process_keys.c 17.2 KB
Newer Older
L
Linus Torvalds 已提交
1 2
/* process_keys.c: management of a process's keyrings
 *
3
 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
L
Linus Torvalds 已提交
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/keyctl.h>
#include <linux/fs.h>
#include <linux/err.h>
I
Ingo Molnar 已提交
19
#include <linux/mutex.h>
L
Linus Torvalds 已提交
20 21 22 23
#include <asm/uaccess.h>
#include "internal.h"

/* session keyring create vs join semaphore */
I
Ingo Molnar 已提交
24
static DEFINE_MUTEX(key_session_mutex);
L
Linus Torvalds 已提交
25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

/* the root user's tracking struct */
struct key_user root_key_user = {
	.usage		= ATOMIC_INIT(3),
	.consq		= LIST_HEAD_INIT(root_key_user.consq),
	.lock		= SPIN_LOCK_UNLOCKED,
	.nkeys		= ATOMIC_INIT(2),
	.nikeys		= ATOMIC_INIT(2),
	.uid		= 0,
};

/* the root user's UID keyring */
struct key root_user_keyring = {
	.usage		= ATOMIC_INIT(1),
	.serial		= 2,
	.type		= &key_type_keyring,
	.user		= &root_key_user,
	.sem		= __RWSEM_INITIALIZER(root_user_keyring.sem),
43
	.perm		= (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
44
	.flags		= 1 << KEY_FLAG_INSTANTIATED,
L
Linus Torvalds 已提交
45 46 47 48 49 50 51 52 53 54 55 56 57
	.description	= "_uid.0",
#ifdef KEY_DEBUGGING
	.magic		= KEY_DEBUG_MAGIC,
#endif
};

/* the root user's default session keyring */
struct key root_session_keyring = {
	.usage		= ATOMIC_INIT(1),
	.serial		= 1,
	.type		= &key_type_keyring,
	.user		= &root_key_user,
	.sem		= __RWSEM_INITIALIZER(root_session_keyring.sem),
58
	.perm		= (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
59
	.flags		= 1 << KEY_FLAG_INSTANTIATED,
L
Linus Torvalds 已提交
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
	.description	= "_uid_ses.0",
#ifdef KEY_DEBUGGING
	.magic		= KEY_DEBUG_MAGIC,
#endif
};

/*****************************************************************************/
/*
 * allocate the keyrings to be associated with a UID
 */
int alloc_uid_keyring(struct user_struct *user)
{
	struct key *uid_keyring, *session_keyring;
	char buf[20];
	int ret;

	/* concoct a default session keyring */
	sprintf(buf, "_uid_ses.%u", user->uid);

	session_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, 0, NULL);
	if (IS_ERR(session_keyring)) {
		ret = PTR_ERR(session_keyring);
		goto error;
	}

	/* and a UID specific keyring, pointed to by the default session
	 * keyring */
	sprintf(buf, "_uid.%u", user->uid);

	uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, 0,
				    session_keyring);
	if (IS_ERR(uid_keyring)) {
		key_put(session_keyring);
		ret = PTR_ERR(uid_keyring);
		goto error;
	}

	/* install the keyrings */
	user->uid_keyring = uid_keyring;
	user->session_keyring = session_keyring;
	ret = 0;

102
error:
L
Linus Torvalds 已提交
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
	return ret;

} /* end alloc_uid_keyring() */

/*****************************************************************************/
/*
 * deal with the UID changing
 */
void switch_uid_keyring(struct user_struct *new_user)
{
#if 0 /* do nothing for now */
	struct key *old;

