1  /* SPDX-License-Identifier: GPL-2.0-or-later */
2  /* Credentials management - see Documentation/security/credentials.rst
3   *
4   * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
5   * Written by David Howells (dhowells@redhat.com)
6   */
7  
8  #ifndef _LINUX_CRED_H
9  #define _LINUX_CRED_H
10  
11  #include <linux/capability.h>
12  #include <linux/init.h>
13  #include <linux/key.h>
14  #include <linux/atomic.h>
15  #include <linux/refcount.h>
16  #include <linux/uidgid.h>
17  #include <linux/sched.h>
18  #include <linux/sched/user.h>
19  
20  struct cred;
21  struct inode;
22  
23  /*
24   * COW Supplementary groups list
25   */
26  struct group_info {
27  	refcount_t	usage;
28  	int		ngroups;
29  	kgid_t		gid[];
30  } __randomize_layout;
31  
32  /**
33   * get_group_info - Get a reference to a group info structure
34   * @group_info: The group info to reference
35   *
36   * This gets a reference to a set of supplementary groups.
37   *
38   * If the caller is accessing a task's credentials, they must hold the RCU read
39   * lock when reading.
40   */
get_group_info(struct group_info * gi)41  static inline struct group_info *get_group_info(struct group_info *gi)
42  {
43  	refcount_inc(&gi->usage);
44  	return gi;
45  }
46  
47  /**
48   * put_group_info - Release a reference to a group info structure
49   * @group_info: The group info to release
50   */
51  #define put_group_info(group_info)			\
52  do {							\
53  	if (refcount_dec_and_test(&(group_info)->usage))	\
54  		groups_free(group_info);		\
55  } while (0)
56  
57  #ifdef CONFIG_MULTIUSER
58  extern struct group_info *groups_alloc(int);
59  extern void groups_free(struct group_info *);
60  
61  extern int in_group_p(kgid_t);
62  extern int in_egroup_p(kgid_t);
63  extern int groups_search(const struct group_info *, kgid_t);
64  
65  extern int set_current_groups(struct group_info *);
66  extern void set_groups(struct cred *, struct group_info *);
67  extern bool may_setgroups(void);
68  extern void groups_sort(struct group_info *);
69  #else
groups_free(struct group_info * group_info)70  static inline void groups_free(struct group_info *group_info)
71  {
72  }
73  
in_group_p(kgid_t grp)74  static inline int in_group_p(kgid_t grp)
75  {
76          return 1;
77  }
in_egroup_p(kgid_t grp)78  static inline int in_egroup_p(kgid_t grp)
79  {
80          return 1;
81  }
groups_search(const struct group_info * group_info,kgid_t grp)82  static inline int groups_search(const struct group_info *group_info, kgid_t grp)
83  {
84  	return 1;
85  }
86  #endif
87  
88  /*
89   * The security context of a task
90   *
91   * The parts of the context break down into two categories:
92   *
93   *  (1) The objective context of a task.  These parts are used when some other
94   *	task is attempting to affect this one.
95   *
96   *  (2) The subjective context.  These details are used when the task is acting
97   *	upon another object, be that a file, a task, a key or whatever.
98   *
99   * Note that some members of this structure belong to both categories - the
100   * LSM security pointer for instance.
101   *
102   * A task has two security pointers.  task->real_cred points to the objective
103   * context that defines that task's actual details.  The objective part of this
104   * context is used whenever that task is acted upon.
105   *
106   * task->cred points to the subjective context that defines the details of how
107   * that task is going to act upon another object.  This may be overridden
108   * temporarily to point to another security context, but normally points to the
109   * same context as task->real_cred.
