Merge branch 'master' into export-slabh
[kernel.git] / kernel / cred.c
1 /* Task credentials management - see Documentation/credentials.txt
2  *
3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public Licence
8  * as published by the Free Software Foundation; either version
9  * 2 of the Licence, or (at your option) any later version.
10  */
11 #include <linux/module.h>
12 #include <linux/cred.h>
13 #include <linux/slab.h>
14 #include <linux/sched.h>
15 #include <linux/key.h>
16 #include <linux/keyctl.h>
17 #include <linux/init_task.h>
18 #include <linux/security.h>
19 #include <linux/cn_proc.h>
20 #include "cred-internals.h"
21
22 #if 0
23 #define kdebug(FMT, ...) \
24         printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
25 #else
26 static inline __attribute__((format(printf, 1, 2)))
27 void no_printk(const char *fmt, ...)
28 {
29 }
30 #define kdebug(FMT, ...) \
31         no_printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
32 #endif
33
34 static struct kmem_cache *cred_jar;
35
36 /*
37  * The common credentials for the initial task's thread group
38  */
39 #ifdef CONFIG_KEYS
40 static struct thread_group_cred init_tgcred = {
41         .usage  = ATOMIC_INIT(2),
42         .tgid   = 0,
43         .lock   = SPIN_LOCK_UNLOCKED,
44 };
45 #endif
46
47 /*
48  * The initial credentials for the initial task
49  */
50 struct cred init_cred = {
51         .usage                  = ATOMIC_INIT(4),
52 #ifdef CONFIG_DEBUG_CREDENTIALS
53         .subscribers            = ATOMIC_INIT(2),
54         .magic                  = CRED_MAGIC,
55 #endif
56         .securebits             = SECUREBITS_DEFAULT,
57         .cap_inheritable        = CAP_INIT_INH_SET,
58         .cap_permitted          = CAP_FULL_SET,
59         .cap_effective          = CAP_INIT_EFF_SET,
60         .cap_bset               = CAP_INIT_BSET,
61         .user                   = INIT_USER,
62         .group_info             = &init_groups,
63 #ifdef CONFIG_KEYS
64         .tgcred                 = &init_tgcred,
65 #endif
66 };
67
68 static inline void set_cred_subscribers(struct cred *cred, int n)
69 {
70 #ifdef CONFIG_DEBUG_CREDENTIALS
71         atomic_set(&cred->subscribers, n);
72 #endif
73 }
74
75 static inline int read_cred_subscribers(const struct cred *cred)
76 {
77 #ifdef CONFIG_DEBUG_CREDENTIALS
78         return atomic_read(&cred->subscribers);
79 #else
80         return 0;
81 #endif
82 }
83
84 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
85 {
86 #ifdef CONFIG_DEBUG_CREDENTIALS
87         struct cred *cred = (struct cred *) _cred;
88
89         atomic_add(n, &cred->subscribers);
90 #endif
91 }
92
93 /*
94  * Dispose of the shared task group credentials
95  */
96 #ifdef CONFIG_KEYS
97 static void release_tgcred_rcu(struct rcu_head *rcu)
98 {
99         struct thread_group_cred *tgcred =
100                 container_of(rcu, struct thread_group_cred, rcu);
101
102         BUG_ON(atomic_read(&tgcred->usage) != 0);
103
104         key_put(tgcred->session_keyring);
105         key_put(tgcred->process_keyring);
106         kfree(tgcred);
107 }
108 #endif
109
110 /*
111  * Release a set of thread group credentials.
