Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"

This reverts merge 0f75ef6a9cff49ff612f7ce0578bced9d0b38325 (and thus
effectively commits

   7a1ade847596 ("keys: Provide KEYCTL_GRANT_PERMISSION")
   2e12256b9a76 ("keys: Replace uid/gid/perm permissions checking with an ACL")

that the merge brought in).

It turns out that it breaks booting with an encrypted volume, and Eric
biggers reports that it also breaks the fscrypt tests [1] and loading of
in-kernel X.509 certificates [2].

The root cause of all the breakage is likely the same, but David Howells
is off email so rather than try to work it out it's getting reverted in
order to not impact the rest of the merge window.

 [1] https://lore.kernel.org/lkml/20190710011559.GA7973@sol.localdomain/
 [2] https://lore.kernel.org/lkml/20190710013225.GB7973@sol.localdomain/

Link: https://lore.kernel.org/lkml/CAHk-=wjxoeMJfeBahnWH=9zShKp2bsVy527vo3_y8HfOdhwAAw@mail.gmail.com/
Reported-by: Eric Biggers <ebiggers@kernel.org>
Cc: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 36 insertions, 325 deletions

diff --git a/security/keys/permission.c b/security/keys/permission.c
index fd8a5dc6910a..085f907b64ac 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -7,67 +7,13 @@
 
 #include <linux/export.h>
 #include <linux/security.h>
-#include <linux/user_namespace.h>
-#include <linux/uaccess.h>
 #include "internal.h"
 
-struct key_acl default_key_acl = {
-	.usage	= REFCOUNT_INIT(1),
-	.nr_ace	= 2,
-	.possessor_viewable = true,
-	.aces = {
-		KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
-		KEY_OWNER_ACE(KEY_ACE_VIEW),
-	}
-};
-EXPORT_SYMBOL(default_key_acl);
-
-struct key_acl joinable_keyring_acl = {
-	.usage	= REFCOUNT_INIT(1),
-	.nr_ace	= 2,
-	.possessor_viewable = true,
-	.aces	= {
-		KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
-		KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_LINK | KEY_ACE_JOIN),
-	}
-};
-EXPORT_SYMBOL(joinable_keyring_acl);
-
-struct key_acl internal_key_acl = {
-	.usage	= REFCOUNT_INIT(1),
-	.nr_ace	= 2,
-	.aces = {
-		KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
-		KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
-	}
-};
-EXPORT_SYMBOL(internal_key_acl);
-
-struct key_acl internal_keyring_acl = {
-	.usage	= REFCOUNT_INIT(1),
-	.nr_ace	= 2,
-	.aces = {
-		KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
-		KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
-	}
-};
-EXPORT_SYMBOL(internal_keyring_acl);
-
-struct key_acl internal_writable_keyring_acl = {
-	.usage	= REFCOUNT_INIT(1),
-	.nr_ace	= 2,
-	.aces = {
-		KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
-		KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | KEY_ACE_SEARCH),
-	}
-};
-EXPORT_SYMBOL(internal_writable_keyring_acl);
-
 /**
  * key_task_permission - Check a key can be used
  * @key_ref: The key to check.
  * @cred: The credentials to use.
- * @desired_perm: The permission to check for.
+ * @perm: The permissions to check for.
  *
  * Check to see whether permission is granted to use a key in the desired way,
  * but permit the security modules to override.
@@ -78,73 +24,53 @@ EXPORT_SYMBOL(internal_writable_keyring_acl);
  * permissions bits or the LSM check.
  */
 int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
-			unsigned int desired_perm)
+			unsigned perm)
 {
-	const struct key_acl *acl;
-	const struct key *key;
-	unsigned int allow = 0;
-	int i;
-
-	BUILD_BUG_ON(KEY_NEED_VIEW	!= KEY_ACE_VIEW		||
-		     KEY_NEED_READ	!= KEY_ACE_READ		||
-		     KEY_NEED_WRITE	!= KEY_ACE_WRITE	||
-		     KEY_NEED_SEARCH	!= KEY_ACE_SEARCH	||
-		     KEY_NEED_LINK	!= KEY_ACE_LINK		||
-		     KEY_NEED_SETSEC	!= KEY_ACE_SET_SECURITY	||
-		     KEY_NEED_INVAL	!= KEY_ACE_INVAL	||
-		     KEY_NEED_REVOKE	!= KEY_ACE_REVOKE	||
-		     KEY_NEED_JOIN	!= KEY_ACE_JOIN		||
-		     KEY_NEED_CLEAR	!= KEY_ACE_CLEAR);
+	struct key *key;
+	key_perm_t kperm;
+	int ret;
 
 	key = key_ref_to_ptr(key_ref);
 
