1 /* key.h: authentication token and access key management 2 * 3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells ([email protected]) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 * 11 * 12 * See Documentation/keys.txt for information on keys/keyrings. 13 */ 14 15 #ifndef _LINUX_KEY_H 16 #define _LINUX_KEY_H 17 18 #include <linux/types.h> 19 #include <linux/list.h> 20 #include <linux/rbtree.h> 21 #include <linux/rcupdate.h> 22 #include <asm/atomic.h> 23 24 #ifdef __KERNEL__ 25 26 /* key handle serial number */ 27 typedef int32_t key_serial_t; 28 29 /* key handle permissions mask */ 30 typedef uint32_t key_perm_t; 31 32 struct key; 33 34 #ifdef CONFIG_KEYS 35 36 #undef KEY_DEBUGGING 37 38 #define KEY_POS_VIEW 0x01000000 /* possessor can view a key's attributes */ 39 #define KEY_POS_READ 0x02000000 /* possessor can read key payload / view keyring */ 40 #define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */ 41 #define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */ 42 #define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */ 43 #define KEY_POS_ALL 0x1f000000 44 45 #define KEY_USR_VIEW 0x00010000 /* user permissions... */ 46 #define KEY_USR_READ 0x00020000 47 #define KEY_USR_WRITE 0x00040000 48 #define KEY_USR_SEARCH 0x00080000 49 #define KEY_USR_LINK 0x00100000 50 #define KEY_USR_ALL 0x001f0000 51 52 #define KEY_GRP_VIEW 0x00000100 /* group permissions... */ 53 #define KEY_GRP_READ 0x00000200 54 #define KEY_GRP_WRITE 0x00000400 55 #define KEY_GRP_SEARCH 0x00000800 56 #define KEY_GRP_LINK 0x00001000 57 #define KEY_GRP_ALL 0x00001f00 58 59 #define KEY_OTH_VIEW 0x00000001 /* third party permissions... */ 60 #define KEY_OTH_READ 0x00000002 61 #define KEY_OTH_WRITE 0x00000004 62 #define KEY_OTH_SEARCH 0x00000008 63 #define KEY_OTH_LINK 0x00000010 64 #define KEY_OTH_ALL 0x0000001f 65 66 struct seq_file; 67 struct user_struct; 68 struct signal_struct; 69 70 struct key_type; 71 struct key_owner; 72 struct keyring_list; 73 struct keyring_name; 74 75 /*****************************************************************************/ 76 /* 77 * key reference with possession attribute handling 78 * 79 * NOTE! key_ref_t is a typedef'd pointer to a type that is not actually 80 * defined. This is because we abuse the bottom bit of the reference to carry a 81 * flag to indicate whether the calling process possesses that key in one of 82 * its keyrings. 83 * 84 * the key_ref_t has been made a separate type so that the compiler can reject 85 * attempts to dereference it without proper conversion. 86 * 87 * the three functions are used to assemble and disassemble references 88 */ 89 typedef struct __key_reference_with_attributes *key_ref_t; 90 91 static inline key_ref_t make_key_ref(const struct key *key, 92 unsigned long possession) 93 { 94 return (key_ref_t) ((unsigned long) key | possession); 95 } 96 97 static inline struct key *key_ref_to_ptr(const key_ref_t key_ref) 98 { 99 return (struct key *) ((unsigned long) key_ref & ~1UL); 100 } 101 102 static inline unsigned long is_key_possessed(const key_ref_t key_ref) 103 { 104 return (unsigned long) key_ref & 1UL; 105 } 106 107 /*****************************************************************************/ 108 /* 109 * authentication token / access credential / keyring 110 * - types of key include: 111 * - keyrings 112 * - disk encryption IDs 113 * - Kerberos TGTs and tickets 114 */ 115 struct key { 116 atomic_t usage; /* number of references */ 117 key_serial_t serial; /* key serial number */ 118 struct rb_node serial_node; 119 struct key_type *type; /* type of key */ 120 struct rw_semaphore sem; /* change vs change sem */ 121 struct key_user *user; /* owner of this key */ 122 time_t expiry; /* time at which key expires (or 0) */ 123 uid_t uid; 