Smack: create a sysfs mount point for smackfs
[~shefty/rdma-dev.git] / security / keys / process_keys.c
1 /* Manage a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <asm/uaccess.h>
22 #include "internal.h"
23
24 /* Session keyring create vs join semaphore */
25 static DEFINE_MUTEX(key_session_mutex);
26
27 /* User keyring creation semaphore */
28 static DEFINE_MUTEX(key_user_keyring_mutex);
29
30 /* The root user's tracking struct */
31 struct key_user root_key_user = {
32         .usage          = ATOMIC_INIT(3),
33         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
34         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
35         .nkeys          = ATOMIC_INIT(2),
36         .nikeys         = ATOMIC_INIT(2),
37         .uid            = 0,
38         .user_ns        = &init_user_ns,
39 };
40
41 /*
42  * Install the user and user session keyrings for the current process's UID.
43  */
44 int install_user_keyrings(void)
45 {
46         struct user_struct *user;
47         const struct cred *cred;
48         struct key *uid_keyring, *session_keyring;
49         key_perm_t user_keyring_perm;
50         char buf[20];
51         int ret;
52
53         user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
54         cred = current_cred();
55         user = cred->user;
56
57         kenter("%p{%u}", user, user->uid);
58
59         if (user->uid_keyring) {
60                 kleave(" = 0 [exist]");
61                 return 0;
62         }
63
64         mutex_lock(&key_user_keyring_mutex);
65         ret = 0;
66
67         if (!user->uid_keyring) {
68                 /* get the UID-specific keyring
69                  * - there may be one in existence already as it may have been
70                  *   pinned by a session, but the user_struct pointing to it
71                  *   may have been destroyed by setuid */
72                 sprintf(buf, "_uid.%u", user->uid);
73
74                 uid_keyring = find_keyring_by_name(buf, true);
75                 if (IS_ERR(uid_keyring)) {
76                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
77                                                     cred, user_keyring_perm,
78                                                     KEY_ALLOC_IN_QUOTA, NULL);
79                         if (IS_ERR(uid_keyring)) {
80                                 ret = PTR_ERR(uid_keyring);
81                                 goto error;
82                         }
83                 }
84
85                 /* get a default session keyring (which might also exist
86                  * already) */
87                 sprintf(buf, "_uid_ses.%u", user->uid);
88
89                 session_keyring = find_keyring_by_name(buf, true);
90                 if (IS_ERR(session_keyring)) {
91                         session_keyring =
92                                 keyring_alloc(buf, user->uid, (gid_t) -1,
93                                               cred, user_keyring_perm,
94                                               KEY_ALLOC_IN_QUOTA, NULL);
95                         if (IS_ERR(session_keyring)) {
96                                 ret = PTR_ERR(session_keyring);
97                                 goto error_release;
98                         }
99
100                         /* we install a link from the user session keyring to
101                          * the user keyring */
102                         ret = key_link(session_keyring, uid_keyring);
103                         if (ret < 0)
104                                 goto error_release_both;
105                 }
106
107                 /* install the keyrings */
108                 user->uid_keyring = uid_keyring;
109                 user->session_keyring = session_keyring;
110         }
111
112         mutex_unlock(&key_user_keyring_mutex);
113         kleave(" = 0");
114         return 0;
115
116 error_release_both:
117         key_put(session_keyring);
118 error_release:
119         key_put(uid_keyring);
120 error:
121         mutex_unlock(&key_user_keyring_mutex);
122         kleave(" = %d", ret);
123         return ret;
124 }
125
126 /*
127  * Install a fresh thread keyring directly to new credentials.  This keyring is
128  * allowed to overrun the quota.
129  */
130 int install_thread_keyring_to_cred(struct cred *new)
131 {
132         struct key *keyring;
133
134         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
135                                 KEY_POS_ALL | KEY_USR_VIEW,
136                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
137         if (IS_ERR(keyring))
138                 return PTR_ERR(keyring);
139
140         new->thread_keyring = keyring;
141         return 0;
142 }
143
144 /*
145  * Install a fresh thread keyring, discarding the old one.
