]> git.kernelconcepts.de Git - karo-tx-linux.git/blob - kernel/cred.c
freezer: clean up freeze_processes() failure path
[karo-tx-linux.git] / kernel / cred.c
1 /* Task credentials management - see Documentation/security/credentials.txt
2  *
3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public Licence
8  * as published by the Free Software Foundation; either version
9  * 2 of the Licence, or (at your option) any later version.
10  */
11 #include <linux/export.h>
12 #include <linux/cred.h>
13 #include <linux/slab.h>
14 #include <linux/sched.h>
15 #include <linux/key.h>
16 #include <linux/keyctl.h>
17 #include <linux/init_task.h>
18 #include <linux/security.h>
19 #include <linux/cn_proc.h>
20
21 #if 0
22 #define kdebug(FMT, ...) \
23         printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
24 #else
25 #define kdebug(FMT, ...) \
26         no_printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
27 #endif
28
29 static struct kmem_cache *cred_jar;
30
31 /*
32  * The common credentials for the initial task's thread group
33  */
34 #ifdef CONFIG_KEYS
35 static struct thread_group_cred init_tgcred = {
36         .usage  = ATOMIC_INIT(2),
37         .tgid   = 0,
38         .lock   = __SPIN_LOCK_UNLOCKED(init_cred.tgcred.lock),
39 };
40 #endif
41
42 /*
43  * The initial credentials for the initial task
44  */
45 struct cred init_cred = {
46         .usage                  = ATOMIC_INIT(4),
47 #ifdef CONFIG_DEBUG_CREDENTIALS
48         .subscribers            = ATOMIC_INIT(2),
49         .magic                  = CRED_MAGIC,
50 #endif
51         .securebits             = SECUREBITS_DEFAULT,
52         .cap_inheritable        = CAP_EMPTY_SET,
53         .cap_permitted          = CAP_FULL_SET,
54         .cap_effective          = CAP_FULL_SET,
55         .cap_bset               = CAP_FULL_SET,
56         .user                   = INIT_USER,
57         .user_ns                = &init_user_ns,
58         .group_info             = &init_groups,
59 #ifdef CONFIG_KEYS
60         .tgcred                 = &init_tgcred,
61 #endif
62 };
63
64 static inline void set_cred_subscribers(struct cred *cred, int n)
65 {
66 #ifdef CONFIG_DEBUG_CREDENTIALS
67         atomic_set(&cred->subscribers, n);
68 #endif
69 }
70
71 static inline int read_cred_subscribers(const struct cred *cred)
72 {
73 #ifdef CONFIG_DEBUG_CREDENTIALS
74         return atomic_read(&cred->subscribers);
75 #else
76         return 0;
77 #endif
78 }
79
80 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
81 {
82 #ifdef CONFIG_DEBUG_CREDENTIALS
83         struct cred *cred = (struct cred *) _cred;
84
85         atomic_add(n, &cred->subscribers);
86 #endif
87 }
88
89 /*
90  * Dispose of the shared task group credentials
91  */
92 #ifdef CONFIG_KEYS
93 static void release_tgcred_rcu(struct rcu_head *rcu)
94 {
95         struct thread_group_cred *tgcred =
96                 container_of(rcu, struct thread_group_cred, rcu);
97
98         BUG_ON(atomic_read(&tgcred->usage) != 0);
99
100         key_put(tgcred->session_keyring);
101         key_put(tgcred->process_keyring);
102         kfree(tgcred);
103 }
104 #endif
105
106 /*
107  * Release a set of thread group credentials.