	/* switch to the new user's session keyring if we were running under
	 * root's default session keyring */
	if (new_user->uid != 0 &&
	    current->session_keyring == &root_session_keyring
	    ) {
		atomic_inc(&new_user->session_keyring->usage);

		task_lock(current);
		old = current->session_keyring;
		current->session_keyring = new_user->session_keyring;
		task_unlock(current);

		key_put(old);
	}
#endif

} /* end switch_uid_keyring() */

/*****************************************************************************/
/*
 * install a fresh thread keyring, discarding the old one
 */
int install_thread_keyring(struct task_struct *tsk)
{
	struct key *keyring, *old;
	char buf[20];
	int ret;

	sprintf(buf, "_tid.%u", tsk->pid);

	keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
	if (IS_ERR(keyring)) {
		ret = PTR_ERR(keyring);
		goto error;
	}

	task_lock(tsk);
	old = tsk->thread_keyring;
	tsk->thread_keyring = keyring;
	task_unlock(tsk);

	ret = 0;

	key_put(old);
160
error:
L
Linus Torvalds 已提交
161 162 163 164 165 166 167 168
	return ret;

} /* end install_thread_keyring() */

/*****************************************************************************/
/*
 * make sure a process keyring is installed
 */
169
int install_process_keyring(struct task_struct *tsk)
L
Linus Torvalds 已提交
170 171 172 173 174
{
	struct key *keyring;
	char buf[20];
	int ret;

175 176
	might_sleep();

L
Linus Torvalds 已提交
177 178 179 180 181 182 183 184 185
	if (!tsk->signal->process_keyring) {
		sprintf(buf, "_pid.%u", tsk->tgid);

		keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
		if (IS_ERR(keyring)) {
			ret = PTR_ERR(keyring);
			goto error;
		}

186
		/* attach keyring */
187
		spin_lock_irq(&tsk->sighand->siglock);
L
Linus Torvalds 已提交
188 189 190 191
		if (!tsk->signal->process_keyring) {
			tsk->signal->process_keyring = keyring;
			keyring = NULL;
		}
192
		spin_unlock_irq(&tsk->sighand->siglock);
L
Linus Torvalds 已提交
193 194 195 196 197

		key_put(keyring);
	}

	ret = 0;
198
error:
L
Linus Torvalds 已提交
199 200 201 202 203 204 205 206 207 208 209 210 211 212
	return ret;

} /* end install_process_keyring() */

/*****************************************************************************/
/*
 * install a session keyring, discarding the old one
 * - if a keyring is not supplied, an empty one is invented
 */
static int install_session_keyring(struct task_struct *tsk,
				   struct key *keyring)
{
	struct key *old;
	char buf[20];
213 214

	might_sleep();
L
Linus Torvalds 已提交
215 216 217 218 219 220

	/* create an empty session keyring */
	if (!keyring) {
		sprintf(buf, "_ses.%u", tsk->tgid);

		keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
221 222
		if (IS_ERR(keyring))
			return PTR_ERR(keyring);
L
Linus Torvalds 已提交
223 224 225 226 227 228
	}
	else {
		atomic_inc(&keyring->usage);
	}

	/* install the keyring */
229 230
	spin_lock_irq(&tsk->sighand->siglock);
	old = tsk->signal->session_keyring;
231
	rcu_assign_pointer(tsk->signal->session_keyring, keyring);
232
	spin_unlock_irq(&tsk->sighand->siglock);
L
Linus Torvalds 已提交
233

234 235 236 237 238 239
	/* we're using RCU on the pointer, but there's no point synchronising
	 * on it if it didn't previously point to anything */
	if (old) {
		synchronize_rcu();
		key_put(old);
	}
L
Linus Torvalds 已提交
240

241
	return 0;
L
Linus Torvalds 已提交
242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257

} /* end install_session_keyring() */

/*****************************************************************************/
/*
 * copy the keys in a thread group for fork without CLONE_THREAD
 */
int copy_thread_group_keys(struct task_struct *tsk)
{
	key_check(current->thread_group->session_keyring);
	key_check(current->thread_group->process_keyring);

	/* no process keyring yet */
	tsk->signal->process_keyring = NULL;

	/* same session keyring */
258
	rcu_read_lock();
L
Linus Torvalds 已提交
259
	tsk->signal->session_keyring =
260 261
		key_get(rcu_dereference(current->signal->session_keyring));
	rcu_read_unlock();
L
Linus Torvalds 已提交
262 263 264 265 266 267 268 269 270 271 272 273

	return 0;

