[PATCH] Keys: Add LSM hooks for key management [try #3]

The attached patch adds LSM hooks for key management facilities. The notable changes are: (1) The key struct now supports a security pointer for the use of security modules. This will permit key labelling and restrictions on which programs may access a key. (2) Security modules get a chance to note (or abort) the allocation of a key. (3) The key permission checking can now be enhanced by the security modules; the permissions check consults LSM if all other checks bear out. (4) The key permissions checking functions now return an error code rather than a boolean value. (5) An extra permission has been added to govern the modification of attributes (UID, GID, permissions). Note that there isn't an LSM hook specifically for each keyctl() operation, but rather the permissions hook allows control of individual operations based on the permission request bits. Key management access control through LSM is enabled by automatically if both CONFIG_KEYS and CONFIG_SECURITY are enabled. This should be applied on top of the patch ensubjected: [PATCH] Keys: Possessor permissions should be additive Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: David Howells <dhowells@redhat.com> 2005-10-30 18:02:44 -0500
committer: Linus Torvalds <torvalds@g5.osdl.org> 2005-10-30 20:37:23 -0500
commit: 29db9190634067c5a328ee5fcc2890251b836b4b (patch)
tree: 07ec242789230824f1fa8bcbbe681fd5bf166fa8 /include
parent: 2aa349f6e37ce030060c994d3aebbff4ab703565 (diff)
3 files changed, 84 insertions, 5 deletions
diff --git a/include/linux/key-ui.h b/include/linux/key-ui.h
index 7a2e332067c3..e8b8a7a5c496 100644
--- a/include/linux/key-ui.h
+++ b/include/linux/key-ui.h
@@ -24,7 +24,8 @@ extern spinlock_t key_serial_lock;
 #define KEY_WRITE       0x04    /* require permission to update / modify */
 #define KEY_SEARCH      0x08    /* require permission to search (keyring) or find (key) */
 #define KEY_LINK        0x10    /* require permission to link */
-#define KEY_ALL         0x1f    /* all the above permissions */
+#define KEY_SETATTR     0x20    /* require permission to change attributes */
+#define KEY_ALL         0x3f    /* all the above permissions */
 /*
 * the keyring payload contains a list of the keys to which the keyring is
diff --git a/include/linux/key.h b/include/linux/key.h
index f1efa016dbf3..53513a3be53b 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -40,28 +40,32 @@ struct key;
 #define KEY_POS_WRITE   0x04000000      /* possessor can update key payload / add link to keyring */
 #define KEY_POS_SEARCH  0x08000000      /* possessor can find a key in search / search a keyring */
 #define KEY_POS_LINK    0x10000000      /* possessor can create a link to a key/keyring */
-#define KEY_POS_ALL     0x1f000000
+#define KEY_POS_SETATTR 0x20000000      /* possessor can set key attributes */
+#define KEY_POS_ALL     0x3f000000
 #define KEY_USR_VIEW    0x00010000      /* user permissions... */
 #define KEY_USR_READ    0x00020000
 #define KEY_USR_WRITE   0x00040000
 #define KEY_USR_SEARCH  0x00080000
 #define KEY_USR_LINK    0x00100000
-#define KEY_USR_ALL     0x001f0000
+#define KEY_USR_SETATTR 0x00200000
+#define KEY_USR_ALL     0x003f0000
 #define KEY_GRP_VIEW    0x00000100      /* group permissions... */
 #define KEY_GRP_READ    0x00000200
 #define KEY_GRP_WRITE   0x00000400
 #define KEY_GRP_SEARCH  0x00000800
 #define KEY_GRP_LINK    0x00001000
-#define KEY_GRP_ALL     0x00001f00
+#define KEY_GRP_SETATTR 0x00002000
+#define KEY_GRP_ALL     0x00003f00
 #define KEY_OTH_VIEW    0x00000001      /* third party permissions... */
 #define KEY_OTH_READ    0x00000002
 #define KEY_OTH_WRITE   0x00000004
 #define KEY_OTH_SEARCH  0x00000008
 #define KEY_OTH_LINK    0x00000010
-#define KEY_OTH_ALL     0x0000001f
+#define KEY_OTH_SETATTR 0x00000020
+#define KEY_OTH_ALL     0x0000003f
 struct seq_file;
 struct user_struct;
@@ -119,6 +123,7 @@ struct key {
        struct key_type         *type;          /* type of key */
        struct rw_semaphore     sem;            /* change vs change sem */
        struct key_user         *user;          /* owner of this key */
+        void                    *security;      /* security data for this key */
        time_t                  expiry;         /* time at which key expires (or 0) */
        uid_t                   uid;
        gid_t                   gid;
diff --git a/include/linux/security.h b/include/linux/security.h
index 607ee209ea3b..f7e0ae018712 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -30,6 +30,7 @@
 #include <linux/shm.h>
 #include <linux/msg.h>
 #include <linux/sched.h>
+#include <linux/key.h>
 struct ctl_table;
@@ -788,6 +789,27 @@ struct swap_info_struct;
 * @sk_free_security:
 *      Deallocate security structure.
