SAFE public projects git trees. - safe/jmp/linux-2.6/blob - security/keys/process_keys.c

   1 /* Management of a process's keyrings
   2  *
   3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
   4  * Written by David Howells (dhowells@redhat.com)
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public License
   8  * as published by the Free Software Foundation; either version
   9  * 2 of the License, or (at your option) any later version.
  10  */
  11
  12 #include <linux/module.h>
  13 #include <linux/init.h>
  14 #include <linux/sched.h>
  15 #include <linux/slab.h>
  16 #include <linux/keyctl.h>
  17 #include <linux/fs.h>
  18 #include <linux/err.h>
  19 #include <linux/mutex.h>
  20 #include <asm/uaccess.h>
  21 #include "internal.h"
  22
  23 /* session keyring create vs join semaphore */
  24 static DEFINE_MUTEX(key_session_mutex);
  25
  26 /* user keyring creation semaphore */
  27 static DEFINE_MUTEX(key_user_keyring_mutex);
  28
  29 /* the root user's tracking struct */
  30 struct key_user root_key_user = {
  31         .usage          = ATOMIC_INIT(3),
  32         .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
  33         .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
  34         .nkeys          = ATOMIC_INIT(2),
  35         .nikeys         = ATOMIC_INIT(2),
  36         .uid            = 0,
  37 };
  38
  39 /*****************************************************************************/
  40 /*
  41  * install user and user session keyrings for a particular UID
  42  */
  43 int install_user_keyrings(void)
  44 {
  45         struct user_struct *user;
  46         const struct cred *cred;
  47         struct key *uid_keyring, *session_keyring;
  48         char buf[20];
  49         int ret;
  50
  51         cred = current_cred();
  52         user = cred->user;
  53
  54         kenter("%p{%u}", user, user->uid);
  55
  56         if (user->uid_keyring) {
  57                 kleave(" = 0 [exist]");
  58                 return 0;
  59         }
  60
  61         mutex_lock(&key_user_keyring_mutex);
  62         ret = 0;
  63
  64         if (!user->uid_keyring) {
  65                 /* get the UID-specific keyring
  66                  * - there may be one in existence already as it may have been
  67                  *   pinned by a session, but the user_struct pointing to it
  68                  *   may have been destroyed by setuid */
  69                 sprintf(buf, "_uid.%u", user->uid);
  70
  71                 uid_keyring = find_keyring_by_name(buf, true);
  72                 if (IS_ERR(uid_keyring)) {
  73                         uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
  74                                                     cred, KEY_ALLOC_IN_QUOTA,
  75                                                     NULL);
  76                         if (IS_ERR(uid_keyring)) {
  77                                 ret = PTR_ERR(uid_keyring);
  78                                 goto error;
  79                         }
  80                 }
  81
  82                 /* get a default session keyring (which might also exist
  83                  * already) */
  84                 sprintf(buf, "_uid_ses.%u", user->uid);
  85
  86                 session_keyring = find_keyring_by_name(buf, true);
  87                 if (IS_ERR(session_keyring)) {
  88                         session_keyring =
  89                                 keyring_alloc(buf, user->uid, (gid_t) -1,
  90                                               cred, KEY_ALLOC_IN_QUOTA, NULL);
  91                         if (IS_ERR(session_keyring)) {
  92                                 ret = PTR_ERR(session_keyring);
  93                                 goto error_release;
  94                         }
  95
  96                         /* we install a link from the user session keyring to
  97                          * the user keyring */
  98                         ret = key_link(session_keyring, uid_keyring);
  99                         if (ret < 0)
 100                                 goto error_release_both;
 101                 }
 102
 103                 /* install the keyrings */
 104                 user->uid_keyring = uid_keyring;
 105                 user->session_keyring = session_keyring;
 106         }
 107
 108         mutex_unlock(&key_user_keyring_mutex);
 109         kleave(" = 0");
 110         return 0;
 111
 112 error_release_both:
 113         key_put(session_keyring);
 114 error_release:
 115         key_put(uid_keyring);
 116 error:
 117         mutex_unlock(&key_user_keyring_mutex);
 118         kleave(" = %d", ret);
 119         return ret;
 120 }
 121
 122 /*
 123  * install a fresh thread keyring directly to new credentials
 124  */
 125 int install_thread_keyring_to_cred(struct cred *new)
 126 {
 127         struct key *keyring;
 128
 129         keyring = keyring_alloc("_tid", new->uid, new->gid, new,