} /* end copy_thread_group_keys() */

/*****************************************************************************/
/*
 * copy the keys for fork
 */
int copy_keys(unsigned long clone_flags, struct task_struct *tsk)
{
	key_check(tsk->thread_keyring);
274
	key_check(tsk->request_key_auth);
L
Linus Torvalds 已提交
275 276 277

	/* no thread keyring yet */
	tsk->thread_keyring = NULL;
278 279 280 281

	/* copy the request_key() authorisation for this thread */
	key_get(tsk->request_key_auth);

L
Linus Torvalds 已提交
282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298
	return 0;

} /* end copy_keys() */

/*****************************************************************************/
/*
 * dispose of thread group keys upon thread group destruction
 */
void exit_thread_group_keys(struct signal_struct *tg)
{
	key_put(tg->session_keyring);
	key_put(tg->process_keyring);

} /* end exit_thread_group_keys() */

/*****************************************************************************/
/*
299
 * dispose of per-thread keys upon thread exit
L
Linus Torvalds 已提交
300 301 302 303
 */
void exit_keys(struct task_struct *tsk)
{
	key_put(tsk->thread_keyring);
304
	key_put(tsk->request_key_auth);
L
Linus Torvalds 已提交
305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324

} /* end exit_keys() */

/*****************************************************************************/
/*
 * deal with execve()
 */
int exec_keys(struct task_struct *tsk)
{
	struct key *old;

	/* newly exec'd tasks don't get a thread keyring */
	task_lock(tsk);
	old = tsk->thread_keyring;
	tsk->thread_keyring = NULL;
	task_unlock(tsk);

	key_put(old);

	/* discard the process keyring from a newly exec'd task */
325
	spin_lock_irq(&tsk->sighand->siglock);
L
Linus Torvalds 已提交
326 327
	old = tsk->signal->process_keyring;
	tsk->signal->process_keyring = NULL;
328
	spin_unlock_irq(&tsk->sighand->siglock);
L
Linus Torvalds 已提交
329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384

	key_put(old);

	return 0;

} /* end exec_keys() */

/*****************************************************************************/
/*
 * deal with SUID programs
 * - we might want to make this invent a new session keyring
 */
int suid_keys(struct task_struct *tsk)
{
	return 0;

} /* end suid_keys() */

/*****************************************************************************/
/*
 * the filesystem user ID changed
 */
void key_fsuid_changed(struct task_struct *tsk)
{
	/* update the ownership of the thread keyring */
	if (tsk->thread_keyring) {
		down_write(&tsk->thread_keyring->sem);
		tsk->thread_keyring->uid = tsk->fsuid;
		up_write(&tsk->thread_keyring->sem);
	}

} /* end key_fsuid_changed() */

/*****************************************************************************/
/*
 * the filesystem group ID changed
 */
void key_fsgid_changed(struct task_struct *tsk)
{
	/* update the ownership of the thread keyring */
	if (tsk->thread_keyring) {
		down_write(&tsk->thread_keyring->sem);
		tsk->thread_keyring->gid = tsk->fsgid;
		up_write(&tsk->thread_keyring->sem);
	}

} /* end key_fsgid_changed() */

/*****************************************************************************/
/*
 * search the process keyrings for the first matching key
 * - we use the supplied match function to see if the description (or other
 *   feature of interest) matches
 * - we return -EAGAIN if we didn't find any matching key
 * - we return -ENOKEY if we found only negative matching keys
 */
385 386 387 388
key_ref_t search_process_keyrings(struct key_type *type,
				  const void *description,
				  key_match_func_t match,
				  struct task_struct *context)
L
Linus Torvalds 已提交
389
{
390
	struct request_key_auth *rka;
391
	key_ref_t key_ref, ret, err;
L
Linus Torvalds 已提交
392 393 394 395 396 397 398 399