 *
+ * Security hooks affecting all Key Management operations
+ *
+ * @key_alloc:
+ *      Permit allocation of a key and assign security data. Note that key does
+ *      not have a serial number assigned at this point.
+ *      @key points to the key.
+ *      Return 0 if permission is granted, -ve error otherwise.
+ * @key_free:
+ *      Notification of destruction; free security data.
+ *      @key points to the key.
+ *      No return value.
+ * @key_permission:
+ *      See whether a specific operational right is granted to a process on a
+ *      key.
+ *      @key_ref refers to the key (key pointer + possession attribute bit).
+ *      @context points to the process to provide the context against which to
+ *       evaluate the security data on the key.
+ *      @perm describes the combination of permissions required of this key.
+ *      Return 1 if permission granted, 0 if permission denied and -ve it the
+ *      normal permissions model should be effected.
+ *
 * Security hooks affecting all System V IPC operations.
 *
 * @ipc_permission:
@@ -1216,6 +1238,17 @@ struct security_operations {
        int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
        void (*sk_free_security) (struct sock *sk);
 #endif  /* CONFIG_SECURITY_NETWORK */
+        /* key management security hooks */
+#ifdef CONFIG_KEYS
+        int (*key_alloc)(struct key *key);
+        void (*key_free)(struct key *key);
+        int (*key_permission)(key_ref_t key_ref,
+                              struct task_struct *context,
+                              key_perm_t perm);
+#endif  /* CONFIG_KEYS */
 };
 /* global variables */
@@ -2764,5 +2797,45 @@ static inline void security_sk_free(struct sock *sk)
 }
 #endif  /* CONFIG_SECURITY_NETWORK */
+#ifdef CONFIG_KEYS
+#ifdef CONFIG_SECURITY
+static inline int security_key_alloc(struct key *key)
+{
+        return security_ops->key_alloc(key);
+}
+static inline void security_key_free(struct key *key)
+{
+        security_ops->key_free(key);
+}
+static inline int security_key_permission(key_ref_t key_ref,
+                                          struct task_struct *context,
+                                          key_perm_t perm)
+{
+        return security_ops->key_permission(key_ref, context, perm);
+}
+#else
+static inline int security_key_alloc(struct key *key)
+{
+        return 0;
+}
+static inline void security_key_free(struct key *key)
+{
+}
+static inline int security_key_permission(key_ref_t key_ref,
+                                          struct task_struct *context,
+                                          key_perm_t perm)
+{
+        return 0;
+}
+#endif
+#endif /* CONFIG_KEYS */
 #endif /* ! __LINUX_SECURITY_H */
author	David Howells <dhowells@redhat.com>	2005-10-30 18:02:44 -0500
committer	Linus Torvalds <torvalds@g5.osdl.org>	2005-10-30 20:37:23 -0500
commit	29db9190634067c5a328ee5fcc2890251b836b4b (patch)
tree	07ec242789230824f1fa8bcbbe681fd5bf166fa8 /include
parent	2aa349f6e37ce030060c994d3aebbff4ab703565 (diff)

diff --git a/include/linux/key-ui.h b/include/linux/key-ui.h index 7a2e332067c3..e8b8a7a5c496 100644 --- a/include/linux/key-ui.h +++ b/include/linux/key-ui.h
@@ -24,7 +24,8 @@ extern spinlock_t key_serial_lock;
24	#define KEY_WRITE 0x04 /* require permission to update / modify */	24	#define KEY_WRITE 0x04 /* require permission to update / modify */
25	#define KEY_SEARCH 0x08 /* require permission to search (keyring) or find (key) */	25	#define KEY_SEARCH 0x08 /* require permission to search (keyring) or find (key) */
26	#define KEY_LINK 0x10 /* require permission to link */	26	#define KEY_LINK 0x10 /* require permission to link */
27	#define KEY_ALL 0x1f /* all the above permissions */	27	#define KEY_SETATTR 0x20 /* require permission to change attributes */