146  */
147 static int install_thread_keyring(void)
148 {
149         struct cred *new;
150         int ret;
151
152         new = prepare_creds();
153         if (!new)
154                 return -ENOMEM;
155
156         BUG_ON(new->thread_keyring);
157
158         ret = install_thread_keyring_to_cred(new);
159         if (ret < 0) {
160                 abort_creds(new);
161                 return ret;
162         }
163
164         return commit_creds(new);
165 }
166
167 /*
168  * Install a process keyring directly to a credentials struct.
169  *
170  * Returns -EEXIST if there was already a process keyring, 0 if one installed,
171  * and other value on any other error
172  */
173 int install_process_keyring_to_cred(struct cred *new)
174 {
175         struct key *keyring;
176
177         if (new->process_keyring)
178                 return -EEXIST;
179
180         keyring = keyring_alloc("_pid", new->uid, new->gid, new,
181                                 KEY_POS_ALL | KEY_USR_VIEW,
182                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
183         if (IS_ERR(keyring))
184                 return PTR_ERR(keyring);
185
186         new->process_keyring = keyring;
187         return 0;
188 }
189
190 /*
191  * Make sure a process keyring is installed for the current process.  The
192  * existing process keyring is not replaced.
193  *
194  * Returns 0 if there is a process keyring by the end of this function, some
195  * error otherwise.
196  */
197 static int install_process_keyring(void)
198 {
199         struct cred *new;
200         int ret;
201
202         new = prepare_creds();
203         if (!new)
204                 return -ENOMEM;
205
206         ret = install_process_keyring_to_cred(new);
207         if (ret < 0) {
208                 abort_creds(new);
209                 return ret != -EEXIST ? ret : 0;
210         }
211
212         return commit_creds(new);
213 }
214
215 /*
216  * Install a session keyring directly to a credentials struct.
217  */
218 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
219 {
220         unsigned long flags;
221         struct key *old;
222
223         might_sleep();
224
225         /* create an empty session keyring */
226         if (!keyring) {
227                 flags = KEY_ALLOC_QUOTA_OVERRUN;
228                 if (cred->session_keyring)
229                         flags = KEY_ALLOC_IN_QUOTA;
230
231                 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
232                                         KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
233                                         flags, NULL);
234                 if (IS_ERR(keyring))
235                         return PTR_ERR(keyring);
236         } else {
237                 atomic_inc(&keyring->usage);
238         }
239
240         /* install the keyring */
241         old = cred->session_keyring;
242         rcu_assign_pointer(cred->session_keyring, keyring);
243
244         if (old)
245                 key_put(old);
246
247         return 0;
248 }
249
250 /*
251  * Install a session keyring, discarding the old one.  If a keyring is not
252  * supplied, an empty one is invented.
253  */
254 static int install_session_keyring(struct key *keyring)
255 {
256         struct cred *new;
257         int ret;
258
259         new = prepare_creds();
260         if (!new)
261                 return -ENOMEM;
262
263         ret = install_session_keyring_to_cred(new, keyring);
264         if (ret < 0) {
265                 abort_creds(new);
266                 return ret;
267         }
268
269         return commit_creds(new);
270 }
271
272 /*
273  * Handle the fsuid changing.
274  */
275 void key_fsuid_changed(struct task_struct *tsk)
276 {
277         /* update the ownership of the thread keyring */
278         BUG_ON(!tsk->cred);
279         if (tsk->cred->thread_keyring) {
280                 down_write(&tsk->cred->thread_keyring->sem);
281                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
282                 up_write(&tsk->cred->thread_keyring->sem);
283         }
284 }
285
286 /*
287  * Handle the fsgid changing.
288  */
289 void key_fsgid_changed(struct task_struct *tsk)
290 {
291         /* update the ownership of the thread keyring */
292         BUG_ON(!tsk->cred);
293         if (tsk->cred->thread_keyring) {
294                 down_write(&tsk->cred->thread_keyring->sem);
295                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
296                 up_write(&tsk->cred->thread_keyring->sem);
297         }
298 }
299
300 /*
301  * Search the process keyrings attached to the supplied cred for the first
302  * matching key.
303  *
304  * The search criteria are the type and the match function.  The description is
305  * given to the match function as a parameter, but doesn't otherwise influence
306  * the search.  Typically the match function will compare the description
307  * parameter to the key's description.