112  */
113 static void release_tgcred(struct cred *cred)
114 {
115 #ifdef CONFIG_KEYS
116         struct thread_group_cred *tgcred = cred->tgcred;
117
118         if (atomic_dec_and_test(&tgcred->usage))
119                 call_rcu(&tgcred->rcu, release_tgcred_rcu);
120 #endif
121 }
122
123 /*
124  * The RCU callback to actually dispose of a set of credentials
125  */
126 static void put_cred_rcu(struct rcu_head *rcu)
127 {
128         struct cred *cred = container_of(rcu, struct cred, rcu);
129
130         kdebug("put_cred_rcu(%p)", cred);
131
132 #ifdef CONFIG_DEBUG_CREDENTIALS
133         if (cred->magic != CRED_MAGIC_DEAD ||
134             atomic_read(&cred->usage) != 0 ||
135             read_cred_subscribers(cred) != 0)
136                 panic("CRED: put_cred_rcu() sees %p with"
137                       " mag %x, put %p, usage %d, subscr %d\n",
138                       cred, cred->magic, cred->put_addr,
139                       atomic_read(&cred->usage),
140                       read_cred_subscribers(cred));
141 #else
142         if (atomic_read(&cred->usage) != 0)
143                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
144                       cred, atomic_read(&cred->usage));
145 #endif
146
147         security_cred_free(cred);
148         key_put(cred->thread_keyring);
149         key_put(cred->request_key_auth);
150         release_tgcred(cred);
151         if (cred->group_info)
152                 put_group_info(cred->group_info);
153         free_uid(cred->user);
154         kmem_cache_free(cred_jar, cred);
155 }
156
157 /**
158  * __put_cred - Destroy a set of credentials
159  * @cred: The record to release
160  *
161  * Destroy a set of credentials on which no references remain.
162  */
163 void __put_cred(struct cred *cred)
164 {
165         kdebug("__put_cred(%p{%d,%d})", cred,
166                atomic_read(&cred->usage),
167                read_cred_subscribers(cred));
168
169         BUG_ON(atomic_read(&cred->usage) != 0);
170 #ifdef CONFIG_DEBUG_CREDENTIALS
171         BUG_ON(read_cred_subscribers(cred) != 0);
172         cred->magic = CRED_MAGIC_DEAD;
173         cred->put_addr = __builtin_return_address(0);
174 #endif
175         BUG_ON(cred == current->cred);
176         BUG_ON(cred == current->real_cred);
177
178         call_rcu(&cred->rcu, put_cred_rcu);
179 }
180 EXPORT_SYMBOL(__put_cred);
181
182 /*
183  * Clean up a task's credentials when it exits
184  */
185 void exit_creds(struct task_struct *tsk)
186 {
187         struct cred *cred;
188
189         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
190                atomic_read(&tsk->cred->usage),
191                read_cred_subscribers(tsk->cred));
192
193         cred = (struct cred *) tsk->real_cred;
194         tsk->real_cred = NULL;
195         validate_creds(cred);
196         alter_cred_subscribers(cred, -1);
197         put_cred(cred);
198
199         cred = (struct cred *) tsk->cred;
200         tsk->cred = NULL;
201         validate_creds(cred);
202         alter_cred_subscribers(cred, -1);
203         put_cred(cred);
204
205         cred = (struct cred *) tsk->replacement_session_keyring;
206         if (cred) {
207                 tsk->replacement_session_keyring = NULL;
208                 validate_creds(cred);
209                 put_cred(cred);
210         }
211 }
212
213 /*
214  * Allocate blank credentials, such that the credentials can be filled in at a
215  * later date without risk of ENOMEM.
216  */
217 struct cred *cred_alloc_blank(void)
218 {
219         struct cred *new;
220
221         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
222         if (!new)
223                 return NULL;
224
225 #ifdef CONFIG_KEYS
226         new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
227         if (!new->tgcred) {
228                 kmem_cache_free(cred_jar, new);
229                 return NULL;
230         }
231         atomic_set(&new->tgcred->usage, 1);
232 #endif
233
234         atomic_set(&new->usage, 1);
235
236         if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
237                 goto error;
238
239 #ifdef CONFIG_DEBUG_CREDENTIALS
240         new->magic = CRED_MAGIC;
241 #endif
242         return new;
243
244 error:
245         abort_creds(new);
246         return NULL;
247 }
248
249 /**
250  * prepare_creds - Prepare a new set of credentials for modification
251  *
252  * Prepare a new set of task credentials for modification.  A task's creds
253  * shouldn't generally be modified directly, therefore this function is used to
254  * prepare a new copy, which the caller then modifies and then commits by
255  * calling commit_creds().