 130                                 KEY_ALLOC_QUOTA_OVERRUN, NULL);
 131         if (IS_ERR(keyring))
 132                 return PTR_ERR(keyring);
 133
 134         new->thread_keyring = keyring;
 135         return 0;
 136 }
 137
 138 /*
 139  * install a fresh thread keyring, discarding the old one
 140  */
 141 static int install_thread_keyring(void)
 142 {
 143         struct cred *new;
 144         int ret;
 145
 146         new = prepare_creds();
 147         if (!new)
 148                 return -ENOMEM;
 149
 150         BUG_ON(new->thread_keyring);
 151
 152         ret = install_thread_keyring_to_cred(new);
 153         if (ret < 0) {
 154                 abort_creds(new);
 155                 return ret;
 156         }
 157
 158         return commit_creds(new);
 159 }
 160
 161 /*
 162  * install a process keyring directly to a credentials struct
 163  * - returns -EEXIST if there was already a process keyring, 0 if one installed,
 164  *   and other -ve on any other error
 165  */
 166 int install_process_keyring_to_cred(struct cred *new)
 167 {
 168         struct key *keyring;
 169         int ret;
 170
 171         if (new->tgcred->process_keyring)
 172                 return -EEXIST;
 173
 174         keyring = keyring_alloc("_pid", new->uid, new->gid,
 175                                 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
 176         if (IS_ERR(keyring))
 177                 return PTR_ERR(keyring);
 178
 179         spin_lock_irq(&new->tgcred->lock);
 180         if (!new->tgcred->process_keyring) {
 181                 new->tgcred->process_keyring = keyring;
 182                 keyring = NULL;
 183                 ret = 0;
 184         } else {
 185                 ret = -EEXIST;
 186         }
 187         spin_unlock_irq(&new->tgcred->lock);
 188         key_put(keyring);
 189         return ret;
 190 }
 191
 192 /*
 193  * make sure a process keyring is installed
 194  * - we
 195  */
 196 static int install_process_keyring(void)
 197 {
 198         struct cred *new;
 199         int ret;
 200
 201         new = prepare_creds();
 202         if (!new)
 203                 return -ENOMEM;
 204
 205         ret = install_process_keyring_to_cred(new);
 206         if (ret < 0) {
 207                 abort_creds(new);
 208                 return ret != -EEXIST ?: 0;
 209         }
 210
 211         return commit_creds(new);
 212 }
 213
 214 /*
 215  * install a session keyring directly to a credentials struct
 216  */
 217 static int install_session_keyring_to_cred(struct cred *cred,
 218                                            struct key *keyring)
 219 {
 220         unsigned long flags;
 221         struct key *old;
 222
 223         might_sleep();
 224
 225         /* create an empty session keyring */
 226         if (!keyring) {
 227                 flags = KEY_ALLOC_QUOTA_OVERRUN;
 228                 if (cred->tgcred->session_keyring)
 229                         flags = KEY_ALLOC_IN_QUOTA;
 230
 231                 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
 232                                         cred, flags, NULL);
 233                 if (IS_ERR(keyring))
 234                         return PTR_ERR(keyring);
 235         } else {
 236                 atomic_inc(&keyring->usage);
 237         }
 238
 239         /* install the keyring */
 240         spin_lock_irq(&cred->tgcred->lock);
 241         old = cred->tgcred->session_keyring;
 242         rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
 243         spin_unlock_irq(&cred->tgcred->lock);
 244
 245         /* we're using RCU on the pointer, but there's no point synchronising
 246          * on it if it didn't previously point to anything */
 247         if (old) {
 248                 synchronize_rcu();
 249                 key_put(old);
 250         }
 251
 252         return 0;
 253 }
 254
 255 /*
 256  * install a session keyring, discarding the old one
 257  * - if a keyring is not supplied, an empty one is invented
 258  */
 259 static int install_session_keyring(struct key *keyring)
 260 {
 261         struct cred *new;
 262         int ret;
 263
 264         new = prepare_creds();
 265         if (!new)
 266                 return -ENOMEM;
 267
 268         ret = install_session_keyring_to_cred(new, NULL);
 269         if (ret < 0) {
 270                 abort_creds(new);
 271                 return ret;
 272         }
 273
 274         return commit_creds(new);
 275 }
 276
 277 /*****************************************************************************/
 278 /*
 279  * deal with execve()
 280  */
 281 int exec_keys(struct task_struct *tsk)
 282 {
 283         struct thread_group_cred *tgcred = NULL;
 284         struct cred *new;
 285
 286 #ifdef CONFIG_KEYS
 287         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
 288         if (!tgcred)