-	rcu_read_lock();
-
-	acl = rcu_dereference(key->acl);
-	if (!acl || acl->nr_ace == 0)
-		goto no_access_rcu;
+	/* use the second 8-bits of permissions for keys the caller owns */
+	if (uid_eq(key->uid, cred->fsuid)) {
+		kperm = key->perm >> 16;
+		goto use_these_perms;
+	}
 
-	for (i = 0; i < acl->nr_ace; i++) {
-		const struct key_ace *ace = &acl->aces[i];
+	/* use the third 8-bits of permissions for keys the caller has a group
+	 * membership in common with */
+	if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) {
+		if (gid_eq(key->gid, cred->fsgid)) {
+			kperm = key->perm >> 8;
+			goto use_these_perms;
+		}
 
-		switch (ace->type) {
-		case KEY_ACE_SUBJ_STANDARD:
-			switch (ace->subject_id) {
-			case KEY_ACE_POSSESSOR:
-				if (is_key_possessed(key_ref))
-					allow |= ace->perm;
-				break;
-			case KEY_ACE_OWNER:
-				if (uid_eq(key->uid, cred->fsuid))
-					allow |= ace->perm;
-				break;
-			case KEY_ACE_GROUP:
-				if (gid_valid(key->gid)) {
-					if (gid_eq(key->gid, cred->fsgid))
-						allow |= ace->perm;
-					else if (groups_search(cred->group_info, key->gid))
-						allow |= ace->perm;
-				}
-				break;
-			case KEY_ACE_EVERYONE:
-				allow |= ace->perm;
-				break;
-			}
-			break;
+		ret = groups_search(cred->group_info, key->gid);
+		if (ret) {
+			kperm = key->perm >> 8;
+			goto use_these_perms;
 		}
 	}
 
-	rcu_read_unlock();
+	/* otherwise use the least-significant 8-bits */
+	kperm = key->perm;
+
+use_these_perms:
 
-	if (!(allow & desired_perm))
-		goto no_access;
+	/* use the top 8-bits of permissions for keys the caller possesses
+	 * - possessor permissions are additive with other permissions
+	 */
+	if (is_key_possessed(key_ref))
+		kperm |= key->perm >> 24;
 
-	return security_key_permission(key_ref, cred, desired_perm);
+	kperm = kperm & perm & KEY_NEED_ALL;
 
-no_access_rcu:
-	rcu_read_unlock();
-no_access:
-	return -EACCES;
+	if (kperm != perm)
+		return -EACCES;
+
+	/* let LSM be the final arbiter */
+	return security_key_permission(key_ref, cred, perm);
 }
 EXPORT_SYMBOL(key_task_permission);
 