256  *
257  * Preparation involves making a copy of the objective creds for modification.
258  *
259  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
260  *
261  * Call commit_creds() or abort_creds() to clean up.
262  */
263 struct cred *prepare_creds(void)
264 {
265         struct task_struct *task = current;
266         const struct cred *old;
267         struct cred *new;
268
269         validate_process_creds();
270
271         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
272         if (!new)
273                 return NULL;
274
275         kdebug("prepare_creds() alloc %p", new);
276
277         old = task->cred;
278         memcpy(new, old, sizeof(struct cred));
279
280         atomic_set(&new->usage, 1);
281         set_cred_subscribers(new, 0);
282         get_group_info(new->group_info);
283         get_uid(new->user);
284
285 #ifdef CONFIG_KEYS
286         key_get(new->thread_keyring);
287         key_get(new->request_key_auth);
288         atomic_inc(&new->tgcred->usage);
289 #endif
290
291 #ifdef CONFIG_SECURITY
292         new->security = NULL;
293 #endif
294
295         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
296                 goto error;
297         validate_creds(new);
298         return new;
299
300 error:
301         abort_creds(new);
302         return NULL;
303 }
304 EXPORT_SYMBOL(prepare_creds);
305
306 /*
307  * Prepare credentials for current to perform an execve()
308  * - The caller must hold current->cred_guard_mutex
309  */
310 struct cred *prepare_exec_creds(void)
311 {
312         struct thread_group_cred *tgcred = NULL;
313         struct cred *new;
314
315 #ifdef CONFIG_KEYS
316         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
317         if (!tgcred)
318                 return NULL;
319 #endif
320
321         new = prepare_creds();
322         if (!new) {
323                 kfree(tgcred);
324                 return new;
325         }
326
327 #ifdef CONFIG_KEYS
328         /* newly exec'd tasks don't get a thread keyring */
329         key_put(new->thread_keyring);
330         new->thread_keyring = NULL;
331
332         /* create a new per-thread-group creds for all this set of threads to
333          * share */
334         memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
335
336         atomic_set(&tgcred->usage, 1);
337         spin_lock_init(&tgcred->lock);
338
339         /* inherit the session keyring; new process keyring */
340         key_get(tgcred->session_keyring);
341         tgcred->process_keyring = NULL;
342
343         release_tgcred(new);
344         new->tgcred = tgcred;
345 #endif
346
347         return new;
348 }
349
350 /*
351  * prepare new credentials for the usermode helper dispatcher
352  */
353 struct cred *prepare_usermodehelper_creds(void)
354 {
355 #ifdef CONFIG_KEYS
356         struct thread_group_cred *tgcred = NULL;
357 #endif
358         struct cred *new;
359
360 #ifdef CONFIG_KEYS
361         tgcred = kzalloc(sizeof(*new->tgcred), GFP_ATOMIC);
362         if (!tgcred)
363                 return NULL;
364 #endif
365
366         new = kmem_cache_alloc(cred_jar, GFP_ATOMIC);
367         if (!new)
368                 goto free_tgcred;
369
370         kdebug("prepare_usermodehelper_creds() alloc %p", new);
371
372         memcpy(new, &init_cred, sizeof(struct cred));
373
374         atomic_set(&new->usage, 1);
375         set_cred_subscribers(new, 0);
376         get_group_info(new->group_info);
377         get_uid(new->user);
378
379 #ifdef CONFIG_KEYS
380         new->thread_keyring = NULL;
381         new->request_key_auth = NULL;
382         new->jit_keyring = KEY_REQKEY_DEFL_DEFAULT;
383
384         atomic_set(&tgcred->usage, 1);
385         spin_lock_init(&tgcred->lock);
386         new->tgcred = tgcred;
387 #endif
388
389 #ifdef CONFIG_SECURITY
390         new->security = NULL;
391 #endif
392         if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
393                 goto error;
394         validate_creds(new);
395
396         BUG_ON(atomic_read(&new->usage) != 1);
397         return new;
398
399 error:
400         put_cred(new);
401 free_tgcred:
402 #ifdef CONFIG_KEYS
403         kfree(tgcred);
404 #endif
405         return NULL;
406 }
407
408 /*
409  * Copy credentials for the new process created by fork()
410  *
411  * We share if we can, but under some circumstances we have to generate a new
412  * set.
