Merge tag 'for-5.13-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave...
[platform/kernel/linux-starfive.git] / kernel / cred.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Task credentials management - see Documentation/security/credentials.rst
3  *
4  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 #include <linux/export.h>
8 #include <linux/cred.h>
9 #include <linux/slab.h>
10 #include <linux/sched.h>
11 #include <linux/sched/coredump.h>
12 #include <linux/key.h>
13 #include <linux/keyctl.h>
14 #include <linux/init_task.h>
15 #include <linux/security.h>
16 #include <linux/binfmts.h>
17 #include <linux/cn_proc.h>
18 #include <linux/uidgid.h>
19
20 #if 0
21 #define kdebug(FMT, ...)                                                \
22         printk("[%-5.5s%5u] " FMT "\n",                                 \
23                current->comm, current->pid, ##__VA_ARGS__)
24 #else
25 #define kdebug(FMT, ...)                                                \
26 do {                                                                    \
27         if (0)                                                          \
28                 no_printk("[%-5.5s%5u] " FMT "\n",                      \
29                           current->comm, current->pid, ##__VA_ARGS__);  \
30 } while (0)
31 #endif
32
33 static struct kmem_cache *cred_jar;
34
35 /* init to 2 - one for init_task, one to ensure it is never freed */
36 static struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
37
38 /*
39  * The initial credentials for the initial task
40  */
41 struct cred init_cred = {
42         .usage                  = ATOMIC_INIT(4),
43 #ifdef CONFIG_DEBUG_CREDENTIALS
44         .subscribers            = ATOMIC_INIT(2),
45         .magic                  = CRED_MAGIC,
46 #endif
47         .uid                    = GLOBAL_ROOT_UID,
48         .gid                    = GLOBAL_ROOT_GID,
49         .suid                   = GLOBAL_ROOT_UID,
50         .sgid                   = GLOBAL_ROOT_GID,
51         .euid                   = GLOBAL_ROOT_UID,
52         .egid                   = GLOBAL_ROOT_GID,
53         .fsuid                  = GLOBAL_ROOT_UID,
54         .fsgid                  = GLOBAL_ROOT_GID,
55         .securebits             = SECUREBITS_DEFAULT,
56         .cap_inheritable        = CAP_EMPTY_SET,
57         .cap_permitted          = CAP_FULL_SET,
58         .cap_effective          = CAP_FULL_SET,
59         .cap_bset               = CAP_FULL_SET,
60         .user                   = INIT_USER,
61         .user_ns                = &init_user_ns,
62         .group_info             = &init_groups,
63 };
64
65 static inline void set_cred_subscribers(struct cred *cred, int n)
66 {
67 #ifdef CONFIG_DEBUG_CREDENTIALS
68         atomic_set(&cred->subscribers, n);
69 #endif
70 }
71
72 static inline int read_cred_subscribers(const struct cred *cred)
73 {
74 #ifdef CONFIG_DEBUG_CREDENTIALS
75         return atomic_read(&cred->subscribers);
76 #else
77         return 0;
78 #endif
79 }
80
81 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
82 {
83 #ifdef CONFIG_DEBUG_CREDENTIALS
84         struct cred *cred = (struct cred *) _cred;
85
86         atomic_add(n, &cred->subscribers);
87 #endif
88 }
89
90 /*
91  * The RCU callback to actually dispose of a set of credentials
92  */
93 static void put_cred_rcu(struct rcu_head *rcu)
94 {
95         struct cred *cred = container_of(rcu, struct cred, rcu);
96
97         kdebug("put_cred_rcu(%p)", cred);
98
99 #ifdef CONFIG_DEBUG_CREDENTIALS
100         if (cred->magic != CRED_MAGIC_DEAD ||
101             atomic_read(&cred->usage) != 0 ||
102             read_cred_subscribers(cred) != 0)
103                 panic("CRED: put_cred_rcu() sees %p with"
104                       " mag %x, put %p, usage %d, subscr %d\n",
105                       cred, cred->magic, cred->put_addr,
106                       atomic_read(&cred->usage),
107                       read_cred_subscribers(cred));
108 #else
109         if (atomic_read(&cred->usage) != 0)
110                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
111                       cred, atomic_read(&cred->usage));
112 #endif
113
114         security_cred_free(cred);
115         key_put(cred->session_keyring);
116         key_put(cred->process_keyring);
117         key_put(cred->thread_keyring);
118         key_put(cred->request_key_auth);
119         if (cred->group_info)
120                 put_group_info(cred->group_info);
121         free_uid(cred->user);
122         put_user_ns(cred->user_ns);
123         kmem_cache_free(cred_jar, cred);
124 }
125
126 /**
127  * __put_cred - Destroy a set of credentials
128  * @cred: The record to release
129  *
130  * Destroy a set of credentials on which no references remain.
