Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

   - A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
     of modules and firmware to be loaded from a specific device (this
     is from ChromeOS, where the device as a whole is verified
     cryptographically via dm-verity).

     This is disabled by default but can be configured to be enabled by
     default (don't do this if you don't know what you're doing).

   - Keys: allow authentication data to be stored in an asymmetric key.
     Lots of general fixes and updates.

   - SELinux: add restrictions for loading of kernel modules via
     finit_module().  Distinguish non-init user namespace capability
     checks.  Apply execstack check on thread stacks"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
  LSM: LoadPin: provide enablement CONFIG
  Yama: use atomic allocations when reporting
  seccomp: Fix comment typo
  ima: add support for creating files using the mknodat syscall
  ima: fix ima_inode_post_setattr
  vfs: forbid write access when reading a file into memory
  fs: fix over-zealous use of "const"
  selinux: apply execstack check on thread stacks
  selinux: distinguish non-init user namespace capability checks
  LSM: LoadPin for kernel file loading restrictions
  fs: define a string representation of the kernel_read_file_id enumeration
  Yama: consolidate error reporting
  string_helpers: add kstrdup_quotable_file
  string_helpers: add kstrdup_quotable_cmdline
  string_helpers: add kstrdup_quotable
  selinux: check ss_initialized before revalidating an inode label
  selinux: delay inode label lookup as long as possible
  selinux: don't revalidate an inode's label when explicitly setting it
  selinux: Change bool variable name to index.
  KEYS: Add KEYCTL_DH_COMPUTE command
  ...

14 files changed, 175 insertions, 95 deletions

diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 441aff9b5aa7..583f199400a3 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -12,6 +12,7 @@
 #ifndef _CRYPTO_PKCS7_H
 #define _CRYPTO_PKCS7_H
 
+#include <linux/verification.h>
 #include <crypto/public_key.h>
 
 struct key;
@@ -26,14 +27,13 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
 
 extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
                                   const void **_data, size_t *_datalen,
-                                  bool want_wrapper);
+                                  size_t *_headerlen);
 
 /*
  * pkcs7_trust.c
  */
 extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-                                struct key *trust_keyring,
-                                bool *_trusted);
+                                struct key *trust_keyring);
 
 /*
  * pkcs7_verify.c
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index aa730ea7faf8..882ca0e1e7a5 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,20 +15,6 @@
 #define _LINUX_PUBLIC_KEY_H
 
 /*
- * The use to which an asymmetric key is being put.
- */
-enum key_being_used_for {
-        VERIFYING_MODULE_SIGNATURE,
-        VERIFYING_FIRMWARE_SIGNATURE,
-        VERIFYING_KEXEC_PE_SIGNATURE,
-        VERIFYING_KEY_SIGNATURE,
-        VERIFYING_KEY_SELF_SIGNATURE,
-        VERIFYING_UNSPECIFIED_SIGNATURE,
-        NR__KEY_BEING_USED_FOR
-};
-extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
-
-/*
  * Cryptographic data for the public-key subtype of the asymmetric key type.
  *
  * Note that this may include private part of the key as well as the public
@@ -41,12 +27,13 @@ struct public_key {
         const char *pkey_algo;
 };
 
-extern void public_key_destroy(void *payload);
+extern void public_key_free(struct public_key *key);
 
 /*
  * Public key cryptography signature data
  */
 struct public_key_signature {
+        struct asymmetric_key_id *auth_ids[2];
         u8 *s;                  /* Signature */
         u32 s_size;             /* Number of bytes in signature */
         u8 *digest;
@@ -55,17 +42,21 @@ struct public_key_signature {
         const char *hash_algo;
 };
 
+extern void public_key_signature_free(struct public_key_signature *sig);
+
 extern struct asymmetric_key_subtype public_key_subtype;
+
 struct key;
+struct key_type;
+union key_payload;
+
+extern int restrict_link_by_signature(struct key *trust_keyring,
+                                      const struct key_type *type,
+                                      const union key_payload *payload);
+
 extern int verify_signature(const struct key *key,
                             const struct public_key_signature *sig);
 