413  *
414  * The new process gets the current process's subjective credentials as its
415  * objective and subjective credentials
416  */
417 int copy_creds(struct task_struct *p, unsigned long clone_flags)
418 {
419 #ifdef CONFIG_KEYS
420         struct thread_group_cred *tgcred;
421 #endif
422         struct cred *new;
423         int ret;
424
425         mutex_init(&p->cred_guard_mutex);
426
427         if (
428 #ifdef CONFIG_KEYS
429                 !p->cred->thread_keyring &&
430 #endif
431                 clone_flags & CLONE_THREAD
432             ) {
433                 p->real_cred = get_cred(p->cred);
434                 get_cred(p->cred);
435                 alter_cred_subscribers(p->cred, 2);
436                 kdebug("share_creds(%p{%d,%d})",
437                        p->cred, atomic_read(&p->cred->usage),
438                        read_cred_subscribers(p->cred));
439                 atomic_inc(&p->cred->user->processes);
440                 return 0;
441         }
442
443         new = prepare_creds();
444         if (!new)
445                 return -ENOMEM;
446
447         if (clone_flags & CLONE_NEWUSER) {
448                 ret = create_user_ns(new);
449                 if (ret < 0)
450                         goto error_put;
451         }
452
453 #ifdef CONFIG_KEYS
454         /* new threads get their own thread keyrings if their parent already
455          * had one */
456         if (new->thread_keyring) {
457                 key_put(new->thread_keyring);
458                 new->thread_keyring = NULL;
459                 if (clone_flags & CLONE_THREAD)
460                         install_thread_keyring_to_cred(new);
461         }
462
463         /* we share the process and session keyrings between all the threads in
464          * a process - this is slightly icky as we violate COW credentials a
465          * bit */
466         if (!(clone_flags & CLONE_THREAD)) {
467                 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
468                 if (!tgcred) {
469                         ret = -ENOMEM;
470                         goto error_put;
471                 }
472                 atomic_set(&tgcred->usage, 1);
473                 spin_lock_init(&tgcred->lock);
474                 tgcred->process_keyring = NULL;
475                 tgcred->session_keyring = key_get(new->tgcred->session_keyring);
476
477                 release_tgcred(new);
478                 new->tgcred = tgcred;
479         }
480 #endif
481
482         atomic_inc(&new->user->processes);
483         p->cred = p->real_cred = get_cred(new);
484         alter_cred_subscribers(new, 2);
485         validate_creds(new);
486         return 0;
487
488 error_put:
489         put_cred(new);
490         return ret;
491 }
492
493 /**
494  * commit_creds - Install new credentials upon the current task
495  * @new: The credentials to be assigned
496  *
497  * Install a new set of credentials to the current task, using RCU to replace
498  * the old set.  Both the objective and the subjective credentials pointers are
499  * updated.  This function may not be called if the subjective credentials are
500  * in an overridden state.
501  *
502  * This function eats the caller's reference to the new credentials.
503  *
504  * Always returns 0 thus allowing this function to be tail-called at the end
505  * of, say, sys_setgid().