308  *
309  * This can only search keyrings that grant Search permission to the supplied
310  * credentials.  Keyrings linked to searched keyrings will also be searched if
311  * they grant Search permission too.  Keys can only be found if they grant
312  * Search permission to the credentials.
313  *
314  * Returns a pointer to the key with the key usage count incremented if
315  * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
316  * matched negative keys.
317  *
318  * In the case of a successful return, the possession attribute is set on the
319  * returned key reference.
320  */
321 key_ref_t search_my_process_keyrings(struct key_type *type,
322                                      const void *description,
323                                      key_match_func_t match,
324                                      bool no_state_check,
325                                      const struct cred *cred)
326 {
327         key_ref_t key_ref, ret, err;
328
329         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
330          * searchable, but we failed to find a key or we found a negative key;
331          * otherwise we want to return a sample error (probably -EACCES) if
332          * none of the keyrings were searchable
333          *
334          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
335          */
336         key_ref = NULL;
337         ret = NULL;
338         err = ERR_PTR(-EAGAIN);
339
340         /* search the thread keyring first */
341         if (cred->thread_keyring) {
342                 key_ref = keyring_search_aux(
343                         make_key_ref(cred->thread_keyring, 1),
344                         cred, type, description, match, no_state_check);
345                 if (!IS_ERR(key_ref))
346                         goto found;
347
348                 switch (PTR_ERR(key_ref)) {
349                 case -EAGAIN: /* no key */
350                 case -ENOKEY: /* negative key */
351                         ret = key_ref;
352                         break;
353                 default:
354                         err = key_ref;
355                         break;
356                 }
357         }
358
359         /* search the process keyring second */
360         if (cred->process_keyring) {
361                 key_ref = keyring_search_aux(
362                         make_key_ref(cred->process_keyring, 1),
363                         cred, type, description, match, no_state_check);
364                 if (!IS_ERR(key_ref))
365                         goto found;
366
367                 switch (PTR_ERR(key_ref)) {
368                 case -EAGAIN: /* no key */
369                         if (ret)
370                                 break;
371                 case -ENOKEY: /* negative key */
372                         ret = key_ref;
373                         break;
374                 default:
375                         err = key_ref;
376                         break;
377                 }
378         }
379
380         /* search the session keyring */
381         if (cred->session_keyring) {
382                 rcu_read_lock();
383                 key_ref = keyring_search_aux(
384                         make_key_ref(rcu_dereference(cred->session_keyring), 1),
385                         cred, type, description, match, no_state_check);
386                 rcu_read_unlock();
387
388                 if (!IS_ERR(key_ref))
389                         goto found;
390
391                 switch (PTR_ERR(key_ref)) {
392                 case -EAGAIN: /* no key */
393                         if (ret)
394                                 break;
395                 case -ENOKEY: /* negative key */
396                         ret = key_ref;
397                         break;
398                 default:
399                         err = key_ref;
400                         break;
401                 }
402         }
403         /* or search the user-session keyring */
404         else if (cred->user->session_keyring) {
405                 key_ref = keyring_search_aux(
406                         make_key_ref(cred->user->session_keyring, 1),
407                         cred, type, description, match, no_state_check);
408                 if (!IS_ERR(key_ref))
409                         goto found;
410
411                 switch (PTR_ERR(key_ref)) {
412                 case -EAGAIN: /* no key */
413                         if (ret)
414                                 break;
415                 case -ENOKEY: /* negative key */
416                         ret = key_ref;
417                         break;
418                 default:
419                         err = key_ref;
420                         break;
421                 }
422         }
423
424         /* no key - decide on the error we're going to go for */
425         key_ref = ret ? ret : err;
426
427 found:
428         return key_ref;
429 }
430
431 /*
432  * Search the process keyrings attached to the supplied cred for the first
433  * matching key in the manner of search_my_process_keyrings(), but also search
434  * the keys attached to the assumed authorisation key using its credentials if
435  * one is available.
436  *
437  * Return same as search_my_process_keyrings().