-struct asymmetric_key_id;
-extern struct key *x509_request_asymmetric_key(struct key *keyring,
-                                               const struct asymmetric_key_id *id,
-                                               const struct asymmetric_key_id *skid,
-                                               bool partial);
-
 int public_key_verify_signature(const struct public_key *pkey,
                                 const struct public_key_signature *sig);
 
diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h
index 4915d40d3c3c..2480469ce8fb 100644
--- a/include/keys/asymmetric-subtype.h
+++ b/include/keys/asymmetric-subtype.h
@@ -32,7 +32,7 @@ struct asymmetric_key_subtype {
         void (*describe)(const struct key *key, struct seq_file *m);
 
         /* Destroy a key of this subtype */
-        void (*destroy)(void *payload);
+        void (*destroy)(void *payload_crypto, void *payload_auth);
 
         /* Verify the signature on a key of this subtype (optional) */
         int (*verify_signature)(const struct key *key,
diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
index 59c1df9cf922..b38240716d41 100644
--- a/include/keys/asymmetric-type.h
+++ b/include/keys/asymmetric-type.h
@@ -15,6 +15,7 @@
 #define _KEYS_ASYMMETRIC_TYPE_H
 
 #include <linux/key-type.h>
+#include <linux/verification.h>
 
 extern struct key_type key_type_asymmetric;
 
@@ -23,9 +24,10 @@ extern struct key_type key_type_asymmetric;
  * follows:
  */
 enum asymmetric_payload_bits {
-        asym_crypto,
-        asym_subtype,
-        asym_key_ids,
+        asym_crypto,            /* The data representing the key */
+        asym_subtype,           /* Pointer to an asymmetric_key_subtype struct */
+        asym_key_ids,           /* Pointer to an asymmetric_key_ids struct */
+        asym_auth               /* The key's authorisation (signature, parent key ID) */
 };
 
 /*
@@ -74,6 +76,11 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
         return key->payload.data[asym_key_ids];
 }
 
+extern struct key *find_asymmetric_key(struct key *keyring,
+                                       const struct asymmetric_key_id *id_0,
+                                       const struct asymmetric_key_id *id_1,
+                                       bool partial);
+
 /*
  * The payload is at the discretion of the subtype.
  */
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 39fd38cfa8c9..fbd4647767e9 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -12,51 +12,40 @@
 #ifndef _KEYS_SYSTEM_KEYRING_H
 #define _KEYS_SYSTEM_KEYRING_H
 
+#include <linux/key.h>
+
 #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
 
-#include <linux/key.h>
-#include <crypto/public_key.h>
+extern int restrict_link_by_builtin_trusted(struct key *keyring,
+                                            const struct key_type *type,
+                                            const union key_payload *payload);
 
-extern struct key *system_trusted_keyring;
-static inline struct key *get_system_trusted_keyring(void)
-{
-        return system_trusted_keyring;
-}
 #else
-static inline struct key *get_system_trusted_keyring(void)
-{
-        return NULL;
-}
+#define restrict_link_by_builtin_trusted restrict_link_reject
 #endif
 
-#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
-extern int system_verify_data(const void *data, unsigned long len,
-                              const void *raw_pkcs7, size_t pkcs7_len,
-                              enum key_being_used_for usage);
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+extern int restrict_link_by_builtin_and_secondary_trusted(
+        struct key *keyring,
+        const struct key_type *type,
+        const union key_payload *payload);
+#else
+#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
 #endif
 
-#ifdef CONFIG_IMA_MOK_KEYRING
-extern struct key *ima_mok_keyring;
+#ifdef CONFIG_IMA_BLACKLIST_KEYRING
 extern struct key *ima_blacklist_keyring;
 