 289                 return -ENOMEM;
 290 #endif
 291
 292         new = prepare_creds();
 293         if (new < 0)
 294                 return -ENOMEM;
 295
 296         /* newly exec'd tasks don't get a thread keyring */
 297         key_put(new->thread_keyring);
 298         new->thread_keyring = NULL;
 299
 300         /* create a new per-thread-group creds for all this set of threads to
 301          * share */
 302         memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
 303
 304         atomic_set(&tgcred->usage, 1);
 305         spin_lock_init(&tgcred->lock);
 306
 307         /* inherit the session keyring; new process keyring */
 308         key_get(tgcred->session_keyring);
 309         tgcred->process_keyring = NULL;
 310
 311         release_tgcred(new);
 312         new->tgcred = tgcred;
 313
 314         commit_creds(new);
 315         return 0;
 316
 317 } /* end exec_keys() */
 318
 319 /*****************************************************************************/
 320 /*
 321  * the filesystem user ID changed
 322  */
 323 void key_fsuid_changed(struct task_struct *tsk)
 324 {
 325         /* update the ownership of the thread keyring */
 326         BUG_ON(!tsk->cred);
 327         if (tsk->cred->thread_keyring) {
 328                 down_write(&tsk->cred->thread_keyring->sem);
 329                 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
 330                 up_write(&tsk->cred->thread_keyring->sem);
 331         }
 332
 333 } /* end key_fsuid_changed() */
 334
 335 /*****************************************************************************/
 336 /*
 337  * the filesystem group ID changed
 338  */
 339 void key_fsgid_changed(struct task_struct *tsk)
 340 {
 341         /* update the ownership of the thread keyring */
 342         BUG_ON(!tsk->cred);
 343         if (tsk->cred->thread_keyring) {
 344                 down_write(&tsk->cred->thread_keyring->sem);
 345                 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
 346                 up_write(&tsk->cred->thread_keyring->sem);
 347         }
 348
 349 } /* end key_fsgid_changed() */
 350
 351 /*****************************************************************************/
 352 /*
 353  * search the process keyrings for the first matching key
 354  * - we use the supplied match function to see if the description (or other
 355  *   feature of interest) matches
 356  * - we return -EAGAIN if we didn't find any matching key
 357  * - we return -ENOKEY if we found only negative matching keys
 358  */
 359 key_ref_t search_process_keyrings(struct key_type *type,
 360                                   const void *description,
 361                                   key_match_func_t match,
 362                                   const struct cred *cred)
 363 {
 364         struct request_key_auth *rka;
 365         key_ref_t key_ref, ret, err;
 366
 367         might_sleep();
 368
 369         /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
 370          * searchable, but we failed to find a key or we found a negative key;
 371          * otherwise we want to return a sample error (probably -EACCES) if
 372          * none of the keyrings were searchable
 373          *
 374          * in terms of priority: success > -ENOKEY > -EAGAIN > other error
 375          */
 376         key_ref = NULL;
 377         ret = NULL;
 378         err = ERR_PTR(-EAGAIN);
 379
 380         /* search the thread keyring first */
 381         if (cred->thread_keyring) {
 382                 key_ref = keyring_search_aux(
 383                         make_key_ref(cred->thread_keyring, 1),
 384                         cred, type, description, match);
 385                 if (!IS_ERR(key_ref))
 386                         goto found;
 387
 388                 switch (PTR_ERR(key_ref)) {
 389                 case -EAGAIN: /* no key */
 390                         if (ret)
 391                                 break;
 392                 case -ENOKEY: /* negative key */
 393                         ret = key_ref;
 394                         break;
 395                 default:
 396                         err = key_ref;
 397                         break;
 398                 }
 399         }
 400
 401         /* search the process keyring second */
 402         if (cred->tgcred->process_keyring) {
 403                 key_ref = keyring_search_aux(
 404                         make_key_ref(cred->tgcred->process_keyring, 1),
 405                         cred, type, description, match);
 406                 if (!IS_ERR(key_ref))
 407                         goto found;
 408
 409                 switch (PTR_ERR(key_ref)) {
 410                 case -EAGAIN: /* no key */
 411                         if (ret)
 412                                 break;
 413                 case -ENOKEY: /* negative key */
 414                         ret = key_ref;
