diff options
| author | David Howells <dhowells@redhat.com> | 2013-08-30 11:07:37 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2013-09-25 12:17:01 -0400 |
| commit | 008643b86c5f33c115c84ccdda1725cac3ad50ad (patch) | |
| tree | 951ea0d3d7b84ce3570da17f03f45a53f3e4b35d | |
| parent | b56e5a17b6b9acd16997960504b9940d0d7984e7 (diff) | |
KEYS: Add a 'trusted' flag and a 'trusted only' flag
Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source
or had a cryptographic signature chain that led back to a trusted key the
kernel already possessed.
Add KEY_FLAGS_TRUSTED_ONLY to indicate that a keyring will only accept links to
keys marked with KEY_FLAGS_TRUSTED.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | include/linux/key-type.h | 1 | ||||
| -rw-r--r-- | include/linux/key.h | 3 | ||||
| -rw-r--r-- | kernel/system_keyring.c | 4 | ||||
| -rw-r--r-- | security/keys/key.c | 8 | ||||
| -rw-r--r-- | security/keys/keyring.c | 4 |
5 files changed, 19 insertions, 1 deletions
diff --git a/include/linux/key-type.h b/include/linux/key-type.h index f58737bcb050..a74c3a84dfdd 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h | |||
| @@ -45,6 +45,7 @@ struct key_preparsed_payload { | |||
| 45 | const void *data; /* Raw data */ | 45 | const void *data; /* Raw data */ |
| 46 | size_t datalen; /* Raw datalen */ | 46 | size_t datalen; /* Raw datalen */ |
| 47 | size_t quotalen; /* Quota length for proposed payload */ | 47 | size_t quotalen; /* Quota length for proposed payload */ |
| 48 | bool trusted; /* True if key is trusted */ | ||
| 48 | }; | 49 | }; |
| 49 | 50 | ||
| 50 | typedef int (*request_key_actor_t)(struct key_construction *key, | 51 | typedef int (*request_key_actor_t)(struct key_construction *key, |
diff --git a/include/linux/key.h b/include/linux/key.h index 010dbb618aca..80d677483e31 100644 --- a/include/linux/key.h +++ b/include/linux/key.h | |||
| @@ -168,6 +168,8 @@ struct key { | |||
| 168 | #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ | 168 | #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ |
| 169 | #define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */ | 169 | #define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */ |
| 170 | #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ | 170 | #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ |
| 171 | #define KEY_FLAG_TRUSTED 8 /* set if key is trusted */ | ||
| 172 | #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */ | ||
| 171 | 173 | ||
| 172 | /* the key type and key description string | 174 | /* the key type and key description string |
| 173 | * - the desc is used to match a key against search criteria | 175 | * - the desc is used to match a key against search criteria |
| @@ -218,6 +220,7 @@ extern struct key *key_alloc(struct key_type *type, | |||
| 218 | #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ | 220 | #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ |
| 219 | #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */ | 221 | #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */ |
| 220 | #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */ | 222 | #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */ |
| 223 | #define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */ | ||
| 221 | 224 | ||
| 222 | extern void key_revoke(struct key *key); | 225 | extern void key_revoke(struct key *key); |
| 223 | extern void key_invalidate(struct key *key); | 226 | extern void key_invalidate(struct key *key); |
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c index 51c35141a13a..5296721eca5b 100644 --- a/kernel/system_keyring.c +++ b/kernel/system_keyring.c | |||
| @@ -40,6 +40,7 @@ static __init int system_trusted_keyring_init(void) | |||
