From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org
Cc: nramas@linux.microsoft.com
Subject: [PATCH v1 6/6] KEYS: measure keys when they are created or updated
Date: Wed, 23 Oct 2019 00:18:18 +0000 [thread overview]
Message-ID: <20191023001818.3684-7-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191023001818.3684-1-nramas@linux.microsoft.com>
A new LSM function namely, security_key_create_or_update, has
been added. This function is called by key_create_or_update
function when a new key is created or an existing key is updated.
This call is made when the key has been instantiated and linked
to the target keyring.
security_key_create_or_update is passed the target keyring, key,
key creation flags, and a boolean flag indicating whether
the key was newly created or an existing key was updated.
This function calls the ima function ima_post_key_create_or_update
to measure the key.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
include/linux/ima.h | 15 +++++++-
include/linux/security.h | 13 ++++++-
security/keys/key.c | 78 +++++++++++++++++++++++++++++++++++-----
security/security.c | 10 ++++++
4 files changed, 105 insertions(+), 11 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index a20ad398d260..ce763901380d 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -24,7 +24,11 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct dentry *dentry);
extern void ima_kexec_cmdline(const void *buf, int size);
-
+extern int ima_post_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create);
#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
#endif
@@ -91,6 +95,15 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
}
static inline void ima_kexec_cmdline(const void *buf, int size) {}
+
+static inline int ima_post_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create)
+{
+ return 0;
+}
#endif /* CONFIG_IMA */
#ifndef CONFIG_IMA_KEXEC
diff --git a/include/linux/security.h b/include/linux/security.h
index 5f7441abbf42..c8348da3db2e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1677,7 +1677,9 @@ void security_key_free(struct key *key);
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm);
int security_key_getsecurity(struct key *key, char **_buffer);
-
+int security_key_create_or_update(struct key *keyring, struct key *key,
+ const struct cred *cred,
+ unsigned long flags, bool create);
#else
static inline int security_key_alloc(struct key *key,
@@ -1704,6 +1706,15 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
return 0;
}
+static inline int security_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create)
+{
+ return 0;
+}
+
#endif
#endif /* CONFIG_KEYS */
diff --git a/security/keys/key.c b/security/keys/key.c
index 764f4c57913e..b913feaf196e 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -781,7 +781,7 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
}
/**
- * key_create_or_update - Update or create and instantiate a key.
+ * __key_create_or_update - Update or create and instantiate a key.
* @keyring_ref: A pointer to the destination keyring with possession flag.
* @type: The type of key.
* @description: The searchable description for the key.
@@ -789,6 +789,8 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
* @plen: The length of @payload.
* @perm: The permissions mask for a new key.
* @flags: The quota flags for a new key.
+ * @create: Set to true if the key was newly created.
+ * Set to false if the key was updated.
*
* Search the destination keyring for a key of the same description and if one
* is found, update it, otherwise create and instantiate a new one and create a
@@ -805,13 +807,14 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
* On success, the possession flag from the keyring ref will be tacked on to
* the key ref before it is returned.
*/
-key_ref_t key_create_or_update(key_ref_t keyring_ref,
- const char *type,
- const char *description,
- const void *payload,
- size_t plen,
- key_perm_t perm,
- unsigned long flags)
+static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
+ const char *type,
+ const char *description,
+ const void *payload,
+ size_t plen,
+ key_perm_t perm,
+ unsigned long flags,
+ bool *create)
{
struct keyring_index_key index_key = {
.description = description,
@@ -936,6 +939,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
goto error_link_end;
}
+ *create = true;
key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
error_link_end:
@@ -948,7 +952,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
error:
return key_ref;
- found_matching_key:
+found_matching_key:
/* we found a matching key, so we're going to try to update it
* - we can drop the locks first as we have the key pinned
*/
@@ -964,9 +968,65 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
}
}
+ *create = false;
key_ref = __key_update(key_ref, &prep);
goto error_free_prep;
}
+
+/**
+ * key_create_or_update - Update or create and instantiate a key.
+ * @keyring_ref: A pointer to the destination keyring with possession flag.
+ * @type: The type of key.
+ * @description: The searchable description for the key.
+ * @payload: The data to use to instantiate or update the key.
+ * @plen: The length of @payload.
+ * @perm: The permissions mask for a new key.
+ * @flags: The quota flags for a new key.
+ *
+ * Calls the internal function __key_create_or_update.
+ * If successful calls the security LSM hook.
+ */
+key_ref_t key_create_or_update(key_ref_t keyring_ref,
+ const char *type,
+ const char *description,
+ const void *payload,
+ size_t plen,
+ key_perm_t perm,
+ unsigned long flags)
+{
+ key_ref_t key_ref;
+ struct key *keyring, *key = NULL;
+ int ret = 0;
+ bool create = false;
+
+ key_ref = __key_create_or_update(keyring_ref, type, description,
+ payload, plen, perm, flags,
+ &create);
+ if (IS_ERR(key_ref))
+ goto out;
+
+ keyring = key_ref_to_ptr(keyring_ref);
+ key = key_ref_to_ptr(key_ref);
+
+ /* let the security module know about
+ * the created or updated key.