-static inline struct key *get_ima_mok_keyring(void)
-{
-        return ima_mok_keyring;
-}
 static inline struct key *get_ima_blacklist_keyring(void)
 {
         return ima_blacklist_keyring;
 }
 #else
-static inline struct key *get_ima_mok_keyring(void)
-{
-        return NULL;
-}
 static inline struct key *get_ima_blacklist_keyring(void)
 {
         return NULL;
 }
-#endif /* CONFIG_IMA_MOK_KEYRING */
+#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
 
 
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 851390c8d75b..10d3d8f8a65b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2634,15 +2634,34 @@ static inline void i_readcount_inc(struct inode *inode)
 #endif
 extern int do_pipe_flags(int *, int);
 
+#define __kernel_read_file_id(id) \
+        id(UNKNOWN, unknown)            \
+        id(FIRMWARE, firmware)          \
+        id(MODULE, kernel-module)               \
+        id(KEXEC_IMAGE, kexec-image)            \
+        id(KEXEC_INITRAMFS, kexec-initramfs)    \
+        id(POLICY, security-policy)             \
+        id(MAX_ID, )
+
+#define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
+#define __fid_stringify(dummy, str) #str,
+
 enum kernel_read_file_id {
-        READING_FIRMWARE = 1,
-        READING_MODULE,
-        READING_KEXEC_IMAGE,
-        READING_KEXEC_INITRAMFS,
-        READING_POLICY,
-        READING_MAX_ID
+        __kernel_read_file_id(__fid_enumify)
+};
+
+static const char * const kernel_read_file_str[] = {
+        __kernel_read_file_id(__fid_stringify)
 };
 
+static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id)
+{
+        if (id < 0 || id >= READING_MAX_ID)
+                return kernel_read_file_str[READING_UNKNOWN];
+
+        return kernel_read_file_str[id];
+}
+
 extern int kernel_read(struct file *, loff_t, char *, unsigned long);
 extern int kernel_read_file(struct file *, void **, loff_t *, loff_t,
                             enum kernel_read_file_id);
diff --git a/include/linux/ima.h b/include/linux/ima.h
index e6516cbbe9bf..0eb7c2e7f0d6 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -21,6 +21,7 @@ extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
 extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
                               enum kernel_read_file_id id);
+extern void ima_post_path_mknod(struct dentry *dentry);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -54,6 +55,11 @@ static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
         return 0;
 }
 
+static inline void ima_post_path_mknod(struct dentry *dentry)
+{
+        return;
+}
+
 #endif /* CONFIG_IMA */
 
 #ifdef CONFIG_IMA_APPRAISE
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7463355a198b..eaee981c5558 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -45,7 +45,6 @@ struct key_preparsed_payload {
         size_t          datalen;        /* Raw datalen */
         size_t          quotalen;       /* Quota length for proposed payload */
         time_t          expiry;         /* Expiry time of key */
-        bool            trusted;        /* True if key is trusted */
 };
 
 typedef int (*request_key_actor_t)(struct key_construction *key,
diff --git a/include/linux/key.h b/include/linux/key.h
index 5f5b1129dc92..722914798f37 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -173,11 +173,9 @@ struct key {
 #define KEY_FLAG_NEGATIVE       5       /* set if key is negative */
 #define KEY_FLAG_ROOT_CAN_CLEAR 6       /* set if key can be cleared by root without permission */
 #define KEY_FLAG_INVALIDATED    7       /* set if key has been invalidated */
-#define KEY_FLAG_TRUSTED        8       /* set if key is trusted */
-#define KEY_FLAG_TRUSTED_ONLY   9       /* set if keyring only accepts links to trusted keys */
-#define KEY_FLAG_BUILTIN        10      /* set if key is builtin */
-#define KEY_FLAG_ROOT_CAN_INVAL 11      /* set if key can be invalidated by root without permission */
-#define KEY_FLAG_KEEP           12      /* set if key should not be removed */
+#define KEY_FLAG_BUILTIN        8       /* set if key is built in to the kernel */
+#define KEY_FLAG_ROOT_CAN_INVAL 9       /* set if key can be invalidated by root without permission */
+#define KEY_FLAG_KEEP           10      /* set if key should not be removed */
 