108  */
109 static void release_tgcred(struct cred *cred)
110 {
111 #ifdef CONFIG_KEYS
112         struct thread_group_cred *tgcred = cred->tgcred;
113
114         if (atomic_dec_and_test(&tgcred->usage))
115                 call_rcu(&tgcred->rcu, release_tgcred_rcu);
116 #endif
117 }
118
119 /*
120  * The RCU callback to actually dispose of a set of credentials
121  */
122 static void put_cred_rcu(struct rcu_head *rcu)
123 {
124         struct cred *cred = container_of(rcu, struct cred, rcu);
125
126         kdebug("put_cred_rcu(%p)", cred);
127
128 #ifdef CONFIG_DEBUG_CREDENTIALS
129         if (cred->magic != CRED_MAGIC_DEAD ||
130             atomic_read(&cred->usage) != 0 ||
131             read_cred_subscribers(cred) != 0)
132                 panic("CRED: put_cred_rcu() sees %p with"
133                       " mag %x, put %p, usage %d, subscr %d\n",
134                       cred, cred->magic, cred->put_addr,
135                       atomic_read(&cred->usage),
136                       read_cred_subscribers(cred));
137 #else
138         if (atomic_read(&cred->usage) != 0)
139                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
140                       cred, atomic_read(&cred->usage));
141 #endif
142
143         security_cred_free(cred);
144         key_put(cred->thread_keyring);
145         key_put(cred->request_key_auth);
146         release_tgcred(cred);
147         if (cred->group_info)
148                 put_group_info(cred->group_info);
149         free_uid(cred->user);
150         kmem_cache_free(cred_jar, cred);
151 }
152
153 /**
154  * __put_cred - Destroy a set of credentials
155  * @cred: The record to release
156  *
157  * Destroy a set of credentials on which no references remain.
158  */
159 void __put_cred(struct cred *cred)
160 {
161         kdebug("__put_cred(%p{%d,%d})", cred,
162                atomic_read(&cred->usage),
163                read_cred_subscribers(cred));
164
165         BUG_ON(atomic_read(&cred->usage) != 0);
166 #ifdef CONFIG_DEBUG_CREDENTIALS
167         BUG_ON(read_cred_subscribers(cred) != 0);
168         cred->magic = CRED_MAGIC_DEAD;
169         cred->put_addr = __builtin_return_address(0);
170 #endif
171         BUG_ON(cred == current->cred);
172         BUG_ON(cred == current->real_cred);
173
174         call_rcu(&cred->rcu, put_cred_rcu);
175 }
176 EXPORT_SYMBOL(__put_cred);
177
178 /*
179  * Clean up a task's credentials when it exits
180  */
181 void exit_creds(struct task_struct *tsk)
182 {
183         struct cred *cred;
184
185         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
186                atomic_read(&tsk->cred->usage),
187                read_cred_subscribers(tsk->cred));
188
189         cred = (struct cred *) tsk->real_cred;
190         tsk->real_cred = NULL;
191         validate_creds(cred);
192         alter_cred_subscribers(cred, -1);
193         put_cred(cred);
194
195         cred = (struct cred *) tsk->cred;
196         tsk->cred = NULL;
197         validate_creds(cred);
198         alter_cred_subscribers(cred, -1);
199         put_cred(cred);
200
201         cred = (struct cred *) tsk->replacement_session_keyring;
202         if (cred) {
203                 tsk->replacement_session_keyring = NULL;
204                 validate_creds(cred);
205                 put_cred(cred);
206         }
207 }
208
209 /**
210  * get_task_cred - Get another task's objective credentials
211  * @task: The task to query
212  *
213  * Get the objective credentials of a task, pinning them so that they can't go
214  * away.  Accessing a task's credentials directly is not permitted.
215  *
216  * The caller must also make sure task doesn't get deleted, either by holding a
217  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
218  */
219 const struct cred *get_task_cred(struct task_struct *task)
220 {
221         const struct cred *cred;
222
223         rcu_read_lock();
224
225         do {
226                 cred = __task_cred((task));
227                 BUG_ON(!cred);
228         } while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
229
230         rcu_read_unlock();
231         return cred;
232 }
233
234 /*
235  * Allocate blank credentials, such that the credentials can be filled in at a
236  * later date without risk of ENOMEM.