	/* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
	 * searchable, but we failed to find a key or we found a negative key;
	 * otherwise we want to return a sample error (probably -EACCES) if
	 * none of the keyrings were searchable
	 *
	 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
	 */
400
	key_ref = NULL;
L
Linus Torvalds 已提交
401 402 403 404
	ret = NULL;
	err = ERR_PTR(-EAGAIN);

	/* search the thread keyring first */
405
	if (context->thread_keyring) {
406 407 408 409
		key_ref = keyring_search_aux(
			make_key_ref(context->thread_keyring, 1),
			context, type, description, match);
		if (!IS_ERR(key_ref))
L
Linus Torvalds 已提交
410 411
			goto found;

412
		switch (PTR_ERR(key_ref)) {
L
Linus Torvalds 已提交
413 414 415 416
		case -EAGAIN: /* no key */
			if (ret)
				break;
		case -ENOKEY: /* negative key */
417
			ret = key_ref;
L
Linus Torvalds 已提交
418 419
			break;
		default:
420
			err = key_ref;
L
Linus Torvalds 已提交
421 422 423 424 425
			break;
		}
	}

	/* search the process keyring second */
426
	if (context->signal->process_keyring) {
427 428 429 430
		key_ref = keyring_search_aux(
			make_key_ref(context->signal->process_keyring, 1),
			context, type, description, match);
		if (!IS_ERR(key_ref))
L
Linus Torvalds 已提交
431 432
			goto found;

433
		switch (PTR_ERR(key_ref)) {
L
Linus Torvalds 已提交
434 435 436 437
		case -EAGAIN: /* no key */
			if (ret)
				break;
		case -ENOKEY: /* negative key */
438
			ret = key_ref;
L
Linus Torvalds 已提交
439 440
			break;
		default:
441
			err = key_ref;
L
Linus Torvalds 已提交
442 443 444 445
			break;
		}
	}

446 447
	/* search the session keyring */
	if (context->signal->session_keyring) {
448
		rcu_read_lock();
449 450 451 452
		key_ref = keyring_search_aux(
			make_key_ref(rcu_dereference(
					     context->signal->session_keyring),
				     1),
453
			context, type, description, match);
454
		rcu_read_unlock();
455

456
		if (!IS_ERR(key_ref))
457 458
			goto found;

459
		switch (PTR_ERR(key_ref)) {
460 461 462 463
		case -EAGAIN: /* no key */
			if (ret)
				break;
		case -ENOKEY: /* negative key */
464
			ret = key_ref;
465 466
			break;
		default:
467
			err = key_ref;
468 469
			break;
		}
470 471 472 473 474 475
	}
	/* or search the user-session keyring */
	else {
		key_ref = keyring_search_aux(
			make_key_ref(context->user->session_keyring, 1),
			context, type, description, match);
476
		if (!IS_ERR(key_ref))
477 478
			goto found;

479
		switch (PTR_ERR(key_ref)) {
480 481 482 483
		case -EAGAIN: /* no key */
			if (ret)
				break;
		case -ENOKEY: /* negative key */
484
			ret = key_ref;
485 486
			break;
		default:
487
			err = key_ref;
488 489
			break;
		}
490
	}
491 492 493 494 495 496 497 498 499 500 501 502 503 504 505

	/* if this process has an instantiation authorisation key, then we also
	 * search the keyrings of the process mentioned there
	 * - we don't permit access to request_key auth keys via this method
	 */
	if (context->request_key_auth &&
	    context == current &&
	    type != &key_type_request_key_auth &&
	    key_validate(context->request_key_auth) == 0
	    ) {
		rka = context->request_key_auth->payload.data;

		key_ref = search_process_keyrings(type, description, match,
						  rka->context);

506
		if (!IS_ERR(key_ref))
507
			goto found;
L
Linus Torvalds 已提交
508

509
		switch (PTR_ERR(key_ref)) {
510 511 512 513
		case -EAGAIN: /* no key */
			if (ret)
				break;
		case -ENOKEY: /* negative key */
514
			ret = key_ref;
L
Linus Torvalds 已提交
515
			break;
516
		default:
517
			err = key_ref;
518 519
			break;
		}
L
Linus Torvalds 已提交
520 521 522
	}