         /* the key type and key description string
          * - the desc is used to match a key against search criteria
@@ -205,6 +203,20 @@ struct key {
                 };
                 int reject_error;
         };
+
+        /* This is set on a keyring to restrict the addition of a link to a key
+         * to it.  If this method isn't provided then it is assumed that the
+         * keyring is open to any addition.  It is ignored for non-keyring
+         * keys.
+         *
+         * This is intended for use with rings of trusted keys whereby addition
+         * to the keyring needs to be controlled.  KEY_ALLOC_BYPASS_RESTRICTION
+         * overrides this, allowing the kernel to add extra keys without
+         * restriction.
+         */
+        int (*restrict_link)(struct key *keyring,
+                             const struct key_type *type,
+                             const union key_payload *payload);
 };
 
 extern struct key *key_alloc(struct key_type *type,
@@ -212,14 +224,17 @@ extern struct key *key_alloc(struct key_type *type,
                              kuid_t uid, kgid_t gid,
                              const struct cred *cred,
                              key_perm_t perm,
-                             unsigned long flags);
+                             unsigned long flags,
+                             int (*restrict_link)(struct key *,
+                                                  const struct key_type *,
+                                                  const union key_payload *));
 
 
-#define KEY_ALLOC_IN_QUOTA      0x0000  /* add to quota, reject if would overrun */
-#define KEY_ALLOC_QUOTA_OVERRUN 0x0001  /* add to quota, permit even if overrun */
-#define KEY_ALLOC_NOT_IN_QUOTA  0x0002  /* not in quota */
-#define KEY_ALLOC_TRUSTED       0x0004  /* Key should be flagged as trusted */
-#define KEY_ALLOC_BUILT_IN      0x0008  /* Key is built into kernel */
+#define KEY_ALLOC_IN_QUOTA              0x0000  /* add to quota, reject if would overrun */
+#define KEY_ALLOC_QUOTA_OVERRUN         0x0001  /* add to quota, permit even if overrun */
+#define KEY_ALLOC_NOT_IN_QUOTA          0x0002  /* not in quota */
+#define KEY_ALLOC_BUILT_IN              0x0004  /* Key is built into kernel */
+#define KEY_ALLOC_BYPASS_RESTRICTION    0x0008  /* Override the check on restricted keyrings */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
@@ -288,8 +303,15 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid
                                  const struct cred *cred,
                                  key_perm_t perm,
                                  unsigned long flags,
+                                 int (*restrict_link)(struct key *,
+                                                      const struct key_type *,
+                                                      const union key_payload *),
                                  struct key *dest);
 
+extern int restrict_link_reject(struct key *keyring,
+                                const struct key_type *type,
+                                const union key_payload *payload);
+
 extern int keyring_clear(struct key *keyring);
 
 extern key_ref_t keyring_search(key_ref_t keyring,
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 512fd000562b..7ae397669d8b 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1805,7 +1805,6 @@ struct security_hook_heads {
         struct list_head tun_dev_attach_queue;
         struct list_head tun_dev_attach;
         struct list_head tun_dev_open;
-        struct list_head skb_owned_by;
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
         struct list_head xfrm_policy_alloc_security;
@@ -1894,5 +1893,10 @@ extern void __init yama_add_hooks(void);
 #else
 static inline void __init yama_add_hooks(void) { }
 #endif
+#ifdef CONFIG_SECURITY_LOADPIN
+void __init loadpin_add_hooks(void);
+#else
+static inline void loadpin_add_hooks(void) { };
+#endif
 
 #endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/include/linux/string_helpers.h b/include/linux/string_helpers.h
index dabe643eb5fa..5ce9538f290e 100644
--- a/include/linux/string_helpers.h
+++ b/include/linux/string_helpers.h
@@ -3,6 +3,8 @@
 