		28	#define KEY_ALL 0x3f /* all the above permissions */
28		29
29	/*	30	/*
30	* the keyring payload contains a list of the keys to which the keyring is	31	* the keyring payload contains a list of the keys to which the keyring is


diff --git a/include/linux/key.h b/include/linux/key.h index f1efa016dbf3..53513a3be53b 100644 --- a/include/linux/key.h +++ b/include/linux/key.h
@@ -40,28 +40,32 @@ struct key;
40	#define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */	40	#define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */
41	#define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */	41	#define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */
42	#define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */	42	#define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */
43	#define KEY_POS_ALL 0x1f000000	43	#define KEY_POS_SETATTR 0x20000000 /* possessor can set key attributes */
		44	#define KEY_POS_ALL 0x3f000000
44		45
45	#define KEY_USR_VIEW 0x00010000 /* user permissions... */	46	#define KEY_USR_VIEW 0x00010000 /* user permissions... */
46	#define KEY_USR_READ 0x00020000	47	#define KEY_USR_READ 0x00020000
47	#define KEY_USR_WRITE 0x00040000	48	#define KEY_USR_WRITE 0x00040000
48	#define KEY_USR_SEARCH 0x00080000	49	#define KEY_USR_SEARCH 0x00080000
49	#define KEY_USR_LINK 0x00100000	50	#define KEY_USR_LINK 0x00100000
50	#define KEY_USR_ALL 0x001f0000	51	#define KEY_USR_SETATTR 0x00200000
		52	#define KEY_USR_ALL 0x003f0000
51		53
52	#define KEY_GRP_VIEW 0x00000100 /* group permissions... */	54	#define KEY_GRP_VIEW 0x00000100 /* group permissions... */
53	#define KEY_GRP_READ 0x00000200	55	#define KEY_GRP_READ 0x00000200
54	#define KEY_GRP_WRITE 0x00000400	56	#define KEY_GRP_WRITE 0x00000400
55	#define KEY_GRP_SEARCH 0x00000800	57	#define KEY_GRP_SEARCH 0x00000800
56	#define KEY_GRP_LINK 0x00001000	58	#define KEY_GRP_LINK 0x00001000
57	#define KEY_GRP_ALL 0x00001f00	59	#define KEY_GRP_SETATTR 0x00002000
		60	#define KEY_GRP_ALL 0x00003f00
58		61
59	#define KEY_OTH_VIEW 0x00000001 /* third party permissions... */	62	#define KEY_OTH_VIEW 0x00000001 /* third party permissions... */
60	#define KEY_OTH_READ 0x00000002	63	#define KEY_OTH_READ 0x00000002
61	#define KEY_OTH_WRITE 0x00000004	64	#define KEY_OTH_WRITE 0x00000004
62	#define KEY_OTH_SEARCH 0x00000008	65	#define KEY_OTH_SEARCH 0x00000008
63	#define KEY_OTH_LINK 0x00000010	66	#define KEY_OTH_LINK 0x00000010
64	#define KEY_OTH_ALL 0x0000001f	67	#define KEY_OTH_SETATTR 0x00000020
		68	#define KEY_OTH_ALL 0x0000003f
65		69
66	struct seq_file;	70	struct seq_file;
67	struct user_struct;	71	struct user_struct;
@@ -119,6 +123,7 @@ struct key {
119	struct key_type type; / type of key */	123	struct key_type type; / type of key */
120	struct rw_semaphore sem; /* change vs change sem */	124	struct rw_semaphore sem; /* change vs change sem */
121	struct key_user user; / owner of this key */	125	struct key_user user; / owner of this key */
		126	void security; / security data for this key */
122	time_t expiry; /* time at which key expires (or 0) */	127	time_t expiry; /* time at which key expires (or 0) */
123	uid_t uid;	128	uid_t uid;
124	gid_t gid;	129	gid_t gid;


diff --git a/include/linux/security.h b/include/linux/security.h index 607ee209ea3b..f7e0ae018712 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -30,6 +30,7 @@
30	#include <linux/shm.h>	30	#include <linux/shm.h>
31	#include <linux/msg.h>	31	#include <linux/msg.h>
32	#include <linux/sched.h>	32	#include <linux/sched.h>
		33	#include <linux/key.h>
33		34
34	struct ctl_table;	35	struct ctl_table;
35		36
@@ -788,6 +789,27 @@ struct swap_info_struct;
788	* @sk_free_security:	789	* @sk_free_security:
789	* Deallocate security structure.	790	* Deallocate security structure.