 415                         break;
 416                 default:
 417                         err = key_ref;
 418                         break;
 419                 }
 420         }
 421
 422         /* search the session keyring */
 423         if (cred->tgcred->session_keyring) {
 424                 rcu_read_lock();
 425                 key_ref = keyring_search_aux(
 426                         make_key_ref(rcu_dereference(
 427                                              cred->tgcred->session_keyring),
 428                                      1),
 429                         cred, type, description, match);
 430                 rcu_read_unlock();
 431
 432                 if (!IS_ERR(key_ref))
 433                         goto found;
 434
 435                 switch (PTR_ERR(key_ref)) {
 436                 case -EAGAIN: /* no key */
 437                         if (ret)
 438                                 break;
 439                 case -ENOKEY: /* negative key */
 440                         ret = key_ref;
 441                         break;
 442                 default:
 443                         err = key_ref;
 444                         break;
 445                 }
 446         }
 447         /* or search the user-session keyring */
 448         else if (cred->user->session_keyring) {
 449                 key_ref = keyring_search_aux(
 450                         make_key_ref(cred->user->session_keyring, 1),
 451                         cred, type, description, match);
 452                 if (!IS_ERR(key_ref))
 453                         goto found;
 454
 455                 switch (PTR_ERR(key_ref)) {
 456                 case -EAGAIN: /* no key */
 457                         if (ret)
 458                                 break;
 459                 case -ENOKEY: /* negative key */
 460                         ret = key_ref;
 461                         break;
 462                 default:
 463                         err = key_ref;
 464                         break;
 465                 }
 466         }
 467
 468         /* if this process has an instantiation authorisation key, then we also
 469          * search the keyrings of the process mentioned there
 470          * - we don't permit access to request_key auth keys via this method
 471          */
 472         if (cred->request_key_auth &&
 473             cred == current_cred() &&
 474             type != &key_type_request_key_auth
 475             ) {
 476                 /* defend against the auth key being revoked */
 477                 down_read(&cred->request_key_auth->sem);
 478
 479                 if (key_validate(cred->request_key_auth) == 0) {
 480                         rka = cred->request_key_auth->payload.data;
 481
 482                         key_ref = search_process_keyrings(type, description,
 483                                                           match, rka->cred);
 484
 485                         up_read(&cred->request_key_auth->sem);
 486
 487                         if (!IS_ERR(key_ref))
 488                                 goto found;
 489
 490                         switch (PTR_ERR(key_ref)) {
 491                         case -EAGAIN: /* no key */
 492                                 if (ret)
 493                                         break;
 494                         case -ENOKEY: /* negative key */
 495                                 ret = key_ref;
 496                                 break;
 497                         default:
 498                                 err = key_ref;
 499                                 break;
 500                         }
 501                 } else {
 502                         up_read(&cred->request_key_auth->sem);
 503                 }
 504         }
 505
 506         /* no key - decide on the error we're going to go for */
 507         key_ref = ret ? ret : err;
 508
 509 found:
 510         return key_ref;
 511
 512 } /* end search_process_keyrings() */
 513
 514 /*****************************************************************************/
 515 /*
 516  * see if the key we're looking at is the target key
 517  */
 518 static int lookup_user_key_possessed(const struct key *key, const void *target)
 519 {
 520         return key == target;
 521
 522 } /* end lookup_user_key_possessed() */
 523
 524 /*****************************************************************************/
 525 /*
 526  * lookup a key given a key ID from userspace with a given permissions mask
 527  * - don't create special keyrings unless so requested
 528  * - partially constructed keys aren't found unless requested
 529  */
 530 key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
 531                           key_perm_t perm)
 532 {
 533         struct request_key_auth *rka;
 534         const struct cred *cred;
 535         struct key *key;
 536         key_ref_t key_ref, skey_ref;