 #include <linux/types.h>
 
+struct file;
+
 /* Descriptions of the types of units to
  * print in */
 enum string_size_units {
@@ -68,4 +70,8 @@ static inline int string_escape_str_any_np(const char *src, char *dst,
         return string_escape_str(src, dst, sz, ESCAPE_ANY_NP, only);
 }
 
+char *kstrdup_quotable(const char *src, gfp_t gfp);
+char *kstrdup_quotable_cmdline(struct task_struct *task, gfp_t gfp);
+char *kstrdup_quotable_file(struct file *file, gfp_t gfp);
+
 #endif
diff --git a/include/linux/verification.h b/include/linux/verification.h
new file mode 100644
index 000000000000..a10549a6c7cd
--- /dev/null
+++ b/include/linux/verification.h
@@ -0,0 +1,49 @@
+/* Signature verification
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_VERIFICATION_H
+#define _LINUX_VERIFICATION_H
+
+/*
+ * The use to which an asymmetric key is being put.
+ */
+enum key_being_used_for {
+        VERIFYING_MODULE_SIGNATURE,
+        VERIFYING_FIRMWARE_SIGNATURE,
+        VERIFYING_KEXEC_PE_SIGNATURE,
+        VERIFYING_KEY_SIGNATURE,
+        VERIFYING_KEY_SELF_SIGNATURE,
+        VERIFYING_UNSPECIFIED_SIGNATURE,
+        NR__KEY_BEING_USED_FOR
+};
+extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
+
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+
+struct key;
+
+extern int verify_pkcs7_signature(const void *data, size_t len,
+                                  const void *raw_pkcs7, size_t pkcs7_len,
+                                  struct key *trusted_keys,
+                                  enum key_being_used_for usage,
+                                  int (*view_content)(void *ctx,
+                                                      const void *data, size_t len,
+                                                      size_t asn1hdrlen),
+                                  void *ctx);
+
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
+                                   struct key *trusted_keys,
+                                   enum key_being_used_for usage);
+#endif
+
+#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+#endif /* _LINUX_VERIFY_PEFILE_H */
diff --git a/include/linux/verify_pefile.h b/include/linux/verify_pefile.h
deleted file mode 100644
index da2049b5161c..000000000000
--- a/include/linux/verify_pefile.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* Signed PE file verification
- *
- * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
- */
-
-#ifndef _LINUX_VERIFY_PEFILE_H
-#define _LINUX_VERIFY_PEFILE_H
-
-#include <crypto/public_key.h>
-
-extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
-                                   struct key *trusted_keyring,
-                                   enum key_being_used_for usage,
-                                   bool *_trusted);
-
-#endif /* _LINUX_VERIFY_PEFILE_H */
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index 840cb990abe2..86eddd6241f3 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -12,6 +12,8 @@
 #ifndef _LINUX_KEYCTL_H
 #define _LINUX_KEYCTL_H
 
+#include <linux/types.h>
+
 /* special process keyring shortcut IDs */
 #define KEY_SPEC_THREAD_KEYRING         -1      /* - key ID for thread-specific keyring */
 #define KEY_SPEC_PROCESS_KEYRING        -2      /* - key ID for process-specific keyring */
@@ -57,5 +59,13 @@
 #define KEYCTL_INSTANTIATE_IOV          20      /* instantiate a partially constructed key */
 #define KEYCTL_INVALIDATE               21      /* invalidate a key */
 #define KEYCTL_GET_PERSISTENT           22      /* get a user's persistent keyring */
+#define KEYCTL_DH_COMPUTE               23      /* Compute Diffie-Hellman values */
+
+/* keyctl structures */
+struct keyctl_dh_params {
+        __s32 private;
+        __s32 prime;
+        __s32 base;
+};
 
 #endif /*  _LINUX_KEYCTL_H */