237  */
238 struct cred *cred_alloc_blank(void)
239 {
240         struct cred *new;
241
242         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
243         if (!new)
244                 return NULL;
245
246 #ifdef CONFIG_KEYS
247         new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
248         if (!new->tgcred) {
249                 kmem_cache_free(cred_jar, new);
250                 return NULL;
251         }
252         atomic_set(&new->tgcred->usage, 1);
253 #endif
254
255         atomic_set(&new->usage, 1);
256 #ifdef CONFIG_DEBUG_CREDENTIALS
257         new->magic = CRED_MAGIC;
258 #endif
259
260         if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
261                 goto error;
262
263         return new;
264
265 error:
266         abort_creds(new);
267         return NULL;
268 }
269
270 /**
271  * prepare_creds - Prepare a new set of credentials for modification
272  *
273  * Prepare a new set of task credentials for modification.  A task's creds
274  * shouldn't generally be modified directly, therefore this function is used to
275  * prepare a new copy, which the caller then modifies and then commits by
276  * calling commit_creds().
277  *
278  * Preparation involves making a copy of the objective creds for modification.
279  *
280  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
281  *
282  * Call commit_creds() or abort_creds() to clean up.
283  */
284 struct cred *prepare_creds(void)
285 {
286         struct task_struct *task = current;
287         const struct cred *old;
288         struct cred *new;
289
290         validate_process_creds();
291
292         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
293         if (!new)
294                 return NULL;
295
296         kdebug("prepare_creds() alloc %p", new);
297
298         old = task->cred;
299         memcpy(new, old, sizeof(struct cred));
300
301         atomic_set(&new->usage, 1);
302         set_cred_subscribers(new, 0);
303         get_group_info(new->group_info);
304         get_uid(new->user);
305
306 #ifdef CONFIG_KEYS
307         key_get(new->thread_keyring);
308         key_get(new->request_key_auth);
309         atomic_inc(&new->tgcred->usage);
310 #endif
311
312 #ifdef CONFIG_SECURITY
313         new->security = NULL;
314 #endif
315
316         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
317                 goto error;
318         validate_creds(new);
319         return new;
320
321 error:
322         abort_creds(new);
323         return NULL;
324 }
325 EXPORT_SYMBOL(prepare_creds);
326
327 /*
328  * Prepare credentials for current to perform an execve()
329  * - The caller must hold ->cred_guard_mutex
330  */
331 struct cred *prepare_exec_creds(void)
332 {
333         struct thread_group_cred *tgcred = NULL;
334         struct cred *new;
335
336 #ifdef CONFIG_KEYS
337         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
338         if (!tgcred)
339                 return NULL;
340 #endif
341
342         new = prepare_creds();
343         if (!new) {
344                 kfree(tgcred);
345                 return new;
346         }
347
348 #ifdef CONFIG_KEYS
349         /* newly exec'd tasks don't get a thread keyring */
350         key_put(new->thread_keyring);
351         new->thread_keyring = NULL;
352
353         /* create a new per-thread-group creds for all this set of threads to
354          * share */
355         memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
356
357         atomic_set(&tgcred->usage, 1);
358         spin_lock_init(&tgcred->lock);
359
360         /* inherit the session keyring; new process keyring */
361         key_get(tgcred->session_keyring);
362         tgcred->process_keyring = NULL;
363
364         release_tgcred(new);
365         new->tgcred = tgcred;
366 #endif
367
368         return new;
369 }
370
371 /*
372  * Copy credentials for the new process created by fork()
373  *
374  * We share if we can, but under some circumstances we have to generate a new
375  * set.