506  */
507 int commit_creds(struct cred *new)
508 {
509         struct task_struct *task = current;
510         const struct cred *old = task->real_cred;
511
512         kdebug("commit_creds(%p{%d,%d})", new,
513                atomic_read(&new->usage),
514                read_cred_subscribers(new));
515
516         BUG_ON(task->cred != old);
517 #ifdef CONFIG_DEBUG_CREDENTIALS
518         BUG_ON(read_cred_subscribers(old) < 2);
519         validate_creds(old);
520         validate_creds(new);
521 #endif
522         BUG_ON(atomic_read(&new->usage) < 1);
523
524         security_commit_creds(new, old);
525
526         get_cred(new); /* we will require a ref for the subj creds too */
527
528         /* dumpability changes */
529         if (old->euid != new->euid ||
530             old->egid != new->egid ||
531             old->fsuid != new->fsuid ||
532             old->fsgid != new->fsgid ||
533             !cap_issubset(new->cap_permitted, old->cap_permitted)) {
534                 if (task->mm)
535                         set_dumpable(task->mm, suid_dumpable);
536                 task->pdeath_signal = 0;
537                 smp_wmb();
538         }
539
540         /* alter the thread keyring */
541         if (new->fsuid != old->fsuid)
542                 key_fsuid_changed(task);
543         if (new->fsgid != old->fsgid)
544                 key_fsgid_changed(task);
545
546         /* do it
547          * - What if a process setreuid()'s and this brings the
548          *   new uid over his NPROC rlimit?  We can check this now
549          *   cheaply with the new uid cache, so if it matters
550          *   we should be checking for it.  -DaveM
551          */
552         alter_cred_subscribers(new, 2);
553         if (new->user != old->user)
554                 atomic_inc(&new->user->processes);
555         rcu_assign_pointer(task->real_cred, new);
556         rcu_assign_pointer(task->cred, new);
557         if (new->user != old->user)
558                 atomic_dec(&old->user->processes);
559         alter_cred_subscribers(old, -2);
560
561         sched_switch_user(task);
562
563         /* send notifications */
564         if (new->uid   != old->uid  ||
565             new->euid  != old->euid ||
566             new->suid  != old->suid ||
567             new->fsuid != old->fsuid)
568                 proc_id_connector(task, PROC_EVENT_UID);
569
570         if (new->gid   != old->gid  ||
571             new->egid  != old->egid ||
572             new->sgid  != old->sgid ||
573             new->fsgid != old->fsgid)
574                 proc_id_connector(task, PROC_EVENT_GID);
575
576         /* release the old obj and subj refs both */
577         put_cred(old);
578         put_cred(old);
579         return 0;
580 }
581 EXPORT_SYMBOL(commit_creds);
582
583 /**
584  * abort_creds - Discard a set of credentials and unlock the current task
585  * @new: The credentials that were going to be applied
586  *
587  * Discard a set of credentials that were under construction and unlock the
588  * current task.
589  */
590 void abort_creds(struct cred *new)
591 {
592         kdebug("abort_creds(%p{%d,%d})", new,
593                atomic_read(&new->usage),
594                read_cred_subscribers(new));
595
596 #ifdef CONFIG_DEBUG_CREDENTIALS
597         BUG_ON(read_cred_subscribers(new) != 0);
598 #endif
599         BUG_ON(atomic_read(&new->usage) < 1);
600         put_cred(new);
601 }
602 EXPORT_SYMBOL(abort_creds);
603
604 /**
605  * override_creds - Override the current process's subjective credentials
606  * @new: The credentials to be assigned
607  *
608  * Install a set of temporary override subjective credentials on the current
609  * process, returning the old set for later reversion.
610  */
611 const struct cred *override_creds(const struct cred *new)
612 {
613         const struct cred *old = current->cred;
614
615         kdebug("override_creds(%p{%d,%d})", new,
616                atomic_read(&new->usage),
617                read_cred_subscribers(new));
618
619         validate_creds(old);
620         validate_creds(new);
621         get_cred(new);
622         alter_cred_subscribers(new, 1);
623         rcu_assign_pointer(current->cred, new);
624         alter_cred_subscribers(old, -1);
625
626         kdebug("override_creds() = %p{%d,%d}", old,
627                atomic_read(&old->usage),
628                read_cred_subscribers(old));
629         return old;
630 }
631 EXPORT_SYMBOL(override_creds);
632
633 /**
634  * revert_creds - Revert a temporary subjective credentials override
635  * @old: The credentials to be restored
636  *
637  * Revert a temporary set of override subjective credentials to an old set,
638  * discarding the override set.