	/* no key - decide on the error we're going to go for */
523
	key_ref = ret ? ret : err;
L
Linus Torvalds 已提交
524

525
found:
526
	return key_ref;
L
Linus Torvalds 已提交
527 528 529

} /* end search_process_keyrings() */

530 531 532 533 534 535 536 537 538 539
/*****************************************************************************/
/*
 * see if the key we're looking at is the target key
 */
static int lookup_user_key_possessed(const struct key *key, const void *target)
{
	return key == target;

} /* end lookup_user_key_possessed() */

L
Linus Torvalds 已提交
540 541 542 543 544 545
/*****************************************************************************/
/*
 * lookup a key given a key ID from userspace with a given permissions mask
 * - don't create special keyrings unless so requested
 * - partially constructed keys aren't found unless requested
 */
546 547
key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
			  int create, int partial, key_perm_t perm)
L
Linus Torvalds 已提交
548
{
549
	key_ref_t key_ref, skey_ref;
L
Linus Torvalds 已提交
550 551 552
	struct key *key;
	int ret;

553 554 555
	if (!context)
		context = current;

556
	key_ref = ERR_PTR(-ENOKEY);
L
Linus Torvalds 已提交
557 558 559

	switch (id) {
	case KEY_SPEC_THREAD_KEYRING:
560
		if (!context->thread_keyring) {
L
Linus Torvalds 已提交
561 562 563
			if (!create)
				goto error;

564
			ret = install_thread_keyring(context);
L
Linus Torvalds 已提交
565 566 567 568 569 570
			if (ret < 0) {
				key = ERR_PTR(ret);
				goto error;
			}
		}

571
		key = context->thread_keyring;
L
Linus Torvalds 已提交
572
		atomic_inc(&key->usage);
573
		key_ref = make_key_ref(key, 1);
L
Linus Torvalds 已提交
574 575 576
		break;

	case KEY_SPEC_PROCESS_KEYRING:
577
		if (!context->signal->process_keyring) {
L
Linus Torvalds 已提交
578 579 580
			if (!create)
				goto error;

581
			ret = install_process_keyring(context);
L
Linus Torvalds 已提交
582 583 584 585 586 587
			if (ret < 0) {
				key = ERR_PTR(ret);
				goto error;
			}
		}

588
		key = context->signal->process_keyring;
L
Linus Torvalds 已提交
589
		atomic_inc(&key->usage);
590
		key_ref = make_key_ref(key, 1);
L
Linus Torvalds 已提交
591 592 593
		break;

	case KEY_SPEC_SESSION_KEYRING:
594
		if (!context->signal->session_keyring) {
L
Linus Torvalds 已提交
595 596 597
			/* always install a session keyring upon access if one
			 * doesn't exist yet */
			ret = install_session_keyring(
598
				context, context->user->session_keyring);
L
Linus Torvalds 已提交
599 600 601 602
			if (ret < 0)
				goto error;
		}

603 604
		rcu_read_lock();
		key = rcu_dereference(context->signal->session_keyring);
L
Linus Torvalds 已提交
605
		atomic_inc(&key->usage);
606
		rcu_read_unlock();
607
		key_ref = make_key_ref(key, 1);
L
Linus Torvalds 已提交
608 609 610
		break;

	case KEY_SPEC_USER_KEYRING:
611
		key = context->user->uid_keyring;
L
Linus Torvalds 已提交
612
		atomic_inc(&key->usage);
613
		key_ref = make_key_ref(key, 1);
L
Linus Torvalds 已提交
614 615 616
		break;

	case KEY_SPEC_USER_SESSION_KEYRING:
617
		key = context->user->session_keyring;
L
Linus Torvalds 已提交
618
		atomic_inc(&key->usage);
619
		key_ref = make_key_ref(key, 1);
L
Linus Torvalds 已提交
620 621 622 623 624 625 626
		break;

	case KEY_SPEC_GROUP_KEYRING:
		/* group keyrings are not yet supported */
		key = ERR_PTR(-EINVAL);
		goto error;