131  */
132 void __put_cred(struct cred *cred)
133 {
134         kdebug("__put_cred(%p{%d,%d})", cred,
135                atomic_read(&cred->usage),
136                read_cred_subscribers(cred));
137
138         BUG_ON(atomic_read(&cred->usage) != 0);
139 #ifdef CONFIG_DEBUG_CREDENTIALS
140         BUG_ON(read_cred_subscribers(cred) != 0);
141         cred->magic = CRED_MAGIC_DEAD;
142         cred->put_addr = __builtin_return_address(0);
143 #endif
144         BUG_ON(cred == current->cred);
145         BUG_ON(cred == current->real_cred);
146
147         if (cred->non_rcu)
148                 put_cred_rcu(&cred->rcu);
149         else
150                 call_rcu(&cred->rcu, put_cred_rcu);
151 }
152 EXPORT_SYMBOL(__put_cred);
153
154 /*
155  * Clean up a task's credentials when it exits
156  */
157 void exit_creds(struct task_struct *tsk)
158 {
159         struct cred *cred;
160
161         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
162                atomic_read(&tsk->cred->usage),
163                read_cred_subscribers(tsk->cred));
164
165         cred = (struct cred *) tsk->real_cred;
166         tsk->real_cred = NULL;
167         validate_creds(cred);
168         alter_cred_subscribers(cred, -1);
169         put_cred(cred);
170
171         cred = (struct cred *) tsk->cred;
172         tsk->cred = NULL;
173         validate_creds(cred);
174         alter_cred_subscribers(cred, -1);
175         put_cred(cred);
176
177 #ifdef CONFIG_KEYS_REQUEST_CACHE
178         key_put(tsk->cached_requested_key);
179         tsk->cached_requested_key = NULL;
180 #endif
181 }
182
183 /**
184  * get_task_cred - Get another task's objective credentials
185  * @task: The task to query
186  *
187  * Get the objective credentials of a task, pinning them so that they can't go
188  * away.  Accessing a task's credentials directly is not permitted.
189  *
190  * The caller must also make sure task doesn't get deleted, either by holding a
191  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
192  */
193 const struct cred *get_task_cred(struct task_struct *task)
194 {
195         const struct cred *cred;
196
197         rcu_read_lock();
198
199         do {
200                 cred = __task_cred((task));
201                 BUG_ON(!cred);
202         } while (!get_cred_rcu(cred));
203
204         rcu_read_unlock();
205         return cred;
206 }
207 EXPORT_SYMBOL(get_task_cred);
208
209 /*
210  * Allocate blank credentials, such that the credentials can be filled in at a
211  * later date without risk of ENOMEM.
212  */
213 struct cred *cred_alloc_blank(void)
214 {
215         struct cred *new;
216
217         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
218         if (!new)
219                 return NULL;
220
221         atomic_set(&new->usage, 1);
222 #ifdef CONFIG_DEBUG_CREDENTIALS
223         new->magic = CRED_MAGIC;
224 #endif
225
226         if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
227                 goto error;
228
229         return new;
230
231 error:
232         abort_creds(new);
233         return NULL;
234 }
235
236 /**
237  * prepare_creds - Prepare a new set of credentials for modification
238  *
239  * Prepare a new set of task credentials for modification.  A task's creds
240  * shouldn't generally be modified directly, therefore this function is used to
241  * prepare a new copy, which the caller then modifies and then commits by
242  * calling commit_creds().
243  *
244  * Preparation involves making a copy of the objective creds for modification.
245  *
246  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
247  *
248  * Call commit_creds() or abort_creds() to clean up.
