring
70 * - there may be one in existence already as it may have been
71 * pinned by a session, but the user_struct pointing to it
72 * may have been destroyed by setuid */
73 sprintf(buf, "_uid.%u", uid);
74
75 uid_keyring = find_keyring_by_name(buf, true);
76 if (IS_ERR(uid_keyring)) {
77 uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
78 cred, user_keyring_perm,
79 KEY_ALLOC_IN_QUOTA, NULL);
80 if (IS_ERR(uid_keyring)) {
81 ret = PTR_ERR(uid_keyring);
82 goto error;
83 }
84 }
85
86 /* get a default session keyring (which might also exist
87 * already) */
88 sprintf(buf, "_uid_ses.%u", uid);
89
90 session_keyring = find_keyring_by_name(buf, true);
91 if (IS_ERR(session_keyring)) {
92 session_keyring =
93 keyring_alloc(buf, user->uid, INVALID_GID,
94 cred, user_keyring_perm,
95 KEY_ALLOC_IN_QUOTA, NULL);
96 if (IS_ERR(session_keyring)) {
97 ret = PTR_ERR(session_keyring);
98 goto error_release;
99 }
100
101 /* we install a link from the user session keyring to
102 * the user keyring */
103 ret = key_link(session_keyring, uid_keyring);
104 if (ret < 0)
105 goto error_release_both;
106 }
107
108 /* install the keyrings */
109 user->uid_keyring = uid_keyring;
110 user->session_keyring = session_keyring;
111 }
112
113 mutex_unlock(&key_user_keyring_mutex);
114 kleave(" = 0");
115 return 0;
116
117 error_release_both:
118 key_put(session_keyring);
119 error_release:
120 key_put(uid_keyring);
121 error:
122 mutex_unlock(&key_user_keyring_mutex);
123 kleave(" = %d", ret);
124 return ret;
125 }
126
127 /*
128 * Install a thread keyring to the given credentials struct if it didn't have
129 * one already. This is allowed to overrun the quota.
130 *
131 * Return: 0 if a thread keyring is now present; -errno on failure.
132 */
133 int install_thread_keyring_to_cred(struct cred *new)
134 {
135 struct key *keyring;
136
137 if (new->thread_keyring)
138 return 0;
139
140 keyring = keyring_alloc("_tid", new->uid, new->gid, new,
141 KEY_POS_ALL | KEY_USR_VIEW,
142 KEY_ALLOC_QUOTA_OVERRUN, NULL);
143 if (IS_ERR(keyring))
144 return PTR_ERR(keyring);
145
146 new->thread_keyring = keyring;
147 return 0;
148 }
149
150 /*
151 * Install a thread keyring to the current task if it didn't have one already.
152 *
153 * Return: 0 if a thread keyring is now present; -errno on failure.
154 */
155 static int install_thread_keyring(void)
156 {
157 struct cred *new;
158 int ret;
159
160 new = prepare_creds();
161 if (!new)
162 return -ENOMEM;
163
164 ret = install_thread_keyring_to_cred(new);
165 if (ret < 0) {
166 abort_creds(new);
167 return ret;
168 }
169
170 return commit_creds(new);
171 }
172
173 /*
174 * Install a process keyring to the given credentials struct if it didn't have
175 * one already. This is allowed to overrun the quota.
176 *
177 * Return: 0 if a process keyring is now present; -errno on failure.
178 */
179 int install_process_keyring_to_cred(struct cred *new)
180 {
181 struct key *keyring;
182
183 if (new->process_keyring)
184 return 0;
185
186 keyring = keyring_alloc("_pid", new->uid, new->gid, new,
187 KEY_POS_ALL | KEY_USR_VIEW,
188 KEY_ALLOC_QUOTA_OVERRUN, NULL);
189 if (IS_ERR(keyring))
190 return PTR_ERR(keyring);
191
192 new->process_keyring = keyring;
193 return 0;
194 }
195
196 /*
197 * Install a process keyring to the current task if it didn't have one already.