627 628 629 630 631 632 633 634 635
	case KEY_SPEC_REQKEY_AUTH_KEY:
		key = context->request_key_auth;
		if (!key)
			goto error;

		atomic_inc(&key->usage);
		key_ref = make_key_ref(key, 1);
		break;

L
Linus Torvalds 已提交
636
	default:
637
		key_ref = ERR_PTR(-EINVAL);
L
Linus Torvalds 已提交
638 639 640 641
		if (id < 1)
			goto error;

		key = key_lookup(id);
642 643
		if (IS_ERR(key)) {
			key_ref = ERR_PTR(PTR_ERR(key));
L
Linus Torvalds 已提交
644
			goto error;
645 646 647 648 649 650 651 652 653 654 655 656 657 658
		}

		key_ref = make_key_ref(key, 0);

		/* check to see if we possess the key */
		skey_ref = search_process_keyrings(key->type, key,
						   lookup_user_key_possessed,
						   current);

		if (!IS_ERR(skey_ref)) {
			key_put(key);
			key_ref = skey_ref;
		}

L
Linus Torvalds 已提交
659 660 661
		break;
	}

662
	/* check the status */
L
Linus Torvalds 已提交
663 664 665 666 667 668 669
	if (perm) {
		ret = key_validate(key);
		if (ret < 0)
			goto invalid_key;
	}

	ret = -EIO;
670
	if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
L
Linus Torvalds 已提交
671 672
		goto invalid_key;

673
	/* check the permissions */
674 675
	ret = key_task_permission(key_ref, context, perm);
	if (ret < 0)
L
Linus Torvalds 已提交
676 677
		goto invalid_key;

678 679
error:
	return key_ref;
L
Linus Torvalds 已提交
680

681 682 683
invalid_key:
	key_ref_put(key_ref);
	key_ref = ERR_PTR(ret);
L
Linus Torvalds 已提交
684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706
	goto error;

} /* end lookup_user_key() */

/*****************************************************************************/
/*
 * join the named keyring as the session keyring if possible, or attempt to
 * create a new one of that name if not
 * - if the name is NULL, an empty anonymous keyring is installed instead
 * - named session keyring joining is done with a semaphore held
 */
long join_session_keyring(const char *name)
{
	struct task_struct *tsk = current;
	struct key *keyring;
	long ret;

	/* if no name is provided, install an anonymous keyring */
	if (!name) {
		ret = install_session_keyring(tsk, NULL);
		if (ret < 0)
			goto error;

707 708 709
		rcu_read_lock();
		ret = rcu_dereference(tsk->signal->session_keyring)->serial;
		rcu_read_unlock();
L
Linus Torvalds 已提交
710 711 712 713
		goto error;
	}

	/* allow the user to join or create a named keyring */
I
Ingo Molnar 已提交
714
	mutex_lock(&key_session_mutex);
L
Linus Torvalds 已提交
715 716 717 718 719 720 721 722

	/* look for an existing keyring of this name */
	keyring = find_keyring_by_name(name, 0);
	if (PTR_ERR(keyring) == -ENOKEY) {
		/* not found - try and create a new one */
		keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
		if (IS_ERR(keyring)) {
			ret = PTR_ERR(keyring);
723
			goto error2;
L
Linus Torvalds 已提交
724 725 726 727 728 729 730 731 732 733 734 735 736 737 738
		}
	}
	else if (IS_ERR(keyring)) {
		ret = PTR_ERR(keyring);
		goto error2;
	}

	/* we've got a keyring - now to install it */
	ret = install_session_keyring(tsk, keyring);
	if (ret < 0)
		goto error2;

	ret = keyring->serial;
	key_put(keyring);

739
error2:
I
Ingo Molnar 已提交
740
	mutex_unlock(&key_session_mutex);
741
error:
L
Linus Torvalds 已提交
742 743 744
	return ret;

} /* end join_session_keyring() */