249  */
250 struct cred *prepare_creds(void)
251 {
252         struct task_struct *task = current;
253         const struct cred *old;
254         struct cred *new;
255
256         validate_process_creds();
257
258         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
259         if (!new)
260                 return NULL;
261
262         kdebug("prepare_creds() alloc %p", new);
263
264         old = task->cred;
265         memcpy(new, old, sizeof(struct cred));
266
267         new->non_rcu = 0;
268         atomic_set(&new->usage, 1);
269         set_cred_subscribers(new, 0);
270         get_group_info(new->group_info);
271         get_uid(new->user);
272         get_user_ns(new->user_ns);
273
274 #ifdef CONFIG_KEYS
275         key_get(new->session_keyring);
276         key_get(new->process_keyring);
277         key_get(new->thread_keyring);
278         key_get(new->request_key_auth);
279 #endif
280
281 #ifdef CONFIG_SECURITY
282         new->security = NULL;
283 #endif
284
285         if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
286                 goto error;
287         validate_creds(new);
288         return new;
289
290 error:
291         abort_creds(new);
292         return NULL;
293 }
294 EXPORT_SYMBOL(prepare_creds);
295
296 /*
297  * Prepare credentials for current to perform an execve()
298  * - The caller must hold ->cred_guard_mutex
299  */
300 struct cred *prepare_exec_creds(void)
301 {
302         struct cred *new;
303
304         new = prepare_creds();
305         if (!new)
306                 return new;
307
308 #ifdef CONFIG_KEYS
309         /* newly exec'd tasks don't get a thread keyring */
310         key_put(new->thread_keyring);
311         new->thread_keyring = NULL;
312
313         /* inherit the session keyring; new process keyring */
314         key_put(new->process_keyring);
315         new->process_keyring = NULL;
316 #endif
317
318         new->suid = new->fsuid = new->euid;
319         new->sgid = new->fsgid = new->egid;
320
321         return new;
322 }
323
324 /*
325  * Copy credentials for the new process created by fork()
326  *
327  * We share if we can, but under some circumstances we have to generate a new
328  * set.
329  *
330  * The new process gets the current process's subjective credentials as its
331  * objective and subjective credentials
332  */
333 int copy_creds(struct task_struct *p, unsigned long clone_flags)
334 {
335         struct cred *new;
336         int ret;
337
338 #ifdef CONFIG_KEYS_REQUEST_CACHE
339         p->cached_requested_key = NULL;
340 #endif
341
342         if (
343 #ifdef CONFIG_KEYS
344                 !p->cred->thread_keyring &&
345 #endif
346                 clone_flags & CLONE_THREAD
347             ) {
348                 p->real_cred = get_cred(p->cred);
349                 get_cred(p->cred);
350                 alter_cred_subscribers(p->cred, 2);
351                 kdebug("share_creds(%p{%d,%d})",
352                        p->cred, atomic_read(&p->cred->usage),
353                        read_cred_subscribers(p->cred));
354                 atomic_inc(&p->cred->user->processes);
355                 return 0;
356         }
357
358         new = prepare_creds();
359         if (!new)
360                 return -ENOMEM;
361
362         if (clone_flags & CLONE_NEWUSER) {
363                 ret = create_user_ns(new);
364                 if (ret < 0)
365                         goto error_put;
366         }
367
368 #ifdef CONFIG_KEYS
369         /* new threads get their own thread keyrings if their parent already
370          * had one */
371         if (new->thread_keyring) {
372                 key_put(new->thread_keyring);
373                 new->thread_keyring = NULL;
374                 if (clone_flags & CLONE_THREAD)
375                         install_thread_keyring_to_cred(new);
376         }
377
378         /* The process keyring is only shared between the threads in a process;
379          * anything outside of those threads doesn't inherit.
380          */
381         if (!(clone_flags & CLONE_THREAD)) {
382                 key_put(new->process_keyring);
383                 new->process_keyring = NULL;
384         }
385 #endif
386
387         atomic_inc(&new->user->processes);
388         p->cred = p->real_cred = get_cred(new);
389         alter_cred_subscribers(new, 2);
390         validate_creds(new);
391         return 0;
392
393 error_put:
394         put_cred(new);
395         return ret;
396 }
397
398 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
399 {
400         const struct user_namespace *set_ns = set->user_ns;
401         const struct user_namespace *subset_ns = subset->user_ns;
402
403         /* If the two credentials are in the same user namespace see if
404          * the capabilities of subset are a subset of set.