198 *
199 * Return: 0 if a process keyring is now present; -errno on failure.
200 */
201 static int install_process_keyring(void)
202 {
203 struct cred *new;
204 int ret;
205
206 new = prepare_creds();
207 if (!new)
208 return -ENOMEM;
209
210 ret = install_process_keyring_to_cred(new);
211 if (ret < 0) {
212 abort_creds(new);
213 return ret;
214 }
215
216 return commit_creds(new);
217 }
218
219 /*
220 * Install the given keyring as the session keyring of the given credentials
221 * struct, replacing the existing one if any. If the given keyring is NULL,
222 * then install a new anonymous session keyring.
223 *
224 * Return: 0 on success; -errno on failure.
225 */
226 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
227 {
228 unsigned long flags;
229 struct key *old;
230
231 might_sleep();
232
233 /* create an empty session keyring */
234 if (!keyring) {
235 flags = KEY_ALLOC_QUOTA_OVERRUN;
236 if (cred->session_keyring)
237 flags = KEY_ALLOC_IN_QUOTA;
238
239 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
240 KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
241 flags, NULL);
242 if (IS_ERR(keyring))
243 return PTR_ERR(keyring);
244 } else {
245 atomic_inc(&keyring->usage);
246 }
247
248 /* install the keyring */
249 old = cred->session_keyring;
250 rcu_assign_pointer(cred->session_keyring, keyring);
251
252 if (old)
253 key_put(old);
254
255 return 0;
256 }
257
258 /*
259 * Install the given keyring as the session keyring of the current task,
260 * replacing the existing one if any. If the given keyring is NULL, then
261 * install a new anonymous session keyring.
262 *
263 * Return: 0 on success; -errno on failure.
264 */
265 static int install_session_keyring(struct key *keyring)
266 {
267 struct cred *new;
268 int ret;
269
270 new = prepare_creds();
271 if (!new)
272 return -ENOMEM;
273
274 ret = install_session_keyring_to_cred(new, keyring);
275 if (ret < 0) {
276 abort_creds(new);
277 return ret;
278 }
279
280 return commit_creds(new);
281 }
282
283 /*
284 * Handle the fsuid changing.
285 */
286 void key_fsuid_changed(struct task_struct *tsk)
287 {
288 /* update the ownership of the thread keyring */
289 BUG_ON(!tsk->cred);
290 if (tsk->cred->thread_keyring) {
291 down_write(&tsk->cred->thread_keyring->sem);
292 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
293 up_write(&tsk->cred->thread_keyring->sem);
294 }
295 }
296
297 /*
298 * Handle the fsgid changing.
299 */
300 void key_fsgid_changed(struct task_struct *tsk)
301 {
302 /* update the ownership of the thread keyring */
303 BUG_ON(!tsk->cred);
304 if (tsk->cred->thread_keyring) {
305 down_write(&tsk->cred->thread_keyring->sem);
306 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
307 up_write(&tsk->cred->thread_keyring->sem);
308 }
309 }
310
311 /*
312 * Search the process keyrings attached to the supplied cred for the first
313 * matching key.
314 *
315 * The search criteria are the type and the match function. The description is
316 * given to the match function as a parameter, but doesn't otherwise influence
317 * the search. Typically the match function will compare the description
318 * parameter to the key's description.
319 *
320 * This can only search keyrings that grant Search permission to the supplied
321 * credentials. Keyrings linked to searched keyrings will also be searched if
322 * they grant Search permission too. Keys can only be found if they grant
323 * Search permission to the credentials.
324 *
325 * Returns a pointer to the key with the key usage count incremented if
326 * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
327 * matched negative keys.
328 *
329 * In the case of a successful return, the possession attribute is set on the
330 * returned key reference.