124 gid_t gid; 125 key_perm_t perm; /* access permissions */ 126 unsigned short quotalen; /* length added to quota */ 127 unsigned short datalen; /* payload data length 128 * - may not match RCU dereferenced payload 129 * - payload should contain own length 130 */ 131 132 #ifdef KEY_DEBUGGING 133 unsigned magic; 134 #define KEY_DEBUG_MAGIC 0x18273645u 135 #define KEY_DEBUG_MAGIC_X 0xf8e9dacbu 136 #endif 137 138 unsigned long flags; /* status flags (change with bitops) */ 139 #define KEY_FLAG_INSTANTIATED 0 /* set if key has been instantiated */ 140 #define KEY_FLAG_DEAD 1 /* set if key type has been deleted */ 141 #define KEY_FLAG_REVOKED 2 /* set if key had been revoked */ 142 #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ 143 #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ 144 #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ 145 146 /* the description string 147 * - this is used to match a key against search criteria 148 * - this should be a printable string 149 * - eg: for krb5 AFS, this might be "[email protected]" 150 */ 151 char *description; 152 153 /* type specific data 154 * - this is used by the keyring type to index the name 155 */ 156 union { 157 struct list_head link; 158 } type_data; 159 160 /* key data 161 * - this is used to hold the data actually used in cryptography or 162 * whatever 163 */ 164 union { 165 unsigned long value; 166 void *data; 167 struct keyring_list *subscriptions; 168 } payload; 169 }; 170 171 /*****************************************************************************/ 172 /* 173 * kernel managed key type definition 174 */ 175 struct key_type { 176 /* name of the type */ 177 const char *name; 178 179 /* default payload length for quota precalculation (optional) 180 * - this can be used instead of calling key_payload_reserve(), that 181 * function only needs to be called if the real datalen is different 182 */ 183 size_t def_datalen; 184 185 /* instantiate a key of this type 186 * - this method should call key_payload_reserve() to determine if the 187 * user's quota will hold the payload 188 */ 189 int (*instantiate)(struct key *key, const void *data, size_t datalen); 190 191 /* duplicate a key of this type (optional) 192 * - the source key will be locked against change 193 * - the new description will be attached 194 * - the quota will have been adjusted automatically from 195 * source->quotalen 196 */ 197 int (*duplicate)(struct key *key, const struct key *source); 198 199 /* update a key of this type (optional) 200 * - this method should call key_payload_reserve() to recalculate the 201 * quota consumption 202 * - the key must be locked against read when modifying 203 */ 204 int (*update)(struct key *key, const void *data, size_t datalen); 205 206 /* match a key against a description */ 207 int (*match)(const struct key *key, const void *desc); 208 209 /* clear the data from a key (optional) */ 210 void (*destroy)(struct key *key); 211 212 /* describe a key */ 213 void (*describe)(const struct key *key, struct seq_file *p); 214 215 /* read a key's data (optional) 216 * - permission checks will be done by the caller 217 * - the key's semaphore will be readlocked by the caller 218 * - should return the amount of data that could be read, no matter how 219 * much is copied into the buffer 220 * - shouldn't do the copy if the buffer is NULL 221 */ 222 long (*read)(const struct key *key, char __user *buffer, size_t buflen); 223 224 /* internal fields */ 225 struct list_head link; /* link in types list */ 226 }; 227 228 extern struct key_type key_type_keyring; 229 230 extern int register_key_type(struct key_type *ktype); 231 extern void unregister_key_type(struct key_type *ktype); 232 233 extern struct key *key_alloc(struct key_type *type, 234 