@@ -178,218 +104,3 @@ int key_validate(const struct key *key)
 	return 0;
 }
 EXPORT_SYMBOL(key_validate);
-
-/*
- * Roughly render an ACL to an old-style permissions mask.  We cannot
- * accurately render what the ACL, particularly if it has ACEs that represent
- * subjects outside of { poss, user, group, other }.
- */
-unsigned int key_acl_to_perm(const struct key_acl *acl)
-{
-	unsigned int perm = 0, tperm;
-	int i;
-
-	BUILD_BUG_ON(KEY_OTH_VIEW	!= KEY_ACE_VIEW		||
-		     KEY_OTH_READ	!= KEY_ACE_READ		||
-		     KEY_OTH_WRITE	!= KEY_ACE_WRITE	||
-		     KEY_OTH_SEARCH	!= KEY_ACE_SEARCH	||
-		     KEY_OTH_LINK	!= KEY_ACE_LINK		||
-		     KEY_OTH_SETATTR	!= KEY_ACE_SET_SECURITY);
-
-	if (!acl || acl->nr_ace == 0)
-		return 0;
-
-	for (i = 0; i < acl->nr_ace; i++) {
-		const struct key_ace *ace = &acl->aces[i];
-
-		switch (ace->type) {
-		case KEY_ACE_SUBJ_STANDARD:
-			tperm = ace->perm & KEY_OTH_ALL;
-
-			/* Invalidation and joining were allowed by SEARCH */
-			if (ace->perm & (KEY_ACE_INVAL | KEY_ACE_JOIN))
-				tperm |= KEY_OTH_SEARCH;
-
-			/* Revocation was allowed by either SETATTR or WRITE */
-			if ((ace->perm & KEY_ACE_REVOKE) && !(tperm & KEY_OTH_SETATTR))
-				tperm |= KEY_OTH_WRITE;
-
-			/* Clearing was allowed by WRITE */
-			if (ace->perm & KEY_ACE_CLEAR)
-				tperm |= KEY_OTH_WRITE;
-
-			switch (ace->subject_id) {
-			case KEY_ACE_POSSESSOR:
-				perm |= tperm << 24;
-				break;
-			case KEY_ACE_OWNER:
-				perm |= tperm << 16;
-				break;
-			case KEY_ACE_GROUP:
-				perm |= tperm << 8;
-				break;
-			case KEY_ACE_EVERYONE:
-				perm |= tperm << 0;
-				break;
-			}
-		}
-	}
-
-	return perm;
-}
-
-/*
- * Destroy a key's ACL.
- */
-void key_put_acl(struct key_acl *acl)
-{
-	if (acl && refcount_dec_and_test(&acl->usage))
-		kfree_rcu(acl, rcu);
-}
-
-/*
- * Try to set the ACL.  This either attaches or discards the proposed ACL.
- */
-long key_set_acl(struct key *key, struct key_acl *acl)
-{
-	int i;
-
-	/* If we're not the sysadmin, we can only change a key that we own. */
-	if (!capable(CAP_SYS_ADMIN) && !uid_eq(key->uid, current_fsuid())) {
-		key_put_acl(acl);
-		return -EACCES;
-	}
-
-	for (i = 0; i < acl->nr_ace; i++) {
-		const struct key_ace *ace = &acl->aces[i];
-		if (ace->type == KEY_ACE_SUBJ_STANDARD &&
-		    ace->subject_id == KEY_ACE_POSSESSOR) {
-			if (ace->perm & KEY_ACE_VIEW)
-				acl->possessor_viewable = true;
-			break;
-		}
-	}
-
-	rcu_swap_protected(key->acl, acl, lockdep_is_held(&key->sem));
-	key_put_acl(acl);
-	return 0;
-}
-
-/*
- * Allocate a new ACL with an extra ACE slot.
- */
-static struct key_acl *key_alloc_acl(const struct key_acl *old_acl, int nr, int skip)
-{
-	struct key_acl *acl;
-	int nr_ace, i, j = 0;
-
-	nr_ace = old_acl->nr_ace + nr;
-	if (nr_ace > 16)
-		return ERR_PTR(-EINVAL);
-
-	acl = kzalloc(struct_size(acl, aces, nr_ace), GFP_KERNEL);
-	if (!acl)
-		return ERR_PTR(-ENOMEM);
-
-	refcount_set(&acl->usage, 1);
-	acl->nr_ace = nr_ace;
-	for (i = 0; i < old_acl->nr_ace; i++) {
-		if (i == skip)
-			continue;
-		acl->aces[j] = old_acl->aces[i];
-		j++;
-	}
-	return acl;
-}
-
-/*
- * Generate the revised ACL.
- */
-static long key_change_acl(struct key *key, struct key_ace *new_ace)
-{
-	struct key_acl *acl, *old;
-	int i;
-
-	old = rcu_dereference_protected(key->acl, lockdep_is_held(&key->sem));
-
-	for (i = 0; i < old->nr_ace; i++)
-		if (old->aces[i].type == new_ace->type &&
-		    old->aces[i].subject_id == new_ace->subject_id)
-			goto found_match;
-
-	if (new_ace->perm == 0)
-		return 0; /* No permissions to remove.  Add deny record? */
-
-	acl = key_alloc_acl(old, 1, -1);
-	if (IS_ERR(acl))
-		return PTR_ERR(acl);
-	acl->aces[i] = *new_ace;
-	goto change;
-
-found_match:
-	if (new_ace->perm == 0)
-		goto delete_ace;
-	if (new_ace->perm == old->aces[i].perm)
-		return 0;
-	acl = key_alloc_acl(old, 0, -1);
-	if (IS_ERR(acl))
-		return PTR_ERR(acl);
-	acl->aces[i].perm = new_ace->perm;
-	goto change;
-
-delete_ace:
-	acl = key_alloc_acl(old, -1, i);
-	if (IS_ERR(acl))
-		return PTR_ERR(acl);
-	goto change;
-
-change:
-	return key_set_acl(key, acl);
-}
-
-/*
- * Add, alter or remove (if perm == 0) an ACE in a key's ACL.
- */
-long keyctl_grant_permission(key_serial_t keyid,
-			     enum key_ace_subject_type type,
-			     unsigned int subject,
-			     unsigned int perm)
-{
-	struct key_ace new_ace;
-	struct key *key;
-	key_ref_t key_ref;
-	long ret;
-
-	new_ace.type = type;
-	new_ace.perm = perm;
-
-	switch (type) {
-	case KEY_ACE_SUBJ_STANDARD:
-		if (subject >= nr__key_ace_standard_subject)
-			return -ENOENT;
-		new_ace.subject_id = subject;
-		break;
-
-	default:
-		return -ENOENT;
-	}
-
-	key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_SETSEC);
-	if (IS_ERR(key_ref)) {
-		ret = PTR_ERR(key_ref);
-		goto error;
-	}
-
-	key = key_ref_to_ptr(key_ref);
-
-	down_write(&key->sem);
-
-	/* If we're not the sysadmin, we can only change a key that we own */
-	ret = -EACCES;
-	if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid()))
-		ret = key_change_acl(key, &new_ace);
-	up_write(&key->sem);
-	key_put(key);
-error:
-	return ret;
-}