376  *
377  * The new process gets the current process's subjective credentials as its
378  * objective and subjective credentials
379  */
380 int copy_creds(struct task_struct *p, unsigned long clone_flags)
381 {
382 #ifdef CONFIG_KEYS
383         struct thread_group_cred *tgcred;
384 #endif
385         struct cred *new;
386         int ret;
387
388         if (
389 #ifdef CONFIG_KEYS
390                 !p->cred->thread_keyring &&
391 #endif
392                 clone_flags & CLONE_THREAD
393             ) {
394                 p->real_cred = get_cred(p->cred);
395                 get_cred(p->cred);
396                 alter_cred_subscribers(p->cred, 2);
397                 kdebug("share_creds(%p{%d,%d})",
398                        p->cred, atomic_read(&p->cred->usage),
399                        read_cred_subscribers(p->cred));
400                 atomic_inc(&p->cred->user->processes);
401                 return 0;
402         }
403
404         new = prepare_creds();
405         if (!new)
406                 return -ENOMEM;
407
408         if (clone_flags & CLONE_NEWUSER) {
409                 ret = create_user_ns(new);
410                 if (ret < 0)
411                         goto error_put;
412         }
413
414         /* cache user_ns in cred.  Doesn't need a refcount because it will
415          * stay pinned by cred->user
416          */
417         new->user_ns = new->user->user_ns;
418
419 #ifdef CONFIG_KEYS
420         /* new threads get their own thread keyrings if their parent already
421          * had one */
422         if (new->thread_keyring) {
423                 key_put(new->thread_keyring);
424                 new->thread_keyring = NULL;
425                 if (clone_flags & CLONE_THREAD)
426                         install_thread_keyring_to_cred(new);
427         }
428
429         /* we share the process and session keyrings between all the threads in
430          * a process - this is slightly icky as we violate COW credentials a
431          * bit */
432         if (!(clone_flags & CLONE_THREAD)) {
433                 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
434                 if (!tgcred) {
435                         ret = -ENOMEM;
436                         goto error_put;
437                 }
438                 atomic_set(&tgcred->usage, 1);
439                 spin_lock_init(&tgcred->lock);
440                 tgcred->process_keyring = NULL;
441                 tgcred->session_keyring = key_get(new->tgcred->session_keyring);
442
443                 release_tgcred(new);
444                 new->tgcred = tgcred;
445         }
446 #endif
447
448         atomic_inc(&new->user->processes);
449         p->cred = p->real_cred = get_cred(new);
450         alter_cred_subscribers(new, 2);
451         validate_creds(new);
452         return 0;
453
454 error_put:
455         put_cred(new);
456         return ret;
457 }
458
459 /**
460  * commit_creds - Install new credentials upon the current task
461  * @new: The credentials to be assigned
462  *
463  * Install a new set of credentials to the current task, using RCU to replace
464  * the old set.  Both the objective and the subjective credentials pointers are
465  * updated.  This function may not be called if the subjective credentials are
466  * in an overridden state.
467  *
468  * This function eats the caller's reference to the new credentials.
469  *
470  * Always returns 0 thus allowing this function to be tail-called at the end
471  * of, say, sys_setgid().
472  */
473 int commit_creds(struct cred *new)
474 {
475         struct task_struct *task = current;
476         const struct cred *old = task->real_cred;
477
478         kdebug("commit_creds(%p{%d,%d})", new,
479                atomic_read(&new->usage),
480                read_cred_subscribers(new));
481
482         BUG_ON(task->cred != old);
483 #ifdef CONFIG_DEBUG_CREDENTIALS
484         BUG_ON(read_cred_subscribers(old) < 2);
485         validate_creds(old);
486         validate_creds(new);
487 #endif
488         BUG_ON(atomic_read(&new->usage) < 1);
489
490         get_cred(new); /* we will require a ref for the subj creds too */
491
492         /* dumpability changes */
493         if (old->euid != new->euid ||
494             old->egid != new->egid ||
495             old->fsuid != new->fsuid ||
496             old->fsgid != new->fsgid ||
497             !cap_issubset(new->cap_permitted, old->cap_permitted)) {
498                 if (task->mm)
499                         set_dumpable(task->mm, suid_dumpable);
500                 task->pdeath_signal = 0;
501                 smp_wmb();
502         }
503
504         /* alter the thread keyring */
505         if (new->fsuid != old->fsuid)
506                 key_fsuid_changed(task);
507         if (new->fsgid != old->fsgid)
508                 key_fsgid_changed(task);
509
510         /* do it
511          * RLIMIT_NPROC limits on user->processes have already been checked
512          * in set_user().