| 40 | if (IS_ERR(system_trusted_keyring)) | 40 | if (IS_ERR(system_trusted_keyring)) |
| 41 | panic("Can't allocate system trusted keyring\n"); | 41 | panic("Can't allocate system trusted keyring\n"); |
| 42 | 42 | ||
| 43 | set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); | ||
| 43 | return 0; | 44 | return 0; |
| 44 | } | 45 | } |
| 45 | 46 | ||
| @@ -82,7 +83,8 @@ static __init int load_system_certificate_list(void) | |||
| 82 | plen, | 83 | plen, |
| 83 | (KEY_POS_ALL & ~KEY_POS_SETATTR) | | 84 | (KEY_POS_ALL & ~KEY_POS_SETATTR) | |
| 84 | KEY_USR_VIEW, | 85 | KEY_USR_VIEW, |
| 85 | KEY_ALLOC_NOT_IN_QUOTA); | 86 | KEY_ALLOC_NOT_IN_QUOTA | |
| 87 | KEY_ALLOC_TRUSTED); | ||
| 86 | if (IS_ERR(key)) { | 88 | if (IS_ERR(key)) { |
| 87 | pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", | 89 | pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", |
| 88 | PTR_ERR(key)); | 90 | PTR_ERR(key)); |
diff --git a/security/keys/key.c b/security/keys/key.c index a819b5c7d4ec..d331ea9ef380 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
| @@ -300,6 +300,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, | |||
| 300 | 300 | ||
| 301 | if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) | 301 | if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) |
| 302 | key->flags |= 1 << KEY_FLAG_IN_QUOTA; | 302 | key->flags |= 1 << KEY_FLAG_IN_QUOTA; |
| 303 | if (flags & KEY_ALLOC_TRUSTED) | ||
| 304 | key->flags |= 1 << KEY_FLAG_TRUSTED; | ||
| 303 | 305 | ||
| 304 | memset(&key->type_data, 0, sizeof(key->type_data)); | 306 | memset(&key->type_data, 0, sizeof(key->type_data)); |
| 305 | 307 | ||
| @@ -813,6 +815,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, | |||
| 813 | prep.data = payload; | 815 | prep.data = payload; |
| 814 | prep.datalen = plen; | 816 | prep.datalen = plen; |
| 815 | prep.quotalen = index_key.type->def_datalen; | 817 | prep.quotalen = index_key.type->def_datalen; |
| 818 | prep.trusted = flags & KEY_ALLOC_TRUSTED; | ||
| 816 | if (index_key.type->preparse) { | 819 | if (index_key.type->preparse) { |
| 817 | ret = index_key.type->preparse(&prep); | 820 | ret = index_key.type->preparse(&prep); |
| 818 | if (ret < 0) { | 821 | if (ret < 0) { |
| @@ -827,6 +830,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, | |||
| 827 | } | 830 | } |
| 828 | index_key.desc_len = strlen(index_key.description); | 831 | index_key.desc_len = strlen(index_key.description); |
| 829 | 832 | ||
| 833 | key_ref = ERR_PTR(-EPERM); | ||
| 834 | if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags)) | ||
| 835 | goto error_free_prep; | ||
| 836 | flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0; | ||
| 837 | |||
| 830 | ret = __key_link_begin(keyring, &index_key, &edit); | 838 | ret = __key_link_begin(keyring, &index_key, &edit); |
| 831 | if (ret < 0) { | 839 | if (ret < 0) { |
| 832 | key_ref = ERR_PTR(ret); | 840 | key_ref = ERR_PTR(ret); |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index f7cdea22214f..9b6f6e09b50c 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
| @@ -1183,6 +1183,10 @@ int key_link(struct key *keyring, struct key *key) | |||
| 1183 | key_check(keyring); | 1183 | key_check(keyring); |
| 1184 | key_check(key); | 1184 | key_check(key); |
| 1185 | 1185 | ||
| 1186 | if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) && | ||
| 1187 | !test_bit(KEY_FLAG_TRUSTED, &key->flags)) | ||
| 1188 | return -EPERM; | ||
| 1189 | |||
| 1186 | ret = __key_link_begin(keyring, &key->index_key, &edit); | 1190 | ret = __key_link_begin(keyring, &key->index_key, &edit); |
| 1187 | if (ret == 0) { | 1191 | if (ret == 0) { |
| 1188 | kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage)); | 1192 | kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage)); |