+ */
+ ret = security_key_create_or_update(keyring, key,
+ current_cred(),
+ flags, create);
+ if (ret < 0)
+ goto security_error;
+ else
+ goto out;
+
+security_error:
+ key_unlink(keyring, key);
+ key_put(key);
+ key_ref = ERR_PTR(ret);
+
+out:
+ return key_ref;
+}
EXPORT_SYMBOL(key_create_or_update);
/**
diff --git a/security/security.c b/security/security.c
index 250ee2d76406..707a9e7fa94d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2303,6 +2303,16 @@ int security_key_getsecurity(struct key *key, char **_buffer)
return call_int_hook(key_getsecurity, 0, key, _buffer);
}
+int security_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create)
+{
+ return ima_post_key_create_or_update(keyring, key, cred,
+ flags, create);
+}
+
#endif /* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org
Cc: nramas@linux.microsoft.com
Subject: [PATCH v1 6/6] KEYS: measure keys when they are created or updated
Date: Tue, 22 Oct 2019 17:18:18 -0700 [thread overview]
Message-ID: <20191023001818.3684-7-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191023001818.3684-1-nramas@linux.microsoft.com>
A new LSM function namely, security_key_create_or_update, has
been added. This function is called by key_create_or_update
function when a new key is created or an existing key is updated.
This call is made when the key has been instantiated and linked
to the target keyring.
security_key_create_or_update is passed the target keyring, key,
key creation flags, and a boolean flag indicating whether
the key was newly created or an existing key was updated.
This function calls the ima function ima_post_key_create_or_update
to measure the key.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
include/linux/ima.h | 15 +++++++-
include/linux/security.h | 13 ++++++-
security/keys/key.c | 78 +++++++++++++++++++++++++++++++++++-----
security/security.c | 10 ++++++
4 files changed, 105 insertions(+), 11 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index a20ad398d260..ce763901380d 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -24,7 +24,11 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct dentry *dentry);
extern void ima_kexec_cmdline(const void *buf, int size);
-
+extern int ima_post_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create);
#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
#endif
@@ -91,6 +95,15 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
}
static inline void ima_kexec_cmdline(const void *buf, int size) {}
+
+static inline int ima_post_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create)
+{
+ return 0;
+}
#endif /* CONFIG_IMA */
#ifndef CONFIG_IMA_KEXEC
diff --git a/include/linux/security.h b/include/linux/security.h
index 5f7441abbf42..c8348da3db2e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1677,7 +1677,9 @@ void security_key_free(struct key *key);
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm);
int security_key_getsecurity(struct key *key, char **_buffer);
-
+int security_key_create_or_update(struct key *keyring, struct key *key,
+ const struct cred *cred,
+ unsigned long flags, bool create);
#else
static inline int security_key_alloc(struct key *key,
@@ -1704,6 +1706,15 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
return 0;
}
+static inline int security_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create)
+{
+ return 0;
+}
+
#endif
#endif /* CONFIG_KEYS */
diff --git a/security/keys/key.c b/security/keys/key.c
index 764f4c57913e..b913feaf196e 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -781,7 +781,7 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
}
/**
- * key_create_or_update - Update or create and instantiate a key.
+ * __key_create_or_update - Update or create and instantiate a key.
* @keyring_ref: A pointer to the destination keyring with possession flag.
* @type: The type of key.
* @description: The searchable description for the key.
@@ -789,6 +789,8 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
* @plen: The length of @payload.
* @perm: The permissions mask for a new key.
* @flags: The quota flags for a new key.
+ * @create: Set to true if the key was newly created.
+ * Set to false if the key was updated.
*
* Search the destination keyring for a key of the same description and if one
* is found, update it, otherwise create and instantiate a new one and create a
@@ -805,13 +807,14 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
* On success, the possession flag from the keyring ref will be tacked on to
* the key ref before it is returned.
*/
-key_ref_t key_create_or_update(key_ref_t keyring_ref,
- const char *type,
- const char *description,
- const void *payload,
- size_t plen,
- key_perm_t perm,
- unsigned long flags)
+static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
+ const char *type,
+ const char *description,
+ const void *payload,
+ size_t plen,
+ key_perm_t perm,
+ unsigned long flags,
+ bool *create)
{
struct keyring_index_key index_key = {
.description = description,
@@ -936,6 +939,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
goto error_link_end;
}
+ *create = true;
key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
error_link_end:
@@ -948,7 +952,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
error:
return key_ref;
- found_matching_key:
+found_matching_key:
/* we found a matching key, so we're going to try to update it
* - we can drop the locks first as we have the key pinned
*/
@@ -964,9 +968,65 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
}
}
+ *create = false;
key_ref = __key_update(key_ref, &prep);
goto error_free_prep;
}
+
+/**
+ * key_create_or_update - Update or create and instantiate a key.
+ * @keyring_ref: A pointer to the destination keyring with possession flag.
+ * @type: The type of key.
+ * @description: The searchable description for the key.
+ * @payload: The data to use to instantiate or update the key.