110   */
111  struct cred {
112  	atomic_long_t	usage;
113  	kuid_t		uid;		/* real UID of the task */
114  	kgid_t		gid;		/* real GID of the task */
115  	kuid_t		suid;		/* saved UID of the task */
116  	kgid_t		sgid;		/* saved GID of the task */
117  	kuid_t		euid;		/* effective UID of the task */
118  	kgid_t		egid;		/* effective GID of the task */
119  	kuid_t		fsuid;		/* UID for VFS ops */
120  	kgid_t		fsgid;		/* GID for VFS ops */
121  	unsigned	securebits;	/* SUID-less security management */
122  	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
123  	kernel_cap_t	cap_permitted;	/* caps we're permitted */
124  	kernel_cap_t	cap_effective;	/* caps we can actually use */
125  	kernel_cap_t	cap_bset;	/* capability bounding set */
126  	kernel_cap_t	cap_ambient;	/* Ambient capability set */
127  #ifdef CONFIG_KEYS
128  	unsigned char	jit_keyring;	/* default keyring to attach requested
129  					 * keys to */
130  	struct key	*session_keyring; /* keyring inherited over fork */
131  	struct key	*process_keyring; /* keyring private to this process */
132  	struct key	*thread_keyring; /* keyring private to this thread */
133  	struct key	*request_key_auth; /* assumed request_key authority */
134  #endif
135  #ifdef CONFIG_SECURITY
136  	void		*security;	/* LSM security */
137  #endif
138  	struct user_struct *user;	/* real user ID subscription */
139  	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
140  	struct ucounts *ucounts;
141  	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
142  	/* RCU deletion */
143  	union {
144  		int non_rcu;			/* Can we skip RCU deletion? */
145  		struct rcu_head	rcu;		/* RCU deletion hook */
146  	};
147  } __randomize_layout;
148  
149  extern void __put_cred(struct cred *);
150  extern void exit_creds(struct task_struct *);
151  extern int copy_creds(struct task_struct *, unsigned long);
152  extern const struct cred *get_task_cred(struct task_struct *);
153  extern struct cred *cred_alloc_blank(void);
154  extern struct cred *prepare_creds(void);
155  extern struct cred *prepare_exec_creds(void);
156  extern int commit_creds(struct cred *);
157  extern void abort_creds(struct cred *);
158  extern const struct cred *override_creds(const struct cred *);
159  extern void revert_creds(const struct cred *);
160  extern struct cred *prepare_kernel_cred(struct task_struct *);
161  extern int set_security_override(struct cred *, u32);
162  extern int set_security_override_from_ctx(struct cred *, const char *);
163  extern int set_create_files_as(struct cred *, struct inode *);
164  extern int cred_fscmp(const struct cred *, const struct cred *);
165  extern void __init cred_init(void);
166  extern int set_cred_ucounts(struct cred *);
167  
cap_ambient_invariant_ok(const struct cred * cred)168  static inline bool cap_ambient_invariant_ok(const struct cred *cred)
169  {
170  	return cap_issubset(cred->cap_ambient,
171  			    cap_intersect(cred->cap_permitted,
172  					  cred->cap_inheritable));
173  }
174  
175  /**
176   * get_new_cred_many - Get references on a new set of credentials
177   * @cred: The new credentials to reference
178   * @nr: Number of references to acquire
179   *
180   * Get references on the specified set of new credentials.  The caller must
181   * release all acquired references.
182   */
get_new_cred_many(struct cred * cred,int nr)183  static inline struct cred *get_new_cred_many(struct cred *cred, int nr)
184  {
185  	atomic_long_add(nr, &cred->usage);
186  	return cred;
187  }
188  
189  /**
190   * get_new_cred - Get a reference on a new set of credentials
191   * @cred: The new credentials to reference
192   *
193   * Get a reference on the specified set of new credentials.  The caller must
194   * release the reference.
195   */
get_new_cred(struct cred * cred)196  static inline struct cred *get_new_cred(struct cred *cred)
197  {
198  	return get_new_cred_many(cred, 1);
199  }
200  
201  /**
202   * get_cred_many - Get references on a set of credentials
203   * @cred: The credentials to reference
204   * @nr: Number of references to acquire
205   *
206   * Get references on the specified set of credentials.  The caller must release
207   * all acquired reference.  If %NULL is passed, it is returned with no action.