 537         int ret;
 538
 539 try_again:
 540         cred = get_current_cred();
 541         key_ref = ERR_PTR(-ENOKEY);
 542
 543         switch (id) {
 544         case KEY_SPEC_THREAD_KEYRING:
 545                 if (!cred->thread_keyring) {
 546                         if (!create)
 547                                 goto error;
 548
 549                         ret = install_thread_keyring();
 550                         if (ret < 0) {
 551                                 key = ERR_PTR(ret);
 552                                 goto error;
 553                         }
 554                         goto reget_creds;
 555                 }
 556
 557                 key = cred->thread_keyring;
 558                 atomic_inc(&key->usage);
 559                 key_ref = make_key_ref(key, 1);
 560                 break;
 561
 562         case KEY_SPEC_PROCESS_KEYRING:
 563                 if (!cred->tgcred->process_keyring) {
 564                         if (!create)
 565                                 goto error;
 566
 567                         ret = install_process_keyring();
 568                         if (ret < 0) {
 569                                 key = ERR_PTR(ret);
 570                                 goto error;
 571                         }
 572                         goto reget_creds;
 573                 }
 574
 575                 key = cred->tgcred->process_keyring;
 576                 atomic_inc(&key->usage);
 577                 key_ref = make_key_ref(key, 1);
 578                 break;
 579
 580         case KEY_SPEC_SESSION_KEYRING:
 581                 if (!cred->tgcred->session_keyring) {
 582                         /* always install a session keyring upon access if one
 583                          * doesn't exist yet */
 584                         ret = install_user_keyrings();
 585                         if (ret < 0)
 586                                 goto error;
 587                         ret = install_session_keyring(
 588                                 cred->user->session_keyring);
 589
 590                         if (ret < 0)
 591                                 goto error;
 592                         goto reget_creds;
 593                 }
 594
 595                 rcu_read_lock();
 596                 key = rcu_dereference(cred->tgcred->session_keyring);
 597                 atomic_inc(&key->usage);
 598                 rcu_read_unlock();
 599                 key_ref = make_key_ref(key, 1);
 600                 break;
 601
 602         case KEY_SPEC_USER_KEYRING:
 603                 if (!cred->user->uid_keyring) {
 604                         ret = install_user_keyrings();
 605                         if (ret < 0)
 606                                 goto error;
 607                 }
 608
 609                 key = cred->user->uid_keyring;
 610                 atomic_inc(&key->usage);
 611                 key_ref = make_key_ref(key, 1);
 612                 break;
 613
 614         case KEY_SPEC_USER_SESSION_KEYRING:
 615                 if (!cred->user->session_keyring) {
 616                         ret = install_user_keyrings();
 617                         if (ret < 0)
 618                                 goto error;
 619                 }
 620
 621                 key = cred->user->session_keyring;
 622                 atomic_inc(&key->usage);
 623                 key_ref = make_key_ref(key, 1);
 624                 break;
 625
 626         case KEY_SPEC_GROUP_KEYRING:
 627                 /* group keyrings are not yet supported */
 628                 key = ERR_PTR(-EINVAL);
 629                 goto error;
 630
 631         case KEY_SPEC_REQKEY_AUTH_KEY:
 632                 key = cred->request_key_auth;
 633                 if (!key)
 634                         goto error;
 635
 636                 atomic_inc(&key->usage);
 637                 key_ref = make_key_ref(key, 1);
 638                 break;
 639
 640         case KEY_SPEC_REQUESTOR_KEYRING:
 641                 if (!cred->request_key_auth)
 642                         goto error;
 643
 644                 down_read(&cred->request_key_auth->sem);
 645                 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
 646                         key_ref = ERR_PTR(-EKEYREVOKED);
 647                         key = NULL;
 648                 } else {
 649                         rka = cred->request_key_auth->payload.data;
 650                         key = rka->dest_keyring;
 651                         atomic_inc(&key->usage);
 652                 }
 653                 up_read(&cred->request_key_auth->sem);
 654                 if (!key)
 655                         goto error;
 656                 key_ref = make_key_ref(key, 1);
 657                 break;
 658
 659         default:
 660                 key_ref = ERR_PTR(-EINVAL);
 661                 if (id < 1)
 662                         goto error;
 663