405          */
406         if (set_ns == subset_ns)
407                 return cap_issubset(subset->cap_permitted, set->cap_permitted);
408
409         /* The credentials are in a different user namespaces
410          * therefore one is a subset of the other only if a set is an
411          * ancestor of subset and set->euid is owner of subset or one
412          * of subsets ancestors.
413          */
414         for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
415                 if ((set_ns == subset_ns->parent)  &&
416                     uid_eq(subset_ns->owner, set->euid))
417                         return true;
418         }
419
420         return false;
421 }
422
423 /**
424  * commit_creds - Install new credentials upon the current task
425  * @new: The credentials to be assigned
426  *
427  * Install a new set of credentials to the current task, using RCU to replace
428  * the old set.  Both the objective and the subjective credentials pointers are
429  * updated.  This function may not be called if the subjective credentials are
430  * in an overridden state.
431  *
432  * This function eats the caller's reference to the new credentials.
433  *
434  * Always returns 0 thus allowing this function to be tail-called at the end
435  * of, say, sys_setgid().
436  */
437 int commit_creds(struct cred *new)
438 {
439         struct task_struct *task = current;
440         const struct cred *old = task->real_cred;
441
442         kdebug("commit_creds(%p{%d,%d})", new,
443                atomic_read(&new->usage),
444                read_cred_subscribers(new));
445
446         BUG_ON(task->cred != old);
447 #ifdef CONFIG_DEBUG_CREDENTIALS
448         BUG_ON(read_cred_subscribers(old) < 2);
449         validate_creds(old);
450         validate_creds(new);
451 #endif
452         BUG_ON(atomic_read(&new->usage) < 1);
453
454         get_cred(new); /* we will require a ref for the subj creds too */
455
456         /* dumpability changes */
457         if (!uid_eq(old->euid, new->euid) ||
458             !gid_eq(old->egid, new->egid) ||
459             !uid_eq(old->fsuid, new->fsuid) ||
460             !gid_eq(old->fsgid, new->fsgid) ||
461             !cred_cap_issubset(old, new)) {
462                 if (task->mm)
463                         set_dumpable(task->mm, suid_dumpable);
464                 task->pdeath_signal = 0;
465                 /*
466                  * If a task drops privileges and becomes nondumpable,
467                  * the dumpability change must become visible before
468                  * the credential change; otherwise, a __ptrace_may_access()
469                  * racing with this change may be able to attach to a task it
470                  * shouldn't be able to attach to (as if the task had dropped
471                  * privileges without becoming nondumpable).
472                  * Pairs with a read barrier in __ptrace_may_access().
473                  */
474                 smp_wmb();
475         }
476
477         /* alter the thread keyring */
478         if (!uid_eq(new->fsuid, old->fsuid))
479                 key_fsuid_changed(new);
480         if (!gid_eq(new->fsgid, old->fsgid))
481                 key_fsgid_changed(new);
482
483         /* do it
484          * RLIMIT_NPROC limits on user->processes have already been checked
485          * in set_user().
486          */
487         alter_cred_subscribers(new, 2);
488         if (new->user != old->user)
489                 atomic_inc(&new->user->processes);
490         rcu_assign_pointer(task->real_cred, new);
491         rcu_assign_pointer(task->cred, new);
492         if (new->user != old->user)
493                 atomic_dec(&old->user->processes);
494         alter_cred_subscribers(old, -2);
495
496         /* send notifications */
497         if (!uid_eq(new->uid,   old->uid)  ||
498             !uid_eq(new->euid,  old->euid) ||
499             !uid_eq(new->suid,  old->suid) ||
500             !uid_eq(new->fsuid, old->fsuid))
501                 proc_id_connector(task, PROC_EVENT_UID);
502
503         if (!gid_eq(new->gid,   old->gid)  ||
504             !gid_eq(new->egid,  old->egid) ||
505             !gid_eq(new->sgid,  old->sgid) ||
506             !gid_eq(new->fsgid, old->fsgid))
507                 proc_id_connector(task, PROC_EVENT_GID);
508
509         /* release the old obj and subj refs both */
510         put_cred(old);
511         put_cred(old);
512         return 0;
513 }
514 EXPORT_SYMBOL(commit_creds);
515
516 /**
517  * abort_creds - Discard a set of credentials and unlock the current task
518  * @new: The credentials that were going to be applied
519  *
520  * Discard a set of credentials that were under construction and unlock the
521  * current task.