513          */
514         alter_cred_subscribers(new, 2);
515         if (new->user != old->user)
516                 atomic_inc(&new->user->processes);
517         rcu_assign_pointer(task->real_cred, new);
518         rcu_assign_pointer(task->cred, new);
519         if (new->user != old->user)
520                 atomic_dec(&old->user->processes);
521         alter_cred_subscribers(old, -2);
522
523         /* send notifications */
524         if (new->uid   != old->uid  ||
525             new->euid  != old->euid ||
526             new->suid  != old->suid ||
527             new->fsuid != old->fsuid)
528                 proc_id_connector(task, PROC_EVENT_UID);
529
530         if (new->gid   != old->gid  ||
531             new->egid  != old->egid ||
532             new->sgid  != old->sgid ||
533             new->fsgid != old->fsgid)
534                 proc_id_connector(task, PROC_EVENT_GID);
535
536         /* release the old obj and subj refs both */
537         put_cred(old);
538         put_cred(old);
539         return 0;
540 }
541 EXPORT_SYMBOL(commit_creds);
542
543 /**
544  * abort_creds - Discard a set of credentials and unlock the current task
545  * @new: The credentials that were going to be applied
546  *
547  * Discard a set of credentials that were under construction and unlock the
548  * current task.
549  */
550 void abort_creds(struct cred *new)
551 {
552         kdebug("abort_creds(%p{%d,%d})", new,
553                atomic_read(&new->usage),
554                read_cred_subscribers(new));
555
556 #ifdef CONFIG_DEBUG_CREDENTIALS
557         BUG_ON(read_cred_subscribers(new) != 0);
558 #endif
559         BUG_ON(atomic_read(&new->usage) < 1);
560         put_cred(new);
561 }
562 EXPORT_SYMBOL(abort_creds);
563
564 /**
565  * override_creds - Override the current process's subjective credentials
566  * @new: The credentials to be assigned
567  *
568  * Install a set of temporary override subjective credentials on the current
569  * process, returning the old set for later reversion.
570  */
571 const struct cred *override_creds(const struct cred *new)
572 {
573         const struct cred *old = current->cred;
574
575         kdebug("override_creds(%p{%d,%d})", new,
576                atomic_read(&new->usage),
577                read_cred_subscribers(new));
578
579         validate_creds(old);
580         validate_creds(new);
581         get_cred(new);
582         alter_cred_subscribers(new, 1);
583         rcu_assign_pointer(current->cred, new);
584         alter_cred_subscribers(old, -1);
585
586         kdebug("override_creds() = %p{%d,%d}", old,
587                atomic_read(&old->usage),
588                read_cred_subscribers(old));
589         return old;
590 }
591 EXPORT_SYMBOL(override_creds);
592
593 /**
594  * revert_creds - Revert a temporary subjective credentials override
595  * @old: The credentials to be restored
596  *
597  * Revert a temporary set of override subjective credentials to an old set,
598  * discarding the override set.
599  */
600 void revert_creds(const struct cred *old)
601 {
602         const struct cred *override = current->cred;
603
604         kdebug("revert_creds(%p{%d,%d})", old,
605                atomic_read(&old->usage),
606                read_cred_subscribers(old));
607
608         validate_creds(old);
609         validate_creds(override);
610         alter_cred_subscribers(old, 1);
611         rcu_assign_pointer(current->cred, old);
612         alter_cred_subscribers(override, -1);
613         put_cred(override);
614 }
615 EXPORT_SYMBOL(revert_creds);
616
617 /*
618  * initialise the credentials stuff
619  */
620 void __init cred_init(void)
621 {
622         /* allocate a slab in which we can store credentials */
623         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
624                                      0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
625 }
626
627 /**
628  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
629  * @daemon: A userspace daemon to be used as a reference
630  *
631  * Prepare a set of credentials for a kernel service.  This can then be used to
632  * override a task's own credentials so that work can be done on behalf of that
633  * task that requires a different subjective context.
