/* Task credentials management * * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public Licence * as published by the Free Software Foundation; either version * 2 of the Licence, or (at your option) any later version. */ #include #include #include #include #include #include #include /* * The common credentials for the initial task's thread group */ #ifdef CONFIG_KEYS static struct thread_group_cred init_tgcred = { .usage = ATOMIC_INIT(2), .tgid = 0, .lock = SPIN_LOCK_UNLOCKED, }; #endif /* * The initial credentials for the initial task */ struct cred init_cred = { .usage = ATOMIC_INIT(3), .securebits = SECUREBITS_DEFAULT, .cap_inheritable = CAP_INIT_INH_SET, .cap_permitted = CAP_FULL_SET, .cap_effective = CAP_INIT_EFF_SET, .cap_bset = CAP_INIT_BSET, .user = INIT_USER, .group_info = &init_groups, #ifdef CONFIG_KEYS .tgcred = &init_tgcred, #endif }; /* * Dispose of the shared task group credentials */ #ifdef CONFIG_KEYS static void release_tgcred_rcu(struct rcu_head *rcu) { struct thread_group_cred *tgcred = container_of(rcu, struct thread_group_cred, rcu); BUG_ON(atomic_read(&tgcred->usage) != 0); key_put(tgcred->session_keyring); key_put(tgcred->process_keyring); kfree(tgcred); } #endif /* * Release a set of thread group credentials. */ static void release_tgcred(struct cred *cred) { #ifdef CONFIG_KEYS struct thread_group_cred *tgcred = cred->tgcred; if (atomic_dec_and_test(&tgcred->usage)) call_rcu(&tgcred->rcu, release_tgcred_rcu); #endif } /* * The RCU callback to actually dispose of a set of credentials */ static void put_cred_rcu(struct rcu_head *rcu) { struct cred *cred = container_of(rcu, struct cred, rcu); BUG_ON(atomic_read(&cred->usage) != 0); key_put(cred->thread_keyring); key_put(cred->request_key_auth); release_tgcred(cred); put_group_info(cred->group_info); free_uid(cred->user); security_cred_free(cred); kfree(cred); } /** * __put_cred - Destroy a set of credentials * @sec: The record to release * * Destroy a set of credentials on which no references remain. */ void __put_cred(struct cred *cred) { call_rcu(&cred->rcu, put_cred_rcu); } EXPORT_SYMBOL(__put_cred); /* * Copy credentials for the new process created by fork() */ int copy_creds(struct task_struct *p, unsigned long clone_flags) { struct cred *pcred; int ret; pcred = kmemdup(p->cred, sizeof(*p->cred), GFP_KERNEL); if (!pcred) return -ENOMEM; #ifdef CONFIG_KEYS if (clone_flags & CLONE_THREAD) { atomic_inc(&pcred->tgcred->usage); } else { pcred->tgcred = kmalloc(sizeof(struct cred), GFP_KERNEL); if (!pcred->tgcred) { kfree(pcred); return -ENOMEM; } atomic_set(&pcred->tgcred->usage, 1); spin_lock_init(&pcred->tgcred->lock); pcred->tgcred->process_keyring = NULL; pcred->tgcred->session_keyring = key_get(p->cred->tgcred->session_keyring); } #endif #ifdef CONFIG_SECURITY pcred->security = NULL; #endif ret = security_cred_alloc(pcred); if (ret < 0) { release_tgcred(pcred); kfree(pcred); return ret; } atomic_set(&pcred->usage, 1); get_group_info(pcred->group_info); get_uid(pcred->user); key_get(pcred->thread_keyring); key_get(pcred->request_key_auth); atomic_inc(&pcred->user->processes); /* RCU assignment is unneeded here as no-one can have accessed this * pointer yet, barring us */ p->cred = pcred; return 0; }