Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:security\keys\process_keys.c Create Date:2022-07-28 18:22:42
Last Modify:2020-03-12 14:18:49 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:Look up a key ID given us by userspace with a given permissions mask to get* the key it refers to.* Flags can be passed to request that special keyrings be created if referred* to directly, to permit partially constructed keys to be found and to skip

Proto:key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, key_perm_t perm)

Type:key_ref_t

Parameter:

TypeParameterName
key_serial_tid
unsigned longlflags
key_perm_tperm
614  struct keyring_search_context ctx = {cmp = See if the key we're looking at is the target key., Type of lookup for this search. = Direct lookup by description. , flags = (Skip state checks | Search child keyrings also ), }
625  try_again :
626  cred = get_current_cred - Get the current task's subjective credentials* Get the subjective credentials of the current task, pinning them so that* they can't go away. Accessing the current task's credentials directly is* not permitted.()
627  key_ref = ERR_PTR( - ENOKEY)
630  Case id == - key ID for thread-specific keyring
632  If Not (lflags & KEY_LOOKUP_CREATE) Then Go to error
636  If ret < 0 Then
637  key_ref = ERR_PTR(ret)
638  Go to error
640  Go to reget_creds
643  key = keyring private to this thread
644  __key_get(key)
645  key_ref = make_key_ref(key, 1)
646  Break
648  Case id == - key ID for process-specific keyring
650  If Not (lflags & KEY_LOOKUP_CREATE) Then Go to error
654  If ret < 0 Then
655  key_ref = ERR_PTR(ret)
656  Go to error
658  Go to reget_creds
661  key = keyring private to this process
662  __key_get(key)
663  key_ref = make_key_ref(key, 1)
664  Break
666  Case id == - key ID for session-specific keyring
671  If ret < 0 Then Go to error
679  If ret < 0 Then Go to error
681  Go to reget_creds
686  If ret < 0 Then Go to error
688  Go to reget_creds
691  key = keyring inherited over fork
692  __key_get(key)
693  key_ref = make_key_ref(key, 1)
694  Break
696  Case id == - key ID for UID-specific keyring
697  ret = Look up the user and user session keyrings for the current process's UID,* creating them if they don't exist.
698  If ret < 0 Then Go to error
700  key_ref = make_key_ref(key, 1)
701  Break
703  Case id == - key ID for UID-session keyring
704  ret = Look up the user and user session keyrings for the current process's UID,* creating them if they don't exist.
705  If ret < 0 Then Go to error
707  key_ref = make_key_ref(key, 1)
708  Break
710  Case id == - key ID for GID-specific keyring
712  key_ref = ERR_PTR( - EINVAL)
713  Go to error
715  Case id == - key ID for assumed request_key auth key
716  key = assumed request_key authority
717  If Not key Then Go to error
720  __key_get(key)
721  key_ref = make_key_ref(key, 1)
722  Break
724  Case id == - key ID for request_key() dest keyring
725  If Not assumed request_key authority Then Go to error
728  lock for reading
732  key = NULL
733  Else
734  rka = data[0]
735  key = dest_keyring
736  __key_get(key)
738  lease a read lock
739  If Not key Then Go to error
741  key_ref = make_key_ref(key, 1)
742  Break
744  Default
745  key_ref = ERR_PTR( - EINVAL)
746  If id < 1 Then Go to error
749  key = Find a key by its serial number.
750  If IS_ERR(key) Then
752  Go to error
755  key_ref = make_key_ref(key, 0)
758  index_key = index_key
759  Raw match data = key
760  kdebug("check possessed")
761  _read_lock() - mark the beginning of an RCU read-side critical section* When synchronize_rcu() is invoked on one CPU while other CPUs* are within RCU read-side critical sections, then the* synchronize_rcu() is guaranteed to block until after all the other
762  skey_ref = Search the process keyrings attached to the supplied cred for the first* matching key in the manner of search_my_process_keyrings(), but also search* the keys attached to the assumed authorisation key using its credentials if* one is available.
763  _read_unlock() - marks the end of an RCU read-side critical section.* In most situations, rcu_read_unlock() is immune from deadlock.* However, in kernels built with CONFIG_RCU_BOOST, rcu_read_unlock()
764  kdebug("possessed=%p", skey_ref)
766  If Not IS_ERR(skey_ref) Then
768  key_ref = skey_ref
771  Break
776  If lflags & KEY_LOOKUP_FOR_UNLINK Then
777  ret = 0
778  Go to error
781  If Not (lflags & KEY_LOOKUP_PARTIAL) Then
782  ret = wait_for_key_construction - Wait for construction of a key to complete*@key: The key being waited for
785  Go to invalid_key
786  Default
787  If perm Then Go to invalid_key
789  Case ret == 0
790  Break
792  Else if perm Then
793  ret = key_validate - Validate a key.*@key: The key to be validated.* Check that a key is valid, returning 0 if the key is okay, -ENOKEY if the* key is invalidated, -EKEYREVOKED if the key's type has been removed or if
794  If ret < 0 Then Go to invalid_key
798  ret = -EIO
799  If Not (lflags & KEY_LOOKUP_PARTIAL) && key_read_state(key) == KEY_IS_UNINSTANTIATED Then Go to invalid_key
804  ret = key_task_permission - Check a key can be used*@key_ref: The key to check.*@cred: The credentials to use.*@perm: The permissions to check for.* Check to see whether permission is granted to use a key in the desired way,
805  If ret < 0 Then Go to invalid_key