+ * @plen: The length of @payload.
+ * @perm: The permissions mask for a new key.
+ * @flags: The quota flags for a new key.
+ *
+ * Calls the internal function __key_create_or_update.
+ * If successful calls the security LSM hook.
+ */
+key_ref_t key_create_or_update(key_ref_t keyring_ref,
+ const char *type,
+ const char *description,
+ const void *payload,
+ size_t plen,
+ key_perm_t perm,
+ unsigned long flags)
+{
+ key_ref_t key_ref;
+ struct key *keyring, *key = NULL;
+ int ret = 0;
+ bool create = false;
+
+ key_ref = __key_create_or_update(keyring_ref, type, description,
+ payload, plen, perm, flags,
+ &create);
+ if (IS_ERR(key_ref))
+ goto out;
+
+ keyring = key_ref_to_ptr(keyring_ref);
+ key = key_ref_to_ptr(key_ref);
+
+ /* let the security module know about
+ * the created or updated key.
+ */
+ ret = security_key_create_or_update(keyring, key,
+ current_cred(),
+ flags, create);
+ if (ret < 0)
+ goto security_error;
+ else
+ goto out;
+
+security_error:
+ key_unlink(keyring, key);
+ key_put(key);
+ key_ref = ERR_PTR(ret);
+
+out:
+ return key_ref;
+}
EXPORT_SYMBOL(key_create_or_update);
/**
diff --git a/security/security.c b/security/security.c
index 250ee2d76406..707a9e7fa94d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2303,6 +2303,16 @@ int security_key_getsecurity(struct key *key, char **_buffer)
return call_int_hook(key_getsecurity, 0, key, _buffer);
}
+int security_key_create_or_update(struct key *keyring,
+ struct key *key,
+ const struct cred *cred,
+ unsigned long flags,
+ bool create)
+{
+ return ima_post_key_create_or_update(keyring, key, cred,
+ flags, create);
+}
+
#endif /* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
--
2.17.1
next prev parent reply other threads:[~2019-10-23 0:18 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-23 0:18 [PATCH v1 0/6] KEYS: measure keys when they are created or updated Lakshmi Ramasubramanian
2019-10-23 0:18 ` Lakshmi Ramasubramanian
2019-10-23 0:18 ` [PATCH v1 1/6] KEYS: Helper function to check if the given keyring is builtin_trusted_keys Lakshmi Ramasubramanian
2019-10-23 0:18 ` Lakshmi Ramasubramanian
2019-10-23 0:18 ` [PATCH v1 2/6] KEYS: ima: Refactored process_buffer_measurement function so that it can measure any Lakshmi Ramasubramanian
2019-10-23 0:18 ` [PATCH v1 2/6] KEYS: ima: Refactored process_buffer_measurement function so that it can measure any buffer (and not just KEXEC_CMDLINE one) Lakshmi Ramasubramanian
2019-10-23 13:21 ` [PATCH v1 2/6] KEYS: ima: Refactored process_buffer_measurement function so that it can measure Mimi Zohar
2019-10-23 13:21 ` [PATCH v1 2/6] KEYS: ima: Refactored process_buffer_measurement function so that it can measure any buffer (and not just KEXEC_CMDLINE one) Mimi Zohar
2019-10-23 0:18 ` [PATCH v1 3/6] KEYS: ima hook to measure builtin_trusted_keys Lakshmi Ramasubramanian
2019-10-23 0:18 ` Lakshmi Ramasubramanian
2019-10-23 13:22 ` Mimi Zohar
2019-10-23 13:22 ` Mimi Zohar
2019-10-23 14:49 ` Lakshmi Ramasubramanian
2019-10-23 14:49 ` Lakshmi Ramasubramanian
2019-10-23 17:03 ` Mimi Zohar
2019-10-23 17:03 ` Mimi Zohar
2019-10-23 0:18 ` [PATCH v1 4/6] KEYS: ima functions to queue and dequeue keys to measure Lakshmi Ramasubramanian
2019-10-23 0:18 ` Lakshmi Ramasubramanian
2019-10-23 0:18 ` [PATCH v1 5/6] KEYS: measure queued keys Lakshmi Ramasubramanian
2019-10-23 0:18 ` Lakshmi Ramasubramanian
2019-10-23 13:23 ` Mimi Zohar
2019-10-23 13:23 ` Mimi Zohar
2019-10-23 17:34 ` Lakshmi Ramasubramanian
2019-10-23 17:34 ` Lakshmi Ramasubramanian
2019-10-23 17:52 ` Mimi Zohar
2019-10-23 17:52 ` Mimi Zohar
2019-10-23 18:49 ` Mimi Zohar
2019-10-23 18:49 ` Mimi Zohar
2019-10-23 0:18 ` Lakshmi Ramasubramanian [this message]
2019-10-23 0:18 ` [PATCH v1 6/6] KEYS: measure keys when they are created or updated Lakshmi Ramasubramanian
2019-10-23 18:09 ` Mimi Zohar
2019-10-23 18:09 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191023001818.3684-7-nramas@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.