331 */
332 key_ref_t search_my_process_keyrings(struct key_type *type,
333 const void *description,
334 key_match_func_t match,
335 bool no_state_check,
336 const struct cred *cred)
337 {
338 key_ref_t key_ref, ret, err;
339
340 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
341 * searchable, but we failed to find a key or we found a negative key;
342 * otherwise we want to return a sample error (probably -EACCES) if
343 * none of the keyrings were searchable
344 *
345 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
346 */
347 key_ref = NULL;
348 ret = NULL;
349 err = ERR_PTR(-EAGAIN);
350
351 /* search the thread keyring first */
352 if (cred->thread_keyring) {
353 key_ref = keyring_search_aux(
354 make_key_ref(cred->thread_keyring, 1),
355 cred, type, description, match, no_state_check);
356 if (!IS_ERR(key_ref))
357 goto found;
358
359 switch (PTR_ERR(key_ref)) {
360 case -EAGAIN: /* no key */
361 case -ENOKEY: /* negative key */
362 ret = key_ref;
363 break;
364 default:
365 err = key_ref;
366 break;
367 }
368 }
369
370 /* search the process keyring second */
371 if (cred->process_keyring) {
372 key_ref = keyring_search_aux(
373 make_key_ref(cred->process_keyring, 1),
374 cred, type, description, match, no_state_check);
375 if (!IS_ERR(key_ref))
376 goto found;
377
378 switch (PTR_ERR(key_ref)) {
379 case -EAGAIN: /* no key */
380 if (ret)
381 break;
382 case -ENOKEY: /* negative key */
383 ret = key_ref;
384 break;
385 default:
386 err = key_ref;
387 break;
388 }
389 }
390
391 /* search the session keyring */
392 if (cred->session_keyring) {
393 rcu_read_lock();
394 key_ref = keyring_search_aux(
395 make_key_ref(rcu_dereference(cred->session_keyring), 1),
396 cred, type, description, match, no_state_check);
397 rcu_read_unlock();
398
399 if (!IS_ERR(key_ref))
400 goto found;
401
402 switch (PTR_ERR(key_ref)) {
403 case -EAGAIN: /* no key */
404 if (ret)
405 break;
406 case -ENOKEY: /* negative key */
407 ret = key_ref;
408 break;
409 default:
410 err = key_ref;
411 break;
412 }
413 }
414 /* or search the user-session keyring */
415 else if (cred->user->session_keyring) {
416 key_ref = keyring_search_aux(
417 make_key_ref(cred->user->session_keyring, 1),
418 cred, type, description, match, no_state_check);
419 if (!IS_ERR(key_ref))
420 goto found;
421
422 switch (PTR_ERR(key_ref)) {
423 case -EAGAIN: /* no key */
424 if (ret)
425 break;
426 case -ENOKEY: /* negative key */
427 ret = key_ref;
428 break;
429 default:
430 err = key_ref;
431 break;
432 }
433 }
434
435 /* no key - decide on the error we're going to go for */
436 key_ref = ret ? ret : err;
437
438 found:
439 return key_ref;
440 }
441
442 /*
443 * Search the process keyrings attached to the supplied cred for the first
444 * matching key in the manner of search_my_process_keyrings(), but also search
445 * the keys attached to the assumed authorisation key using its credentials if
446 * one is available.
447 *
448 * Return same as search_my_process_keyrings().