 664                 key = key_lookup(id);
 665                 if (IS_ERR(key)) {
 666                         key_ref = ERR_CAST(key);
 667                         goto error;
 668                 }
 669
 670                 key_ref = make_key_ref(key, 0);
 671
 672                 /* check to see if we possess the key */
 673                 skey_ref = search_process_keyrings(key->type, key,
 674                                                    lookup_user_key_possessed,
 675                                                    cred);
 676
 677                 if (!IS_ERR(skey_ref)) {
 678                         key_put(key);
 679                         key_ref = skey_ref;
 680                 }
 681
 682                 break;
 683         }
 684
 685         if (!partial) {
 686                 ret = wait_for_key_construction(key, true);
 687                 switch (ret) {
 688                 case -ERESTARTSYS:
 689                         goto invalid_key;
 690                 default:
 691                         if (perm)
 692                                 goto invalid_key;
 693                 case 0:
 694                         break;
 695                 }
 696         } else if (perm) {
 697                 ret = key_validate(key);
 698                 if (ret < 0)
 699                         goto invalid_key;
 700         }
 701
 702         ret = -EIO;
 703         if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
 704                 goto invalid_key;
 705
 706         /* check the permissions */
 707         ret = key_task_permission(key_ref, cred, perm);
 708         if (ret < 0)
 709                 goto invalid_key;
 710
 711 error:
 712         put_cred(cred);
 713         return key_ref;
 714
 715 invalid_key:
 716         key_ref_put(key_ref);
 717         key_ref = ERR_PTR(ret);
 718         goto error;
 719
 720         /* if we attempted to install a keyring, then it may have caused new
 721          * creds to be installed */
 722 reget_creds:
 723         put_cred(cred);
 724         goto try_again;
 725
 726 } /* end lookup_user_key() */
 727
 728 /*****************************************************************************/
 729 /*
 730  * join the named keyring as the session keyring if possible, or attempt to
 731  * create a new one of that name if not
 732  * - if the name is NULL, an empty anonymous keyring is installed instead
 733  * - named session keyring joining is done with a semaphore held
 734  */
 735 long join_session_keyring(const char *name)
 736 {
 737         const struct cred *old;
 738         struct cred *new;
 739         struct key *keyring;
 740         long ret, serial;
 741
 742         /* only permit this if there's a single thread in the thread group -
 743          * this avoids us having to adjust the creds on all threads and risking
 744          * ENOMEM */
 745         if (!is_single_threaded(current))
 746                 return -EMLINK;
 747
 748         new = prepare_creds();
 749         if (!new)
 750                 return -ENOMEM;
 751         old = current_cred();
 752
 753         /* if no name is provided, install an anonymous keyring */
 754         if (!name) {
 755                 ret = install_session_keyring_to_cred(new, NULL);
 756                 if (ret < 0)
 757                         goto error;
 758
 759                 serial = new->tgcred->session_keyring->serial;
 760                 ret = commit_creds(new);
 761                 if (ret == 0)
 762                         ret = serial;
 763                 goto okay;
 764         }
 765
 766         /* allow the user to join or create a named keyring */
 767         mutex_lock(&key_session_mutex);
 768
 769         /* look for an existing keyring of this name */
 770         keyring = find_keyring_by_name(name, false);
 771         if (PTR_ERR(keyring) == -ENOKEY) {
 772                 /* not found - try and create a new one */
 773                 keyring = keyring_alloc(name, old->uid, old->gid, old,
 774                                         KEY_ALLOC_IN_QUOTA, NULL);
 775                 if (IS_ERR(keyring)) {
 776                         ret = PTR_ERR(keyring);
 777                         goto error2;
 778                 }
 779         } else if (IS_ERR(keyring)) {
 780                 ret = PTR_ERR(keyring);
 781                 goto error2;
 782         }
 783
 784         /* we've got a keyring - now to install it */
 785         ret = install_session_keyring_to_cred(new, keyring);
 786         if (ret < 0)
 787                 goto error2;
 788
 789         commit_creds(new);
 790         mutex_unlock(&key_session_mutex);
 791
 792         ret = keyring->serial;
 793         key_put(keyring);
 794 okay:
 795         return ret;
 796
 797 error2:
 798         mutex_unlock(&key_session_mutex);
 799 error:
 800         abort_creds(new);
 801         return ret;
 802 }