const char *desc, 235 uid_t uid, gid_t gid, key_perm_t perm, 236 int not_in_quota); 237 extern int key_payload_reserve(struct key *key, size_t datalen); 238 extern int key_instantiate_and_link(struct key *key, 239 const void *data, 240 size_t datalen, 241 struct key *keyring, 242 struct key *instkey); 243 extern int key_negate_and_link(struct key *key, 244 unsigned timeout, 245 struct key *keyring, 246 struct key *instkey); 247 extern void key_revoke(struct key *key); 248 extern void key_put(struct key *key); 249 250 static inline struct key *key_get(struct key *key) 251 { 252 if (key) 253 atomic_inc(&key->usage); 254 return key; 255 } 256 257 static inline void key_ref_put(key_ref_t key_ref) 258 { 259 key_put(key_ref_to_ptr(key_ref)); 260 } 261 262 extern struct key *request_key(struct key_type *type, 263 const char *description, 264 const char *callout_info); 265 266 extern int key_validate(struct key *key); 267 268 extern key_ref_t key_create_or_update(key_ref_t keyring, 269 const char *type, 270 const char *description, 271 const void *payload, 272 size_t plen, 273 int not_in_quota); 274 275 extern int key_update(key_ref_t key, 276 const void *payload, 277 size_t plen); 278 279 extern int key_link(struct key *keyring, 280 struct key *key); 281 282 extern int key_unlink(struct key *keyring, 283 struct key *key); 284 285 extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, 286 int not_in_quota, struct key *dest); 287 288 extern int keyring_clear(struct key *keyring); 289 290 extern key_ref_t keyring_search(key_ref_t keyring, 291 struct key_type *type, 292 const char *description); 293 294 extern int keyring_add_key(struct key *keyring, 295 struct key *key); 296 297 extern struct key *key_lookup(key_serial_t id); 298 299 extern void keyring_replace_payload(struct key *key, void *replacement); 300 301 #define key_serial(key) ((key) ? (key)->serial : 0) 302 303 /* 304 * the userspace interface 305 */ 306 extern struct key root_user_keyring, root_session_keyring; 307 extern int alloc_uid_keyring(struct user_struct *user); 308 extern void switch_uid_keyring(struct user_struct *new_user); 309 extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk); 310 extern int copy_thread_group_keys(struct task_struct *tsk); 311 extern void exit_keys(struct task_struct *tsk); 312 extern void exit_thread_group_keys(struct signal_struct *tg); 313 extern int suid_keys(struct task_struct *tsk); 314 extern int exec_keys(struct task_struct *tsk); 315 extern void key_fsuid_changed(struct task_struct *tsk); 316 extern void key_fsgid_changed(struct task_struct *tsk); 317 extern void key_init(void); 318 319 #define __install_session_keyring(tsk, keyring) \ 320 ({ \ 321 struct key *old_session = tsk->signal->session_keyring; \ 322 tsk->signal->session_keyring = keyring; \ 323 old_session; \ 324 }) 325 326 #else /* CONFIG_KEYS */ 327 328 #define key_validate(k) 0 329 #define key_serial(k) 0 330 #define key_get(k) ({ NULL; }) 331 #define key_put(k) do { } while(0) 332 #define key_ref_put(k) do { } while(0) 333 #define make_key_ref(k) ({ NULL; }) 334 #define key_ref_to_ptr(k) ({ NULL; }) 335 #define is_key_possessed(k) 0 336 #define alloc_uid_keyring(u) 0 337 #define switch_uid_keyring(u) do { } while(0) 338 #define __install_session_keyring(t, k) ({ NULL; }) 339 #define copy_keys(f,t) 0 340 #define copy_thread_group_keys(t) 0 341 #define exit_keys(t) do { } while(0) 342 #define exit_thread_group_keys(tg) do { } while(0) 343 #define suid_keys(t) do { } while(0) 344 #define exec_keys(t) do { } while(0) 345 #define key_fsuid_changed(t) do { } while(0) 346 #define key_fsgid_changed(t) do { } while(0) 347 #define key_init() do { } while(0) 348 349 #endif /* CONFIG_KEYS */ 350 #endif /* __KERNEL__ */ 351 #endif /* _LINUX_KEY_H */ 352