449 */
450 key_ref_t search_process_keyrings(struct key_type *type,
451 const void *description,
452 key_match_func_t match,
453 const struct cred *cred)
454 {
455 struct request_key_auth *rka;
456 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
457
458 might_sleep();
459
460 key_ref = search_my_process_keyrings(type, description, match,
461 false, cred);
462 if (!IS_ERR(key_ref))
463 goto found;
464 err = key_ref;
465
466 /* if this process has an instantiation authorisation key, then we also
467 * search the keyrings of the process mentioned there
468 * - we don't permit access to request_key auth keys via this method
469 */
470 if (cred->request_key_auth &&
471 cred == current_cred() &&
472 type != &key_type_request_key_auth
473 ) {
474 /* defend against the auth key being revoked */
475 down_read(&cred->request_key_auth->sem);
476
477 if (key_validate(cred->request_key_auth) == 0) {
478 rka = cred->request_key_auth->payload.data;
479
480 key_ref = search_process_keyrings(type, description,
481 match, rka->cred);
482
483 up_read(&cred->request_key_auth->sem);
484
485 if (!IS_ERR(key_ref))
486 goto found;
487
488 ret = key_ref;
489 } else {
490 up_read(&cred->request_key_auth->sem);
491 }
492 }
493
494 /* no key - decide on the error we're going to go for */
495 if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
496 key_ref = ERR_PTR(-ENOKEY);
497 else if (err == ERR_PTR(-EACCES))
498 key_ref = ret;
499 else
500 key_ref = err;
501
502 found:
503 return key_ref;
504 }
505
506 /*
507 * See if the key we're looking at is the target key.
508 */
509 int lookup_user_key_possessed(const struct key *key, const void *target)
510 {
511 return key == target;
512 }
513
514 /*
515 * Look up a key ID given us by userspace with a given permissions mask to get
516 * the key it refers to.
517 *
518 * Flags can be passed to request that special keyrings be created if referred
519 * to directly, to permit partially constructed keys to be found and to skip
520 * validity and permission checks on the found key.
521 *
522 * Returns a pointer to the key with an incremented usage count if successful;
523 * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
524 * to a key or the best found key was a negative key; -EKEYREVOKED or
525 * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
526 * found key doesn't grant the requested permit or the LSM denied access to it;
527 * or -ENOMEM if a special keyring couldn't be created.
528 *
529 * In the case of a successful return, the possession attribute is set on the
530 * returned key reference.
531 */
532 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
533 key_perm_t perm)
534 {
535 struct request_key_auth *rka;
536 const struct cred *cred;
537 struct key *key;
538 key_ref_t key_ref, skey_ref;
539 int ret;
540
541 try_again:
542 cred = get_current_cred();
543 key_ref = ERR_PTR(-ENOKEY);
544
545 switch (id) {
546 case KEY_SPEC_THREAD_KEYRING:
547 if (!cred->thread_keyring) {
548 if (!(lflags & KEY_LOOKUP_CREATE))
549 goto error;
550
551 ret = install_thread_keyring();
552 if (ret < 0) {
553 key_ref = ERR_PTR(ret);
554 goto error;
555 }
556 goto reget_creds;
557 }
558
559 key = cred->thread_keyring;
560 atomic_inc(&key->usage);
561 key_ref = make_key_ref(key, 1);
562 break;
563
564 case KEY_SPEC_PROCESS_KEYRING:
565 if (!cred->process_keyring) {
566 if (!(lflags & KEY_LOOKUP_CREATE))
567 goto error;
568
569 ret = install_process_keyring();
570 if (ret < 0) {
571 key_ref = ERR_PTR(ret);
572 goto error;
573 }
574 goto reget_creds;
575 }
576
577 key = cred->process_keyring;
578 atomic_inc(&key->usage);
579 key_ref = make_key_ref(key, 1);
580 break;
581
582 case KEY_SPEC_SESSION_KEYRING:
583 if (!cred->session_keyring) {
584 /* always install a session keyring upon access if one
585 * doesn't exist yet */
