security/keys/permission.c

1 // SPDX-License-Identifier: GPL-2.0-or-later
13  * key_task_permission - Check a key can be used
15  * @cred: The credentials to use.
18  * Check to see whether permission is granted to use a key in the desired way,
23  * Returns 0 if successful, -EACCES if access is denied based on the
36 		return -EACCES;  in key_task_permission()
37 	case KEY_NEED_UNLINK:  in key_task_permission()
38 	case KEY_SYSADMIN_OVERRIDE:  in key_task_permission()
39 	case KEY_AUTHTOKEN_OVERRIDE:  in key_task_permission()
40 	case KEY_DEFER_PERM_CHECK:  in key_task_permission()
43 	case KEY_NEED_VIEW:	mask = KEY_OTH_VIEW;	break;  in key_task_permission()
44 	case KEY_NEED_READ:	mask = KEY_OTH_READ;	break;  in key_task_permission()
45 	case KEY_NEED_WRITE:	mask = KEY_OTH_WRITE;	break;  in key_task_permission()
46 	case KEY_NEED_SEARCH:	mask = KEY_OTH_SEARCH;	break;  in key_task_permission()
47 	case KEY_NEED_LINK:	mask = KEY_OTH_LINK;	break;  in key_task_permission()
48 	case KEY_NEED_SETATTR:	mask = KEY_OTH_SETATTR;	break;  in key_task_permission()
53 	/* use the second 8-bits of permissions for keys the caller owns */  in key_task_permission()
54 	if (uid_eq(key->uid, cred->fsuid)) {  in key_task_permission()
55 		kperm = key->perm >> 16;  in key_task_permission()
59 	/* use the third 8-bits of permissions for keys the caller has a group  in key_task_permission()
61 	if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) {  in key_task_permission()
62 		if (gid_eq(key->gid, cred->fsgid)) {  in key_task_permission()
63 			kperm = key->perm >> 8;  in key_task_permission()
67 		ret = groups_search(cred->group_info, key->gid);  in key_task_permission()
69 			kperm = key->perm >> 8;  in key_task_permission()
74 	/* otherwise use the least-significant 8-bits */  in key_task_permission()
75 	kperm = key->perm;  in key_task_permission()
79 	/* use the top 8-bits of permissions for keys the caller possesses  in key_task_permission()
80 	 * - possessor permissions are additive with other permissions  in key_task_permission()
83 		kperm |= key->perm >> 24;  in key_task_permission()
86 		return -EACCES;  in key_task_permission()
95  * key_validate - Validate a key.
98  * Check that a key is valid, returning 0 if the key is okay, -ENOKEY if the
99  * key is invalidated, -EKEYREVOKED if the key's type has been removed or if
100  * the key has been revoked or -EKEYEXPIRED if the key has expired.
104 	unsigned long flags = READ_ONCE(key->flags);  in key_validate()
105 	time64_t expiry = READ_ONCE(key->expiry);  in key_validate()
108 		return -ENOKEY;  in key_validate()
113 		return -EKEYREVOKED;  in key_validate()
118 			return -EKEYEXPIRED;  in key_validate()