438  */
439 key_ref_t search_process_keyrings(struct key_type *type,
440                                   const void *description,
441                                   key_match_func_t match,
442                                   const struct cred *cred)
443 {
444         struct request_key_auth *rka;
445         key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
446
447         might_sleep();
448
449         key_ref = search_my_process_keyrings(type, description, match,
450                                              false, cred);
451         if (!IS_ERR(key_ref))
452                 goto found;
453         err = key_ref;
454
455         /* if this process has an instantiation authorisation key, then we also
456          * search the keyrings of the process mentioned there
457          * - we don't permit access to request_key auth keys via this method
458          */
459         if (cred->request_key_auth &&
460             cred == current_cred() &&
461             type != &key_type_request_key_auth
462             ) {
463                 /* defend against the auth key being revoked */
464                 down_read(&cred->request_key_auth->sem);
465
466                 if (key_validate(cred->request_key_auth) == 0) {
467                         rka = cred->request_key_auth->payload.data;
468
469                         key_ref = search_process_keyrings(type, description,
470                                                           match, rka->cred);
471
472                         up_read(&cred->request_key_auth->sem);
473
474                         if (!IS_ERR(key_ref))
475                                 goto found;
476
477                         ret = key_ref;
478                 } else {
479                         up_read(&cred->request_key_auth->sem);
480                 }
481         }
482
483         /* no key - decide on the error we're going to go for */
484         if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
485                 key_ref = ERR_PTR(-ENOKEY);
486         else if (err == ERR_PTR(-EACCES))
487                 key_ref = ret;
488         else
489                 key_ref = err;
490
491 found:
492         return key_ref;
493 }
494
495 /*
496  * See if the key we're looking at is the target key.
497  */
498 int lookup_user_key_possessed(const struct key *key, const void *target)
499 {
500         return key == target;
501 }
502
503 /*
504  * Look up a key ID given us by userspace with a given permissions mask to get
505  * the key it refers to.
506  *
507  * Flags can be passed to request that special keyrings be created if referred
508  * to directly, to permit partially constructed keys to be found and to skip
509  * validity and permission checks on the found key.
510  *
511  * Returns a pointer to the key with an incremented usage count if successful;
512  * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
513  * to a key or the best found key was a negative key; -EKEYREVOKED or
514  * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
515  * found key doesn't grant the requested permit or the LSM denied access to it;
516  * or -ENOMEM if a special keyring couldn't be created.
517  *
518  * In the case of a successful return, the possession attribute is set on the
519  * returned key reference.
520  */
521 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
522                           key_perm_t perm)
523 {
524         struct request_key_auth *rka;
525         const struct cred *cred;
526         struct key *key;
527         key_ref_t key_ref, skey_ref;
528         int ret;
529
530 try_again:
531         cred = get_current_cred();
532         key_ref = ERR_PTR(-ENOKEY);
533
534         switch (id) {
535         case KEY_SPEC_THREAD_KEYRING:
536                 if (!cred->thread_keyring) {
537                         if (!(lflags & KEY_LOOKUP_CREATE))
538                                 goto error;
539
540                         ret = install_thread_keyring();
541                         if (ret < 0) {
542                                 key_ref = ERR_PTR(ret);
543                                 goto error;
544                         }
545                         goto reget_creds;
546                 }
547
548                 key = cred->thread_keyring;
549                 atomic_inc(&key->usage);
550                 key_ref = make_key_ref(key, 1);
551                 break;
552
553         case KEY_SPEC_PROCESS_KEYRING:
554                 if (!cred->process_keyring) {
555                         if (!(lflags & KEY_LOOKUP_CREATE))
556                                 goto error;
557
558                         ret = install_process_keyring();
559                         if (ret < 0) {
560                                 key_ref = ERR_PTR(ret);
561                                 goto error;
562                         }
563                         goto reget_creds;
564                 }
565
566                 key = cred->process_keyring;
567                 atomic_inc(&key->usage);
568                 key_ref = make_key_ref(key, 1);
569                 break;
570
571         case KEY_SPEC_SESSION_KEYRING:
572                 if (!cred->session_keyring) {
573                         /* always install a session keyring upon access if one
574                          * doesn't exist yet */
575                         ret = install_user_keyrings();
576                         if (ret < 0)
577                                 goto error;
578                         if (lflags & KEY_LOOKUP_CREATE)
579                                 ret = join_session_keyring(NULL);
580                         else
581                                 ret = install_session_keyring(
582                                         cred->user->session_keyring);