586 ret = install_user_keyrings();
587 if (ret < 0)
588 goto error;
589 if (lflags & KEY_LOOKUP_CREATE)
590 ret = join_session_keyring(NULL);
591 else
592 ret = install_session_keyring(
593 cred->user->session_keyring);
594
595 if (ret < 0)
596 goto error;
597 goto reget_creds;
598 } else if (cred->session_keyring ==
599 cred->user->session_keyring &&
600 lflags & KEY_LOOKUP_CREATE) {
601 ret = join_session_keyring(NULL);
602 if (ret < 0)
603 goto error;
604 goto reget_creds;
605 }
606
607 rcu_read_lock();
608 key = rcu_dereference(cred->session_keyring);
609 atomic_inc(&key->usage);
610 rcu_read_unlock();
611 key_ref = make_key_ref(key, 1);
612 break;
613
614 case KEY_SPEC_USER_KEYRING:
615 if (!cred->user->uid_keyring) {
616 ret = install_user_keyrings();
617 if (ret < 0)
618 goto error;
619 }
620
621 key = cred->user->uid_keyring;
622 atomic_inc(&key->usage);
623 key_ref = make_key_ref(key, 1);
624 break;
625
626 case KEY_SPEC_USER_SESSION_KEYRING:
627 if (!cred->user->session_keyring) {
628 ret = install_user_keyrings();
629 if (ret < 0)
630 goto error;
631 }
632
633 key = cred->user->session_keyring;
634 atomic_inc(&key->usage);
635 key_ref = make_key_ref(key, 1);
636 break;
637
638 case KEY_SPEC_GROUP_KEYRING:
639 /* group keyrings are not yet supported */
640 key_ref = ERR_PTR(-EINVAL);
641 goto error;
642
643 case KEY_SPEC_REQKEY_AUTH_KEY:
644 key = cred->request_key_auth;
645 if (!key)
646 goto error;
647
648 atomic_inc(&key->usage);
649 key_ref = make_key_ref(key, 1);
650 break;
651
652 case KEY_SPEC_REQUESTOR_KEYRING:
653 if (!cred->request_key_auth)
654 goto error;
655
656 down_read(&cred->request_key_auth->sem);
657 if (test_bit(KEY_FLAG_REVOKED,
658 &cred->request_key_auth->flags)) {
659 key_ref = ERR_PTR(-EKEYREVOKED);
660 key = NULL;
661 } else {
662 rka = cred->request_key_auth->payload.data;
663 key = rka->dest_keyring;
664 atomic_inc(&key->usage);
665 }
666 up_read(&cred->request_key_auth->sem);
667 if (!key)
668 goto error;
669 key_ref = make_key_ref(key, 1);
670 break;
671
672 default:
673 key_ref = ERR_PTR(-EINVAL);
674 if (id < 1)
675 goto error;
676
677 key = key_lookup(id);
678 if (IS_ERR(key)) {
679 key_ref = ERR_CAST(key);
680 goto error;
681 }
682
683 key_ref = make_key_ref(key, 0);
684
685 /* check to see if we possess the key */
686 skey_ref = search_process_keyrings(key->type, key,
687 lookup_user_key_possessed,
688 cred);
689
690 if (!IS_ERR(skey_ref)) {
691 key_put(key);
692 key_ref = skey_ref;
693 }
694
695 break;
696 }
697
698 /* unlink does not use the nominated key in any way, so can skip all
699 * the permission checks as it is only concerned with the keyring */
700 if (lflags & KEY_LOOKUP_FOR_UNLINK) {
701 ret = 0;
702 goto error;
703 }
704
705 if (!(lflags & KEY_LOOKUP_PARTIAL)) {
706 ret = wait_for_key_construction(key, true);
707 switch (ret) {
708 case -ERESTARTSYS:
709 goto invalid_key;
710 default:
711 if (perm)
712 goto invalid_key;
713 case 0:
714 break;
715 }
716 } else if (perm) {
717 ret = key_validate(key);
718 if (ret < 0)
719 goto invalid_key;
720 }
721
722 ret = -EIO;
723 if (!(lflags & KEY_LOOKUP_PARTIAL) &&
724 !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
725 goto invalid_key;
726
727 /* check the permissions */
728 ret = key_task_permission(key_ref, cred, perm);
729 if (ret < 0)
730 goto invalid_key;
731
732 key->last_used_at = current_kernel_time().tv_sec;
733
734 error:
735 put_cred(cred);
736 return key_ref;
737
738 invalid_key:
739 key_ref_put(key_ref);
740 key_ref = ERR_PTR(ret);
741 goto error;
742
743 /* if we attempted to install a keyring, then it may have caused new
744 * creds to be installed */
745 reget_creds:
746 put_cred(cred);
747 goto try_again;
748 }
749
750 /*
751 * Join the named keyring as the session keyring if possible else attempt to
752 * create a new one of that name and join that.