208   *
209   * This is used to deal with a committed set of credentials.  Although the
210   * pointer is const, this will temporarily discard the const and increment the
211   * usage count.  The purpose of this is to attempt to catch at compile time the
212   * accidental alteration of a set of credentials that should be considered
213   * immutable.
214   */
get_cred_many(const struct cred * cred,int nr)215  static inline const struct cred *get_cred_many(const struct cred *cred, int nr)
216  {
217  	struct cred *nonconst_cred = (struct cred *) cred;
218  	if (!cred)
219  		return cred;
220  	nonconst_cred->non_rcu = 0;
221  	return get_new_cred_many(nonconst_cred, nr);
222  }
223  
224  /*
225   * get_cred - Get a reference on a set of credentials
226   * @cred: The credentials to reference
227   *
228   * Get a reference on the specified set of credentials.  The caller must
229   * release the reference.  If %NULL is passed, it is returned with no action.
230   *
231   * This is used to deal with a committed set of credentials.
232   */
get_cred(const struct cred * cred)233  static inline const struct cred *get_cred(const struct cred *cred)
234  {
235  	return get_cred_many(cred, 1);
236  }
237  
get_cred_rcu(const struct cred * cred)238  static inline const struct cred *get_cred_rcu(const struct cred *cred)
239  {
240  	struct cred *nonconst_cred = (struct cred *) cred;
241  	if (!cred)
242  		return NULL;
243  	if (!atomic_long_inc_not_zero(&nonconst_cred->usage))
244  		return NULL;
245  	nonconst_cred->non_rcu = 0;
246  	return cred;
247  }
248  
249  /**
250   * put_cred - Release a reference to a set of credentials
251   * @cred: The credentials to release
252   * @nr: Number of references to release
253   *
254   * Release a reference to a set of credentials, deleting them when the last ref
255   * is released.  If %NULL is passed, nothing is done.
256   *
257   * This takes a const pointer to a set of credentials because the credentials
258   * on task_struct are attached by const pointers to prevent accidental
259   * alteration of otherwise immutable credential sets.
260   */
put_cred_many(const struct cred * _cred,int nr)261  static inline void put_cred_many(const struct cred *_cred, int nr)
262  {
263  	struct cred *cred = (struct cred *) _cred;
264  
265  	if (cred) {
266  		if (atomic_long_sub_and_test(nr, &cred->usage))
267  			__put_cred(cred);
268  	}
269  }
270  
271  /*
272   * put_cred - Release a reference to a set of credentials
273   * @cred: The credentials to release
274   *
275   * Release a reference to a set of credentials, deleting them when the last ref
276   * is released.  If %NULL is passed, nothing is done.
277   */
put_cred(const struct cred * cred)278  static inline void put_cred(const struct cred *cred)
279  {
280  	put_cred_many(cred, 1);
281  }
282  
283  /**
284   * current_cred - Access the current task's subjective credentials
285   *
286   * Access the subjective credentials of the current task.  RCU-safe,
287   * since nobody else can modify it.
288   */
289  #define current_cred() \
290  	rcu_dereference_protected(current->cred, 1)
291  
292  /**
293   * current_real_cred - Access the current task's objective credentials
294   *
295   * Access the objective credentials of the current task.  RCU-safe,
296   * since nobody else can modify it.
297   */
298  #define current_real_cred() \
299  	rcu_dereference_protected(current->real_cred, 1)
300  
301  /**
302   * __task_cred - Access a task's objective credentials
303   * @task: The task to query
304   *
305   * Access the objective credentials of a task.  The caller must hold the RCU
306   * readlock.
307   *
308   * The result of this function should not be passed directly to get_cred();
309   * rather get_task_cred() should be used instead.