639  */
640 void revert_creds(const struct cred *old)
641 {
642         const struct cred *override = current->cred;
643
644         kdebug("revert_creds(%p{%d,%d})", old,
645                atomic_read(&old->usage),
646                read_cred_subscribers(old));
647
648         validate_creds(old);
649         validate_creds(override);
650         alter_cred_subscribers(old, 1);
651         rcu_assign_pointer(current->cred, old);
652         alter_cred_subscribers(override, -1);
653         put_cred(override);
654 }
655 EXPORT_SYMBOL(revert_creds);
656
657 /*
658  * initialise the credentials stuff
659  */
660 void __init cred_init(void)
661 {
662         /* allocate a slab in which we can store credentials */
663         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
664                                      0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
665 }
666
667 /**
668  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
669  * @daemon: A userspace daemon to be used as a reference
670  *
671  * Prepare a set of credentials for a kernel service.  This can then be used to
672  * override a task's own credentials so that work can be done on behalf of that
673  * task that requires a different subjective context.
674  *
675  * @daemon is used to provide a base for the security record, but can be NULL.
676  * If @daemon is supplied, then the security data will be derived from that;
677  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
678  *
679  * The caller may change these controls afterwards if desired.
680  *
681  * Returns the new credentials or NULL if out of memory.
682  *
683  * Does not take, and does not return holding current->cred_replace_mutex.
684  */
685 struct cred *prepare_kernel_cred(struct task_struct *daemon)
686 {
687         const struct cred *old;
688         struct cred *new;
689
690         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
691         if (!new)
692                 return NULL;
693
694         kdebug("prepare_kernel_cred() alloc %p", new);
695
696         if (daemon)
697                 old = get_task_cred(daemon);
698         else
699                 old = get_cred(&init_cred);
700
701         validate_creds(old);
702
703         *new = *old;
704         get_uid(new->user);
705         get_group_info(new->group_info);
706
707 #ifdef CONFIG_KEYS
708         atomic_inc(&init_tgcred.usage);
709         new->tgcred = &init_tgcred;
710         new->request_key_auth = NULL;
711         new->thread_keyring = NULL;
712         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
713 #endif
714
715 #ifdef CONFIG_SECURITY
716         new->security = NULL;
717 #endif
718         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
719                 goto error;
720
721         atomic_set(&new->usage, 1);
722         set_cred_subscribers(new, 0);
723         put_cred(old);
724         validate_creds(new);
725         return new;
726
727 error:
728         put_cred(new);
729         put_cred(old);
730         return NULL;
731 }
732 EXPORT_SYMBOL(prepare_kernel_cred);
733
734 /**
735  * set_security_override - Set the security ID in a set of credentials
736  * @new: The credentials to alter
737  * @secid: The LSM security ID to set
738  *
739  * Set the LSM security ID in a set of credentials so that the subjective
740  * security is overridden when an alternative set of credentials is used.
741  */
742 int set_security_override(struct cred *new, u32 secid)
743 {
744         return security_kernel_act_as(new, secid);
745 }
746 EXPORT_SYMBOL(set_security_override);
747
748 /**
749  * set_security_override_from_ctx - Set the security ID in a set of credentials
750  * @new: The credentials to alter
751  * @secctx: The LSM security context to generate the security ID from.
752  *
753  * Set the LSM security ID in a set of credentials so that the subjective
754  * security is overridden when an alternative set of credentials is used.  The
755  * security ID is specified in string form as a security context to be
756  * interpreted by the LSM.
757  */
758 int set_security_override_from_ctx(struct cred *new, const char *secctx)
759 {
760         u32 secid;
761         int ret;
762
763         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
764         if (ret < 0)
765                 return ret;
766
767         return set_security_override(new, secid);
768 }
769 EXPORT_SYMBOL(set_security_override_from_ctx);
770
771 /**
772  * set_create_files_as - Set the LSM file create context in a set of credentials
773  * @new: The credentials to alter
774  * @inode: The inode to take the context from
775  *
776  * Change the LSM file creation context in a set of credentials to be the same
777  * as the object context of the specified inode, so that the new inodes have
778  * the same MAC context as that inode.