634  *
635  * @daemon is used to provide a base for the security record, but can be NULL.
636  * If @daemon is supplied, then the security data will be derived from that;
637  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
638  *
639  * The caller may change these controls afterwards if desired.
640  *
641  * Returns the new credentials or NULL if out of memory.
642  *
643  * Does not take, and does not return holding current->cred_replace_mutex.
644  */
645 struct cred *prepare_kernel_cred(struct task_struct *daemon)
646 {
647 #ifdef CONFIG_KEYS
648         struct thread_group_cred *tgcred;
649 #endif
650         const struct cred *old;
651         struct cred *new;
652
653         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
654         if (!new)
655                 return NULL;
656
657 #ifdef CONFIG_KEYS
658         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
659         if (!tgcred) {
660                 kmem_cache_free(cred_jar, new);
661                 return NULL;
662         }
663 #endif
664
665         kdebug("prepare_kernel_cred() alloc %p", new);
666
667         if (daemon)
668                 old = get_task_cred(daemon);
669         else
670                 old = get_cred(&init_cred);
671
672         validate_creds(old);
673
674         *new = *old;
675         atomic_set(&new->usage, 1);
676         set_cred_subscribers(new, 0);
677         get_uid(new->user);
678         get_group_info(new->group_info);
679
680 #ifdef CONFIG_KEYS
681         atomic_set(&tgcred->usage, 1);
682         spin_lock_init(&tgcred->lock);
683         tgcred->process_keyring = NULL;
684         tgcred->session_keyring = NULL;
685         new->tgcred = tgcred;
686         new->request_key_auth = NULL;
687         new->thread_keyring = NULL;
688         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
689 #endif
690
691 #ifdef CONFIG_SECURITY
692         new->security = NULL;
693 #endif
694         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
695                 goto error;
696
697         put_cred(old);
698         validate_creds(new);
699         return new;
700
701 error:
702         put_cred(new);
703         put_cred(old);
704         return NULL;
705 }
706 EXPORT_SYMBOL(prepare_kernel_cred);
707
708 /**
709  * set_security_override - Set the security ID in a set of credentials
710  * @new: The credentials to alter
711  * @secid: The LSM security ID to set
712  *
713  * Set the LSM security ID in a set of credentials so that the subjective
714  * security is overridden when an alternative set of credentials is used.
715  */
716 int set_security_override(struct cred *new, u32 secid)
717 {
718         return security_kernel_act_as(new, secid);
719 }
720 EXPORT_SYMBOL(set_security_override);
721
722 /**
723  * set_security_override_from_ctx - Set the security ID in a set of credentials
724  * @new: The credentials to alter
725  * @secctx: The LSM security context to generate the security ID from.
726  *
727  * Set the LSM security ID in a set of credentials so that the subjective
728  * security is overridden when an alternative set of credentials is used.  The
729  * security ID is specified in string form as a security context to be
730  * interpreted by the LSM.
731  */
732 int set_security_override_from_ctx(struct cred *new, const char *secctx)
733 {
734         u32 secid;
735         int ret;
736
737         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
738         if (ret < 0)
739                 return ret;
740
741         return set_security_override(new, secid);
742 }
743 EXPORT_SYMBOL(set_security_override_from_ctx);
744
745 /**
746  * set_create_files_as - Set the LSM file create context in a set of credentials
747  * @new: The credentials to alter
748  * @inode: The inode to take the context from
749  *
750  * Change the LSM file creation context in a set of credentials to be the same
751  * as the object context of the specified inode, so that the new inodes have
752  * the same MAC context as that inode.