310   */
311  #define __task_cred(task)	\
312  	rcu_dereference((task)->real_cred)
313  
314  /**
315   * get_current_cred - Get the current task's subjective credentials
316   *
317   * Get the subjective credentials of the current task, pinning them so that
318   * they can't go away.  Accessing the current task's credentials directly is
319   * not permitted.
320   */
321  #define get_current_cred()				\
322  	(get_cred(current_cred()))
323  
324  /**
325   * get_current_user - Get the current task's user_struct
326   *
327   * Get the user record of the current task, pinning it so that it can't go
328   * away.
329   */
330  #define get_current_user()				\
331  ({							\
332  	struct user_struct *__u;			\
333  	const struct cred *__cred;			\
334  	__cred = current_cred();			\
335  	__u = get_uid(__cred->user);			\
336  	__u;						\
337  })
338  
339  /**
340   * get_current_groups - Get the current task's supplementary group list
341   *
342   * Get the supplementary group list of the current task, pinning it so that it
343   * can't go away.
344   */
345  #define get_current_groups()				\
346  ({							\
347  	struct group_info *__groups;			\
348  	const struct cred *__cred;			\
349  	__cred = current_cred();			\
350  	__groups = get_group_info(__cred->group_info);	\
351  	__groups;					\
352  })
353  
354  #define task_cred_xxx(task, xxx)			\
355  ({							\
356  	__typeof__(((struct cred *)NULL)->xxx) ___val;	\
357  	rcu_read_lock();				\
358  	___val = __task_cred((task))->xxx;		\
359  	rcu_read_unlock();				\
360  	___val;						\
361  })
362  
363  #define task_uid(task)		(task_cred_xxx((task), uid))
364  #define task_euid(task)		(task_cred_xxx((task), euid))
365  #define task_ucounts(task)	(task_cred_xxx((task), ucounts))
366  
367  #define current_cred_xxx(xxx)			\
368  ({						\
369  	current_cred()->xxx;			\
370  })
371  
372  #define current_uid()		(current_cred_xxx(uid))
373  #define current_gid()		(current_cred_xxx(gid))
374  #define current_euid()		(current_cred_xxx(euid))
375  #define current_egid()		(current_cred_xxx(egid))
376  #define current_suid()		(current_cred_xxx(suid))
377  #define current_sgid()		(current_cred_xxx(sgid))
378  #define current_fsuid() 	(current_cred_xxx(fsuid))
379  #define current_fsgid() 	(current_cred_xxx(fsgid))
380  #define current_cap()		(current_cred_xxx(cap_effective))
381  #define current_user()		(current_cred_xxx(user))
382  #define current_ucounts()	(current_cred_xxx(ucounts))
383  
384  extern struct user_namespace init_user_ns;
385  #ifdef CONFIG_USER_NS
386  #define current_user_ns()	(current_cred_xxx(user_ns))
387  #else
current_user_ns(void)388  static inline struct user_namespace *current_user_ns(void)
389  {
390  	return &init_user_ns;
391  }
392  #endif
393  
394  
395  #define current_uid_gid(_uid, _gid)		\
396  do {						\
397  	const struct cred *__cred;		\
398  	__cred = current_cred();		\
399  	*(_uid) = __cred->uid;			\
400  	*(_gid) = __cred->gid;			\
401  } while(0)
402  
403  #define current_euid_egid(_euid, _egid)		\
404  do {						\
405  	const struct cred *__cred;		\
406  	__cred = current_cred();		\
407  	*(_euid) = __cred->euid;		\
408  	*(_egid) = __cred->egid;		\
409  } while(0)
410  
411  #define current_fsuid_fsgid(_fsuid, _fsgid)	\
412  do {						\
413  	const struct cred *__cred;		\
414  	__cred = current_cred();		\
415  	*(_fsuid) = __cred->fsuid;		\
416  	*(_fsgid) = __cred->fsgid;		\
417  } while(0)
418  
419  #endif /* _LINUX_CRED_H */
420