/*
* the key control system call, 32-bit compatibility version for 64-bit archs
* - this should only be called if the 64-bit arch uses weird pointers in
* 32-bit mode or doesn't guarantee that the top 32-bits of the argument
* registers on taking a 32-bit syscall are zero
* - if you can, you should call sys_keyctl directly
*/
asmlinkage long compat_sys_keyctl(u32 option,
u32 arg2, u32 arg3, u32 arg4, u32 arg5)
{
switch (option) {
case KEYCTL_GET_KEYRING_ID:
return keyctl_get_keyring_ID(arg2, arg3);
case KEYCTL_JOIN_SESSION_KEYRING:
return keyctl_join_session_keyring(compat_ptr(arg2));
case KEYCTL_UPDATE:
return keyctl_update_key(arg2, compat_ptr(arg3), arg4);
case KEYCTL_REVOKE:
return keyctl_revoke_key(arg2);
case KEYCTL_DESCRIBE:
return keyctl_describe_key(arg2, compat_ptr(arg3), arg4);
case KEYCTL_CLEAR:
return keyctl_keyring_clear(arg2);
case KEYCTL_LINK:
return keyctl_keyring_link(arg2, arg3);
case KEYCTL_UNLINK:
return keyctl_keyring_unlink(arg2, arg3);
case KEYCTL_SEARCH:
return keyctl_keyring_search(arg2, compat_ptr(arg3),
compat_ptr(arg4), arg5);
case KEYCTL_READ:
return keyctl_read_key(arg2, compat_ptr(arg3), arg4);
case KEYCTL_CHOWN:
return keyctl_chown_key(arg2, arg3, arg4);
case KEYCTL_SETPERM:
return keyctl_setperm_key(arg2, arg3);
case KEYCTL_INSTANTIATE:
return keyctl_instantiate_key(arg2, compat_ptr(arg3), arg4,
arg5);
case KEYCTL_NEGATE:
return keyctl_negate_key(arg2, arg3, arg4);
case KEYCTL_SET_REQKEY_KEYRING:
return keyctl_set_reqkey_keyring(arg2);
case KEYCTL_SET_TIMEOUT:
return keyctl_set_timeout(arg2, arg3);
case KEYCTL_ASSUME_AUTHORITY:
return keyctl_assume_authority(arg2);
case KEYCTL_GET_SECURITY:
return keyctl_get_security(arg2, compat_ptr(arg3), arg4);
case KEYCTL_SESSION_TO_PARENT:
return keyctl_session_to_parent();
default:
return -EOPNOTSUPP;
}
} /* end compat_sys_keyctl() */
int
main(int argc, char *argv[])
{
int ret = 1;
char *secret_cmd = NULL;
char *subprocess_argv[4];
struct sm_opts *opts = NULL;
key_serial_t key_id;
char key_payload[KEY_PAYLOAD_MAXLEN];
char session_name[SESSION_NAME_MAXLEN];
// parse_opts gives use default values if not provided
opts = sm_opts_parse(argc, argv);
if (opts == NULL) {
ret = 1;
goto exit;
}
if (opts->flags & OPT_HELP || opts->flags & OPT_UNRECOGNIZED) {
print_usage();
ret = 0;
goto exit;
}
if (opts->flags & OPT_VERSION) {
fprintf(stderr, PACKAGE_NAME " " PACKAGE_VERSION "\n");
ret = 0;
goto exit;
}
// We deal with only one session name for the moment
sprintf(session_name, "sm-session-%u", SM_MAGIC);
// Start to request a key in the current session if present
key_id = request_key("user", session_name, NULL, KEY_SPEC_SESSION_KEYRING);
if (opts->flags & OPT_QUIT ) {
if (key_id > 0)
keyctl_revoke(key_id);
else
fprintf(stderr, "No keyring session could be found.\n");
ret = 0;
goto exit;
}
if (opts->flags & OPT_SHOW_KEYID) {
if (key_id > 0) {
printf("%d\n", key_id);
ret = 0;
goto exit;
} else {
fprintf(stderr, "No key is attached to the current session.\n");
ret = 1;
goto exit;
}
}
if (key_id <= 0) {
// Ask the user to enter his secret phrase and
memset(key_payload, 0, KEY_PAYLOAD_MAXLEN);
sprintf(key_payload, "%s", getpass("Secret: "));
if (strlen(key_payload) == 0) {
fprintf(stderr, "An empty secret phrase is not supported.\n");
ret = 1;
goto exit;
}
key_id = add_key("user", session_name, key_payload,
strlen(key_payload), KEY_SPEC_SESSION_KEYRING);
if (key_id < 0) {
fprintf(stderr, "FATAL: Cannot add a passphrase, is CONFIG_KEYS enabled in your kernel?\n");
ret = 1;
goto exit;
}
// To be able to find again the passphrase in the next execution of sm,
// we have to attach the current keyring session to the shell
// interpreter which executed this cmd
keyctl_session_to_parent();
} else {
// Read the passphrase
memset(key_payload, 0, KEY_PAYLOAD_MAXLEN);
if (keyctl_read(key_id, key_payload, KEY_PAYLOAD_MAXLEN) < 0) {
ret = 1;
goto exit;
}
}
// We should have here a valid key id, so trigger the timeout again
keyctl_set_timeout(key_id, (unsigned int) opts->timeout_sec);
// Replace all {} occurrences by the secret phrase
secret_cmd = replace_str(opts->cmd, opts->repl_str, key_payload);
// Execute the secret cmd
if (secret_cmd) {
// Replacing the current executable image will at least return the exit
// code of the executed command
subprocess_argv[0] = "sh";
subprocess_argv[1] = "-c";
subprocess_argv[2] = secret_cmd;
subprocess_argv[3] = NULL;
execvp("/bin/sh", subprocess_argv);
assert(0);
}
exit:
if (opts)
sm_opts_free(opts);
return ret;
}