583
584                         if (ret < 0)
585                                 goto error;
586                         goto reget_creds;
587                 } else if (cred->session_keyring ==
588                            cred->user->session_keyring &&
589                            lflags & KEY_LOOKUP_CREATE) {
590                         ret = join_session_keyring(NULL);
591                         if (ret < 0)
592                                 goto error;
593                         goto reget_creds;
594                 }
595
596                 rcu_read_lock();
597                 key = rcu_dereference(cred->session_keyring);
598                 atomic_inc(&key->usage);
599                 rcu_read_unlock();
600                 key_ref = make_key_ref(key, 1);
601                 break;
602
603         case KEY_SPEC_USER_KEYRING:
604                 if (!cred->user->uid_keyring) {
605                         ret = install_user_keyrings();
606                         if (ret < 0)
607                                 goto error;
608                 }
609
610                 key = cred->user->uid_keyring;
611                 atomic_inc(&key->usage);
612                 key_ref = make_key_ref(key, 1);
613                 break;
614
615         case KEY_SPEC_USER_SESSION_KEYRING:
616                 if (!cred->user->session_keyring) {
617                         ret = install_user_keyrings();
618                         if (ret < 0)
619                                 goto error;
620                 }
621
622                 key = cred->user->session_keyring;
623                 atomic_inc(&key->usage);
624                 key_ref = make_key_ref(key, 1);
625                 break;
626
627         case KEY_SPEC_GROUP_KEYRING:
628                 /* group keyrings are not yet supported */
629                 key_ref = ERR_PTR(-EINVAL);
630                 goto error;
631
632         case KEY_SPEC_REQKEY_AUTH_KEY:
633                 key = cred->request_key_auth;
634                 if (!key)
635                         goto error;
636
637                 atomic_inc(&key->usage);
638                 key_ref = make_key_ref(key, 1);
639                 break;
640
641         case KEY_SPEC_REQUESTOR_KEYRING:
642                 if (!cred->request_key_auth)
643                         goto error;
644
645                 down_read(&cred->request_key_auth->sem);
646                 if (test_bit(KEY_FLAG_REVOKED,
647                              &cred->request_key_auth->flags)) {
648                         key_ref = ERR_PTR(-EKEYREVOKED);
649                         key = NULL;
650                 } else {
651                         rka = cred->request_key_auth->payload.data;
652                         key = rka->dest_keyring;
653                         atomic_inc(&key->usage);
654                 }
655                 up_read(&cred->request_key_auth->sem);
656                 if (!key)
657                         goto error;
658                 key_ref = make_key_ref(key, 1);
659                 break;
660
661         default:
662                 key_ref = ERR_PTR(-EINVAL);
663                 if (id < 1)
664                         goto error;
665
666                 key = key_lookup(id);
667                 if (IS_ERR(key)) {
668                         key_ref = ERR_CAST(key);
669                         goto error;
670                 }
671
672                 key_ref = make_key_ref(key, 0);
673
674                 /* check to see if we possess the key */
675                 skey_ref = search_process_keyrings(key->type, key,
676                                                    lookup_user_key_possessed,
677                                                    cred);
678
679                 if (!IS_ERR(skey_ref)) {
680                         key_put(key);
681                         key_ref = skey_ref;
682                 }
683
684                 break;
685         }
686
687         /* unlink does not use the nominated key in any way, so can skip all
688          * the permission checks as it is only concerned with the keyring */
689         if (lflags & KEY_LOOKUP_FOR_UNLINK) {
690                 ret = 0;
691                 goto error;
692         }
693
694         if (!(lflags & KEY_LOOKUP_PARTIAL)) {
695                 ret = wait_for_key_construction(key, true);
696                 switch (ret) {
697                 case -ERESTARTSYS:
698                         goto invalid_key;
699                 default:
700                         if (perm)
701                                 goto invalid_key;
702                 case 0:
703                         break;
704                 }
705         } else if (perm) {
706                 ret = key_validate(key);
707                 if (ret < 0)
708                         goto invalid_key;
709         }
710
711         ret = -EIO;
712         if (!(lflags & KEY_LOOKUP_PARTIAL) &&
713             !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
714                 goto invalid_key;
715
716         /* check the permissions */
717         ret = key_task_permission(key_ref, cred, perm);
718         if (ret < 0)
719                 goto invalid_key;
720
721         key->last_used_at = current_kernel_time().tv_sec;
722
723 error:
724         put_cred(cred);
725         return key_ref;
726
727 invalid_key:
728         key_ref_put(key_ref);
729         key_ref = ERR_PTR(ret);
730         goto error;
731
732         /* if we attempted to install a keyring, then it may have caused new
733          * creds to be installed */
734 reget_creds:
735         put_cred(cred);
736         goto try_again;
737 }
738
739 /*
740  * Join the named keyring as the session keyring if possible else attempt to
741  * create a new one of that name and join that.