779  */
780 int set_create_files_as(struct cred *new, struct inode *inode)
781 {
782         new->fsuid = inode->i_uid;
783         new->fsgid = inode->i_gid;
784         return security_kernel_create_files_as(new, inode);
785 }
786 EXPORT_SYMBOL(set_create_files_as);
787
788 #ifdef CONFIG_DEBUG_CREDENTIALS
789
790 bool creds_are_invalid(const struct cred *cred)
791 {
792         if (cred->magic != CRED_MAGIC)
793                 return true;
794         if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
795                 return true;
796 #ifdef CONFIG_SECURITY_SELINUX
797         if (selinux_is_enabled()) {
798                 if ((unsigned long) cred->security < PAGE_SIZE)
799                         return true;
800                 if ((*(u32 *)cred->security & 0xffffff00) ==
801                     (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
802                         return true;
803         }
804 #endif
805         return false;
806 }
807 EXPORT_SYMBOL(creds_are_invalid);
808
809 /*
810  * dump invalid credentials
811  */
812 static void dump_invalid_creds(const struct cred *cred, const char *label,
813                                const struct task_struct *tsk)
814 {
815         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
816                label, cred,
817                cred == &init_cred ? "[init]" : "",
818                cred == tsk->real_cred ? "[real]" : "",
819                cred == tsk->cred ? "[eff]" : "");
820         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
821                cred->magic, cred->put_addr);
822         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
823                atomic_read(&cred->usage),
824                read_cred_subscribers(cred));
825         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
826                cred->uid, cred->euid, cred->suid, cred->fsuid);
827         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
828                cred->gid, cred->egid, cred->sgid, cred->fsgid);
829 #ifdef CONFIG_SECURITY
830         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
831         if ((unsigned long) cred->security >= PAGE_SIZE &&
832             (((unsigned long) cred->security & 0xffffff00) !=
833              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
834                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
835                        ((u32*)cred->security)[0],
836                        ((u32*)cred->security)[1]);
837 #endif
838 }
839
840 /*
841  * report use of invalid credentials
842  */
843 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
844 {
845         printk(KERN_ERR "CRED: Invalid credentials\n");
846         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
847         dump_invalid_creds(cred, "Specified", current);
848         BUG();
849 }
850 EXPORT_SYMBOL(__invalid_creds);
851
852 /*
853  * check the credentials on a process
854  */
855 void __validate_process_creds(struct task_struct *tsk,
856                               const char *file, unsigned line)
857 {
858         if (tsk->cred == tsk->real_cred) {
859                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
860                              creds_are_invalid(tsk->cred)))
861                         goto invalid_creds;
862         } else {
863                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
864                              read_cred_subscribers(tsk->cred) < 1 ||
865                              creds_are_invalid(tsk->real_cred) ||
866                              creds_are_invalid(tsk->cred)))
867                         goto invalid_creds;
868         }
869         return;
870
871 invalid_creds:
872         printk(KERN_ERR "CRED: Invalid process credentials\n");
873         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
874
875         dump_invalid_creds(tsk->real_cred, "Real", tsk);
876         if (tsk->cred != tsk->real_cred)
877                 dump_invalid_creds(tsk->cred, "Effective", tsk);
878         else
879                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
880         BUG();
881 }
882 EXPORT_SYMBOL(__validate_process_creds);
883
884 /*
885  * check creds for do_exit()
886  */
887 void validate_creds_for_do_exit(struct task_struct *tsk)
888 {
889         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
890                tsk->real_cred, tsk->cred,
891                atomic_read(&tsk->cred->usage),
892                read_cred_subscribers(tsk->cred));
893
894         __validate_process_creds(tsk, __FILE__, __LINE__);
895 }
896
897 #endif /* CONFIG_DEBUG_CREDENTIALS */