753 *
754 * If the name is NULL, an empty anonymous keyring will be installed as the
755 * session keyring.
756 *
757 * Named session keyrings are joined with a semaphore held to prevent the
758 * keyrings from going away whilst the attempt is made to going them and also
759 * to prevent a race in creating compatible session keyrings.
760 */
761 long join_session_keyring(const char *name)
762 {
763 const struct cred *old;
764 struct cred *new;
765 struct key *keyring;
766 long ret, serial;
767
768 new = prepare_creds();
769 if (!new)
770 return -ENOMEM;
771 old = current_cred();
772
773 /* if no name is provided, install an anonymous keyring */
774 if (!name) {
775 ret = install_session_keyring_to_cred(new, NULL);
776 if (ret < 0)
777 goto error;
778
779 serial = new->session_keyring->serial;
780 ret = commit_creds(new);
781 if (ret == 0)
782 ret = serial;
783 goto okay;
784 }
785
786 /* allow the user to join or create a named keyring */
787 mutex_lock(&key_session_mutex);
788
789 /* look for an existing keyring of this name */
790 keyring = find_keyring_by_name(name, false);
791 if (PTR_ERR(keyring) == -ENOKEY) {
792 /* not found - try and create a new one */
793 keyring = keyring_alloc(
794 name, old->uid, old->gid, old,
795 KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
796 KEY_ALLOC_IN_QUOTA, NULL);
797 if (IS_ERR(keyring)) {
798 ret = PTR_ERR(keyring);
799 goto error2;
800 }
801 } else if (IS_ERR(keyring)) {
802 ret = PTR_ERR(keyring);
803 goto error2;
804 } else if (keyring == new->session_keyring) {
805 key_put(keyring);
806 ret = 0;
807 goto error2;
808 }
809
810 /* we've got a keyring - now to install it */
811 ret = install_session_keyring_to_cred(new, keyring);
812 if (ret < 0)
813 goto error2;
814
815 commit_creds(new);
816 mutex_unlock(&key_session_mutex);
817
818 ret = keyring->serial;
819 key_put(keyring);
820 okay:
821 return ret;
822
823 error2:
824 mutex_unlock(&key_session_mutex);
825 error:
826 abort_creds(new);
827 return ret;
828 }
829
830 /*
831 * Replace a process's session keyring on behalf of one of its children when
832 * the target process is about to resume userspace execution.
833 */
834 void key_change_session_keyring(struct callback_head *twork)
835 {
836 const struct cred *old = current_cred();
837 struct cred *new = container_of(twork, struct cred, rcu);
838
839 if (unlikely(current->flags & PF_EXITING)) {
840 put_cred(new);
841 return;
842 }
843
844 new-> uid = old-> uid;
845 new-> euid = old-> euid;
846 new-> suid = old-> suid;
847 new->fsuid = old->fsuid;
848 new-> gid = old-> gid;
849 new-> egid = old-> egid;
850 new-> sgid = old-> sgid;
851 new->fsgid = old->fsgid;
852 new->user = get_uid(old->user);
853 new->user_ns = get_user_ns(old->user_ns);
854 new->group_info = get_group_info(old->group_info);
855
856 new->securebits = old->securebits;
857 new->cap_inheritable = old->cap_inheritable;
858 new->cap_permitted = old->cap_permitted;
859 new->cap_effective = old->cap_effective;
860 new->cap_bset = old->cap_bset;
861
862 new->jit_keyring = old->jit_keyring;
863 new->thread_keyring = key_get(old->thread_keyring);
864 new->process_keyring = key_get(old->process_keyring);
865
866 security_transfer_creds(new, old);
867
868 commit_creds(new);
869 }
kernel source for telekom puls (alcatel/mediatek)