522  */
523 void abort_creds(struct cred *new)
524 {
525         kdebug("abort_creds(%p{%d,%d})", new,
526                atomic_read(&new->usage),
527                read_cred_subscribers(new));
528
529 #ifdef CONFIG_DEBUG_CREDENTIALS
530         BUG_ON(read_cred_subscribers(new) != 0);
531 #endif
532         BUG_ON(atomic_read(&new->usage) < 1);
533         put_cred(new);
534 }
535 EXPORT_SYMBOL(abort_creds);
536
537 /**
538  * override_creds - Override the current process's subjective credentials
539  * @new: The credentials to be assigned
540  *
541  * Install a set of temporary override subjective credentials on the current
542  * process, returning the old set for later reversion.
543  */
544 const struct cred *override_creds(const struct cred *new)
545 {
546         const struct cred *old = current->cred;
547
548         kdebug("override_creds(%p{%d,%d})", new,
549                atomic_read(&new->usage),
550                read_cred_subscribers(new));
551
552         validate_creds(old);
553         validate_creds(new);
554
555         /*
556          * NOTE! This uses 'get_new_cred()' rather than 'get_cred()'.
557          *
558          * That means that we do not clear the 'non_rcu' flag, since
559          * we are only installing the cred into the thread-synchronous
560          * '->cred' pointer, not the '->real_cred' pointer that is
561          * visible to other threads under RCU.
562          *
563          * Also note that we did validate_creds() manually, not depending
564          * on the validation in 'get_cred()'.
565          */
566         get_new_cred((struct cred *)new);
567         alter_cred_subscribers(new, 1);
568         rcu_assign_pointer(current->cred, new);
569         alter_cred_subscribers(old, -1);
570
571         kdebug("override_creds() = %p{%d,%d}", old,
572                atomic_read(&old->usage),
573                read_cred_subscribers(old));
574         return old;
575 }
576 EXPORT_SYMBOL(override_creds);
577
578 /**
579  * revert_creds - Revert a temporary subjective credentials override
580  * @old: The credentials to be restored
581  *
582  * Revert a temporary set of override subjective credentials to an old set,
583  * discarding the override set.
584  */
585 void revert_creds(const struct cred *old)
586 {
587         const struct cred *override = current->cred;
588
589         kdebug("revert_creds(%p{%d,%d})", old,
590                atomic_read(&old->usage),
591                read_cred_subscribers(old));
592
593         validate_creds(old);
594         validate_creds(override);
595         alter_cred_subscribers(old, 1);
596         rcu_assign_pointer(current->cred, old);
597         alter_cred_subscribers(override, -1);
598         put_cred(override);
599 }
600 EXPORT_SYMBOL(revert_creds);
601
602 /**
603  * cred_fscmp - Compare two credentials with respect to filesystem access.
604  * @a: The first credential
605  * @b: The second credential
606  *
607  * cred_cmp() will return zero if both credentials have the same
608  * fsuid, fsgid, and supplementary groups.  That is, if they will both
609  * provide the same access to files based on mode/uid/gid.
610  * If the credentials are different, then either -1 or 1 will
611  * be returned depending on whether @a comes before or after @b
612  * respectively in an arbitrary, but stable, ordering of credentials.