742  *
743  * If the name is NULL, an empty anonymous keyring will be installed as the
744  * session keyring.
745  *
746  * Named session keyrings are joined with a semaphore held to prevent the
747  * keyrings from going away whilst the attempt is made to going them and also
748  * to prevent a race in creating compatible session keyrings.
749  */
750 long join_session_keyring(const char *name)
751 {
752         const struct cred *old;
753         struct cred *new;
754         struct key *keyring;
755         long ret, serial;
756
757         new = prepare_creds();
758         if (!new)
759                 return -ENOMEM;
760         old = current_cred();
761
762         /* if no name is provided, install an anonymous keyring */
763         if (!name) {
764                 ret = install_session_keyring_to_cred(new, NULL);
765                 if (ret < 0)
766                         goto error;
767
768                 serial = new->session_keyring->serial;
769                 ret = commit_creds(new);
770                 if (ret == 0)
771                         ret = serial;
772                 goto okay;
773         }
774
775         /* allow the user to join or create a named keyring */
776         mutex_lock(&key_session_mutex);
777
778         /* look for an existing keyring of this name */
779         keyring = find_keyring_by_name(name, false);
780         if (PTR_ERR(keyring) == -ENOKEY) {
781                 /* not found - try and create a new one */
782                 keyring = keyring_alloc(
783                         name, old->uid, old->gid, old,
784                         KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
785                         KEY_ALLOC_IN_QUOTA, NULL);
786                 if (IS_ERR(keyring)) {
787                         ret = PTR_ERR(keyring);
788                         goto error2;
789                 }
790         } else if (IS_ERR(keyring)) {
791                 ret = PTR_ERR(keyring);
792                 goto error2;
793         } else if (keyring == new->session_keyring) {
794                 ret = 0;
795                 goto error2;
796         }
797
798         /* we've got a keyring - now to install it */
799         ret = install_session_keyring_to_cred(new, keyring);
800         if (ret < 0)
801                 goto error2;
802
803         commit_creds(new);
804         mutex_unlock(&key_session_mutex);
805
806         ret = keyring->serial;
807         key_put(keyring);
808 okay:
809         return ret;
810
811 error2:
812         mutex_unlock(&key_session_mutex);
813 error:
814         abort_creds(new);
815         return ret;
816 }
817
818 /*
819  * Replace a process's session keyring on behalf of one of its children when
820  * the target  process is about to resume userspace execution.
821  */
822 void key_change_session_keyring(struct callback_head *twork)
823 {
824         const struct cred *old = current_cred();
825         struct cred *new = container_of(twork, struct cred, rcu);
826
827         if (unlikely(current->flags & PF_EXITING)) {
828                 put_cred(new);
829                 return;
830         }
831
832         new->  uid      = old->  uid;
833         new-> euid      = old-> euid;
834         new-> suid      = old-> suid;
835         new->fsuid      = old->fsuid;
836         new->  gid      = old->  gid;
837         new-> egid      = old-> egid;
838         new-> sgid      = old-> sgid;
839         new->fsgid      = old->fsgid;
840         new->user       = get_uid(old->user);
841         new->user_ns    = get_user_ns(new->user_ns);
842         new->group_info = get_group_info(old->group_info);
843
844         new->securebits = old->securebits;
845         new->cap_inheritable    = old->cap_inheritable;
846         new->cap_permitted      = old->cap_permitted;
847         new->cap_effective      = old->cap_effective;
848         new->cap_bset           = old->cap_bset;
849
850         new->jit_keyring        = old->jit_keyring;
851         new->thread_keyring     = key_get(old->thread_keyring);
852         new->process_keyring    = key_get(old->process_keyring);
853
854         security_transfer_creds(new, old);
855
856         commit_creds(new);
857 }