753  */
754 int set_create_files_as(struct cred *new, struct inode *inode)
755 {
756         new->fsuid = inode->i_uid;
757         new->fsgid = inode->i_gid;
758         return security_kernel_create_files_as(new, inode);
759 }
760 EXPORT_SYMBOL(set_create_files_as);
761
762 #ifdef CONFIG_DEBUG_CREDENTIALS
763
764 bool creds_are_invalid(const struct cred *cred)
765 {
766         if (cred->magic != CRED_MAGIC)
767                 return true;
768 #ifdef CONFIG_SECURITY_SELINUX
769         /*
770          * cred->security == NULL if security_cred_alloc_blank() or
771          * security_prepare_creds() returned an error.
772          */
773         if (selinux_is_enabled() && cred->security) {
774                 if ((unsigned long) cred->security < PAGE_SIZE)
775                         return true;
776                 if ((*(u32 *)cred->security & 0xffffff00) ==
777                     (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
778                         return true;
779         }
780 #endif
781         return false;
782 }
783 EXPORT_SYMBOL(creds_are_invalid);
784
785 /*
786  * dump invalid credentials
787  */
788 static void dump_invalid_creds(const struct cred *cred, const char *label,
789                                const struct task_struct *tsk)
790 {
791         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
792                label, cred,
793                cred == &init_cred ? "[init]" : "",
794                cred == tsk->real_cred ? "[real]" : "",
795                cred == tsk->cred ? "[eff]" : "");
796         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
797                cred->magic, cred->put_addr);
798         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
799                atomic_read(&cred->usage),
800                read_cred_subscribers(cred));
801         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
802                cred->uid, cred->euid, cred->suid, cred->fsuid);
803         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
804                cred->gid, cred->egid, cred->sgid, cred->fsgid);
805 #ifdef CONFIG_SECURITY
806         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
807         if ((unsigned long) cred->security >= PAGE_SIZE &&
808             (((unsigned long) cred->security & 0xffffff00) !=
809              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
810                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
811                        ((u32*)cred->security)[0],
812                        ((u32*)cred->security)[1]);
813 #endif
814 }
815
816 /*
817  * report use of invalid credentials
818  */
819 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
820 {
821         printk(KERN_ERR "CRED: Invalid credentials\n");
822         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
823         dump_invalid_creds(cred, "Specified", current);
824         BUG();
825 }
826 EXPORT_SYMBOL(__invalid_creds);
827
828 /*
829  * check the credentials on a process
830  */
831 void __validate_process_creds(struct task_struct *tsk,
832                               const char *file, unsigned line)
833 {
834         if (tsk->cred == tsk->real_cred) {
835                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
836                              creds_are_invalid(tsk->cred)))
837                         goto invalid_creds;
838         } else {
839                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
840                              read_cred_subscribers(tsk->cred) < 1 ||
841                              creds_are_invalid(tsk->real_cred) ||
842                              creds_are_invalid(tsk->cred)))
843                         goto invalid_creds;
844         }
845         return;
846
847 invalid_creds:
848         printk(KERN_ERR "CRED: Invalid process credentials\n");
849         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
850
851         dump_invalid_creds(tsk->real_cred, "Real", tsk);
852         if (tsk->cred != tsk->real_cred)
853                 dump_invalid_creds(tsk->cred, "Effective", tsk);
854         else
855                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
856         BUG();
857 }
858 EXPORT_SYMBOL(__validate_process_creds);
859
860 /*
861  * check creds for do_exit()
862  */
863 void validate_creds_for_do_exit(struct task_struct *tsk)
864 {
865         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
866                tsk->real_cred, tsk->cred,
867                atomic_read(&tsk->cred->usage),
868                read_cred_subscribers(tsk->cred));
869
870         __validate_process_creds(tsk, __FILE__, __LINE__);
871 }
872
873 #endif /* CONFIG_DEBUG_CREDENTIALS */