613  *
614  * Return: -1, 0, or 1 depending on comparison
615  */
616 int cred_fscmp(const struct cred *a, const struct cred *b)
617 {
618         struct group_info *ga, *gb;
619         int g;
620
621         if (a == b)
622                 return 0;
623         if (uid_lt(a->fsuid, b->fsuid))
624                 return -1;
625         if (uid_gt(a->fsuid, b->fsuid))
626                 return 1;
627
628         if (gid_lt(a->fsgid, b->fsgid))
629                 return -1;
630         if (gid_gt(a->fsgid, b->fsgid))
631                 return 1;
632
633         ga = a->group_info;
634         gb = b->group_info;
635         if (ga == gb)
636                 return 0;
637         if (ga == NULL)
638                 return -1;
639         if (gb == NULL)
640                 return 1;
641         if (ga->ngroups < gb->ngroups)
642                 return -1;
643         if (ga->ngroups > gb->ngroups)
644                 return 1;
645
646         for (g = 0; g < ga->ngroups; g++) {
647                 if (gid_lt(ga->gid[g], gb->gid[g]))
648                         return -1;
649                 if (gid_gt(ga->gid[g], gb->gid[g]))
650                         return 1;
651         }
652         return 0;
653 }
654 EXPORT_SYMBOL(cred_fscmp);
655
656 /*
657  * initialise the credentials stuff
658  */
659 void __init cred_init(void)
660 {
661         /* allocate a slab in which we can store credentials */
662         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
663                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
664 }
665
666 /**
667  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
668  * @daemon: A userspace daemon to be used as a reference
669  *
670  * Prepare a set of credentials for a kernel service.  This can then be used to
671  * override a task's own credentials so that work can be done on behalf of that
672  * task that requires a different subjective context.
673  *
674  * @daemon is used to provide a base for the security record, but can be NULL.
675  * If @daemon is supplied, then the security data will be derived from that;
676  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
677  *
678  * The caller may change these controls afterwards if desired.
679  *
680  * Returns the new credentials or NULL if out of memory.
681  */
682 struct cred *prepare_kernel_cred(struct task_struct *daemon)
683 {
684         const struct cred *old;
685         struct cred *new;
686
687         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
688         if (!new)
689                 return NULL;
690
691         kdebug("prepare_kernel_cred() alloc %p", new);
692
693         if (daemon)
694                 old = get_task_cred(daemon);
695         else
696                 old = get_cred(&init_cred);
697
698         validate_creds(old);
699
700         *new = *old;
701         new->non_rcu = 0;
702         atomic_set(&new->usage, 1);
703         set_cred_subscribers(new, 0);
704         get_uid(new->user);
705         get_user_ns(new->user_ns);
706         get_group_info(new->group_info);
707
708 #ifdef CONFIG_KEYS
709         new->session_keyring = NULL;
710         new->process_keyring = NULL;
711         new->thread_keyring = NULL;
712         new->request_key_auth = NULL;
713         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
714 #endif
715
716 #ifdef CONFIG_SECURITY
717         new->security = NULL;
718 #endif
719         if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
720                 goto error;
721
722         put_cred(old);
723         validate_creds(new);
724         return new;
725
726 error:
727         put_cred(new);
728         put_cred(old);
729         return NULL;
730 }
731 EXPORT_SYMBOL(prepare_kernel_cred);
732
733 /**
734  * set_security_override - Set the security ID in a set of credentials
735  * @new: The credentials to alter
736  * @secid: The LSM security ID to set
737  *
738  * Set the LSM security ID in a set of credentials so that the subjective
739  * security is overridden when an alternative set of credentials is used.
740  */
741 int set_security_override(struct cred *new, u32 secid)
742 {
743         return security_kernel_act_as(new, secid);
744 }
745 EXPORT_SYMBOL(set_security_override);
746
747 /**
748  * set_security_override_from_ctx - Set the security ID in a set of credentials
749  * @new: The credentials to alter
750  * @secctx: The LSM security context to generate the security ID from.
751  *
752  * Set the LSM security ID in a set of credentials so that the subjective
753  * security is overridden when an alternative set of credentials is used.  The
754  * security ID is specified in string form as a security context to be
755  * interpreted by the LSM.
756  */
757 int set_security_override_from_ctx(struct cred *new, const char *secctx)
758 {
759         u32 secid;
760         int ret;
761
762         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
763         if (ret < 0)
764                 return ret;
765
766         return set_security_override(new, secid);
767 }
768 EXPORT_SYMBOL(set_security_override_from_ctx);
769
770 /**
771  * set_create_files_as - Set the LSM file create context in a set of credentials
772  * @new: The credentials to alter
773  * @inode: The inode to take the context from
774  *
775  * Change the LSM file creation context in a set of credentials to be the same
776  * as the object context of the specified inode, so that the new inodes have
777  * the same MAC context as that inode.