790	*	791	*
		792	* Security hooks affecting all Key Management operations
		793	*
		794	* @key_alloc:
		795	* Permit allocation of a key and assign security data. Note that key does
		796	* not have a serial number assigned at this point.
		797	* @key points to the key.
		798	* Return 0 if permission is granted, -ve error otherwise.
		799	* @key_free:
		800	* Notification of destruction; free security data.
		801	* @key points to the key.
		802	* No return value.
		803	* @key_permission:
		804	* See whether a specific operational right is granted to a process on a
		805	* key.
		806	* @key_ref refers to the key (key pointer + possession attribute bit).
		807	* @context points to the process to provide the context against which to
		808	* evaluate the security data on the key.
		809	* @perm describes the combination of permissions required of this key.
		810	* Return 1 if permission granted, 0 if permission denied and -ve it the
		811	* normal permissions model should be effected.
		812	*
791	* Security hooks affecting all System V IPC operations.	813	* Security hooks affecting all System V IPC operations.
792	*	814	*
793	* @ipc_permission:	815	* @ipc_permission:
@@ -1216,6 +1238,17 @@ struct security_operations {
1216	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);	1238	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);
1217	void (sk_free_security) (struct sock sk);	1239	void (sk_free_security) (struct sock sk);
1218	#endif /* CONFIG_SECURITY_NETWORK */	1240	#endif /* CONFIG_SECURITY_NETWORK */
		1241
		1242	/* key management security hooks */
		1243	#ifdef CONFIG_KEYS
		1244	int (key_alloc)(struct key key);
		1245	void (key_free)(struct key key);
		1246	int (*key_permission)(key_ref_t key_ref,
		1247	struct task_struct *context,
		1248	key_perm_t perm);
		1249
		1250	#endif /* CONFIG_KEYS */
		1251
1219	};	1252	};
1220		1253
1221	/* global variables */	1254	/* global variables */
@@ -2764,5 +2797,45 @@ static inline void security_sk_free(struct sock *sk)
2764	}	2797	}
2765	#endif /* CONFIG_SECURITY_NETWORK */	2798	#endif /* CONFIG_SECURITY_NETWORK */
2766		2799
		2800	#ifdef CONFIG_KEYS
		2801	#ifdef CONFIG_SECURITY
		2802	static inline int security_key_alloc(struct key *key)
		2803	{
		2804	return security_ops->key_alloc(key);
		2805	}
		2806
		2807	static inline void security_key_free(struct key *key)
		2808	{
		2809	security_ops->key_free(key);
		2810	}
		2811
		2812	static inline int security_key_permission(key_ref_t key_ref,
		2813	struct task_struct *context,
		2814	key_perm_t perm)
		2815	{
		2816	return security_ops->key_permission(key_ref, context, perm);
		2817	}
		2818
		2819	#else
		2820
		2821	static inline int security_key_alloc(struct key *key)
		2822	{
		2823	return 0;
		2824	}
		2825
		2826	static inline void security_key_free(struct key *key)
		2827	{
		2828	}
		2829
		2830	static inline int security_key_permission(key_ref_t key_ref,
		2831	struct task_struct *context,
		2832	key_perm_t perm)
		2833	{
		2834	return 0;
		2835	}
		2836
		2837	#endif
		2838	#endif /* CONFIG_KEYS */
		2839
2767	#endif /* ! __LINUX_SECURITY_H */	2840	#endif /* ! __LINUX_SECURITY_H */
2768		2841