808  last time used for LRU keyring discard = ktime_get_real_seconds - Get the seconds portion of CLOCK_REALTIME* Returns the wall clock seconds since 1970. This replaces the* get_seconds() interface which is not y2038 safe on 32bit systems.
810  error :
811  put_cred - Release a reference to a set of credentials*@cred: The credentials to release* Release a reference to a set of credentials, deleting them when the last ref* is released
812  Return key_ref
814  invalid_key :
815  key_ref_put(key_ref)
816  key_ref = ERR_PTR(ret)
817  Go to error
821  reget_creds :
822  put_cred - Release a reference to a set of credentials*@cred: The credentials to release* Release a reference to a set of credentials, deleting them when the last ref* is released
823  Go to try_again
Caller
NameDescribe
SYSCALL_DEFINE4Search the process keyrings and keyring trees linked from those for a* matching key. Keyrings must have appropriate Search permission to be* searched.* If a key is found, it will be attached to the destination keyring if there's
keyctl_get_keyring_IDGet the ID of the specified process keyring.* The requested keyring must have search permission to be found.* If successful, the ID of the requested keyring will be returned.
keyctl_update_keyUpdate a key's data payload from the given data.* The key must grant the caller Write permission and the key type must support* updating for this to work. A negative key can be positively instantiated* with this call.* If successful, 0 will be returned
keyctl_revoke_keyRevoke a key.* The key must be grant the caller Write or Setattr permission for this to* work. The key type should give up its quota claim when revoked. The key* and any links to the key will be automatically garbage collected after a
keyctl_invalidate_keyInvalidate a key.* The key must be grant the caller Invalidate permission for this to work.* The key and any links to the key will be automatically garbage collected* immediately.* Keys with KEY_FLAG_KEEP set should not be invalidated.
keyctl_keyring_clearClear the specified keyring, creating an empty process keyring if one of the* special keyring IDs is used.* The keyring must grant the caller Write permission and not have* KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned.
keyctl_keyring_linkCreate a link from a keyring to a key if there's no matching key in the* keyring, otherwise replace the link to the matching key with a link to the* new key.* The key must grant the caller Link permission and the the keyring must grant
keyctl_keyring_unlinkUnlink a key from a keyring.* The keyring must grant the caller Write permission for this to work; the key* itself need not grant the caller anything. If the last link to a key is* removed then that key will be scheduled for destruction.
keyctl_keyring_moveMove a link to a key from one keyring to another, displacing any matching* key from the destination keyring.* The key must grant the caller Link permission and both keyrings must grant* the caller Write permission
keyctl_describe_keyReturn a description of a key to userspace
keyctl_keyring_searchSearch the specified keyring and any keyrings it links to for a matching* key
keyctl_read_keyRead a key's payload
keyctl_chown_keyChange the ownership of a key* The key must grant the caller Setattr permission for this to work, though* the key need not be fully instantiated yet. For the UID to be changed, or* for the GID to be changed to a group the caller is not a member of, the
keyctl_setperm_keyChange the permission mask on a key.* The key must grant the caller Setattr permission for this to work, though* the key need not be fully instantiated yet. If the caller does not have
get_instantiation_keyringGet the destination keyring for instantiation and check that the caller has* Write permission on it.
keyctl_set_timeoutSet or clear the timeout on a key.* Either the key must grant the caller Setattr permission or else the caller* must hold an instantiation authorisation token for the key.* The timeout is either 0 to clear the timeout, or a number of seconds from
keyctl_get_securityGet a key's the LSM security label.* The key must grant the caller View permission for this to work.* If there's a buffer, then up to buflen bytes of data will be placed into it.* If successful, the amount of information available will be returned,
keyctl_session_to_parentAttempt to install the calling process's session keyring on the process's* parent process.* The keyring must exist and must grant the caller LINK permission, and the* parent process must be single-threaded and must have the same effective
keyctl_restrict_keyringApply a restriction to a given keyring.* The caller must have Setattr permission to change keyring restrictions.* The requested type name may be a NULL pointer to reject all attempts* to link to the keyring. In this case, _restriction must also be NULL.
keyctl_get_persistentGet the persistent keyring for a specific UID and link it to the nominated* keyring.
dh_data_from_key
keyctl_pkey_params_getInterpret parameters. Callers must always call the free function* on params, even if an error is returned.
SYSCALL_DEFINE5Extract the description of a new key from userspace and either add it as a* new key to the specified keyring or update a matching key in that keyring.* If the description is NULL or an empty string, the key type is asked to* generate one from the payload.