778  */
779 int set_create_files_as(struct cred *new, struct inode *inode)
780 {
781         if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
782                 return -EINVAL;
783         new->fsuid = inode->i_uid;
784         new->fsgid = inode->i_gid;
785         return security_kernel_create_files_as(new, inode);
786 }
787 EXPORT_SYMBOL(set_create_files_as);
788
789 #ifdef CONFIG_DEBUG_CREDENTIALS
790
791 bool creds_are_invalid(const struct cred *cred)
792 {
793         if (cred->magic != CRED_MAGIC)
794                 return true;
795         return false;
796 }
797 EXPORT_SYMBOL(creds_are_invalid);
798
799 /*
800  * dump invalid credentials
801  */
802 static void dump_invalid_creds(const struct cred *cred, const char *label,
803                                const struct task_struct *tsk)
804 {
805         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
806                label, cred,
807                cred == &init_cred ? "[init]" : "",
808                cred == tsk->real_cred ? "[real]" : "",
809                cred == tsk->cred ? "[eff]" : "");
810         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
811                cred->magic, cred->put_addr);
812         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
813                atomic_read(&cred->usage),
814                read_cred_subscribers(cred));
815         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
816                 from_kuid_munged(&init_user_ns, cred->uid),
817                 from_kuid_munged(&init_user_ns, cred->euid),
818                 from_kuid_munged(&init_user_ns, cred->suid),
819                 from_kuid_munged(&init_user_ns, cred->fsuid));
820         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
821                 from_kgid_munged(&init_user_ns, cred->gid),
822                 from_kgid_munged(&init_user_ns, cred->egid),
823                 from_kgid_munged(&init_user_ns, cred->sgid),
824                 from_kgid_munged(&init_user_ns, cred->fsgid));
825 #ifdef CONFIG_SECURITY
826         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
827         if ((unsigned long) cred->security >= PAGE_SIZE &&
828             (((unsigned long) cred->security & 0xffffff00) !=
829              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
830                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
831                        ((u32*)cred->security)[0],
832                        ((u32*)cred->security)[1]);
833 #endif
834 }
835
836 /*
837  * report use of invalid credentials
838  */
839 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
840 {
841         printk(KERN_ERR "CRED: Invalid credentials\n");
842         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
843         dump_invalid_creds(cred, "Specified", current);
844         BUG();
845 }
846 EXPORT_SYMBOL(__invalid_creds);
847
848 /*
849  * check the credentials on a process
850  */
851 void __validate_process_creds(struct task_struct *tsk,
852                               const char *file, unsigned line)
853 {
854         if (tsk->cred == tsk->real_cred) {
855                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
856                              creds_are_invalid(tsk->cred)))
857                         goto invalid_creds;
858         } else {
859                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
860                              read_cred_subscribers(tsk->cred) < 1 ||
861                              creds_are_invalid(tsk->real_cred) ||
862                              creds_are_invalid(tsk->cred)))
863                         goto invalid_creds;
864         }
865         return;
866
867 invalid_creds:
868         printk(KERN_ERR "CRED: Invalid process credentials\n");
869         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
870
871         dump_invalid_creds(tsk->real_cred, "Real", tsk);
872         if (tsk->cred != tsk->real_cred)
873                 dump_invalid_creds(tsk->cred, "Effective", tsk);
874         else
875                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
876         BUG();
877 }
878 EXPORT_SYMBOL(__validate_process_creds);
879
880 /*
881  * check creds for do_exit()
882  */
883 void validate_creds_for_do_exit(struct task_struct *tsk)
884 {
885         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
886                tsk->real_cred, tsk->cred,
887                atomic_read(&tsk->cred->usage),
888                read_cred_subscribers(tsk->cred));
889
890         __validate_process_creds(tsk, __FILE__, __LINE__);
891 }
892
893 #endif /* CONFIG_DEBUG_CREDENTIALS */