From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com,
	sashal@kernel.org, jamorris@linux.microsoft.com,
	linux-security-module@vger.kernel.org,
	linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	keyrings@vger.kernel.org
Cc: nramas@linux.microsoft.com
Subject: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys k
Date: Wed, 23 Oct 2019 23:39:49 +0000	[thread overview]
Message-ID: <20191023233950.22072-4-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191023233950.22072-1-nramas@linux.microsoft.com>

Added an ima policy hook BUILTIN_TRUSTED_KEYS to measure keys added
to the builtin_trusted_keys keyring.

Added a helper function to check if the given keyring is
the builtin_trusted_keys keyring.

Defined a function to map the keyring to ima policy hook function
and use it when measuring the key.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 Documentation/ABI/testing/ima_policy |  1 +
 certs/system_keyring.c               |  5 +++++
 include/keys/system_keyring.h        |  2 ++
 security/integrity/ima/ima.h         |  2 ++
 security/integrity/ima/ima_api.c     |  1 +
 security/integrity/ima/ima_main.c    | 25 +++++++++++++++++++++++--
 security/integrity/ima/ima_queue.c   |  2 +-
 7 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index fc376a323908..25566c74e679 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -29,6 +29,7 @@ Description:
 				[FIRMWARE_CHECK]
 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
 				[KEXEC_CMDLINE]
+				[BUILTIN_TRUSTED_KEYS]
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 			       [[^]MAY_EXEC]
 			fsmagic:= hex value
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 1eba08a1af82..5533c7f92fef 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -283,3 +283,8 @@ void __init set_platform_trusted_keys(struct key *keyring)
 	platform_trusted_keys = keyring;
 }
 #endif
+
+inline bool is_builtin_trusted_keyring(struct key *keyring)
+{
+	return (keyring = builtin_trusted_keys);
+}
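Review bot: `return (keyring = builtin_trusted_keys);` is an assignment, not a comparison, so the helper reports whether builtin_trusted_keys is non-NULL rather than whether the argument is that keyring; the line should read `return keyring == builtin_trusted_keys;`. If builtin_trusted_keys is a file-scope pointer that the rest of this file relies on as its trust anchor (the `platform_trusted_keys = keyring;` context line suggests that pattern, though the definition is outside the hunk), the assignment would also overwrite it with whatever keyring the caller passed, which is worse than a wrong boolean. The second copy of this message further down the page reads `==` here, which is presumably the intended form; a compiler will not necessarily warn about an assignment wrapped in parentheses, so a test that passes a non-builtin keyring and expects false would catch this.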
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index c1a96fdf598b..2bc0aaa07f05 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -66,4 +66,6 @@ static inline void set_platform_trusted_keys(struct key *keyring)
 }
 #endif
 
+extern bool is_builtin_trusted_keyring(struct key *keyring);
+
 #endif /* _KEYS_SYSTEM_KEYRING_H */
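Review bot: The new `extern bool is_builtin_trusted_keyring(struct key *keyring);` sits outside any `#ifdef`, while the context line above it closes a conditional block; if `certs/system_keyring.c`, where the function is defined, is only built under the corresponding config option, IMA would get an undefined reference whenever that option is off — I cannot confirm the build rule from this hunk. The pattern visible in this header (a real declaration under the option, a `static inline` stub otherwise, as with set_platform_trusted_keys) suggests adding a stub in the `#else` branch, `static inline bool is_builtin_trusted_keyring(struct key *keyring) { return false; }`. The duplicate copy of this hunk in the second message on this page has the same shape.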
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 38279707632a..92c25a6b4da7 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -23,6 +23,7 @@
 #include <crypto/hash_info.h>
 #include <crypto/public_key.h>
 #include <keys/asymmetric-type.h>
+#include <keys/system_keyring.h>
 
 #include "../integrity.h"
 
@@ -192,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
 	hook(KEXEC_INITRAMFS_CHECK)	\
 	hook(POLICY_CHECK)		\
 	hook(KEXEC_CMDLINE)		\
+	hook(BUILTIN_TRUSTED_KEYS)	\
 	hook(MAX_CHECK)
 #define __ima_hook_enumify(ENUM)	ENUM,
 
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index f614e22bf39f..cc04706b7e7a 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -175,6 +175,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
  *	subj,obj, and type: are LSM specific.
  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
  *	| KEXEC_CMDLINE
+ *	| BUILTIN_TRUSTED_KEYS
  *	mask: contains the permission mask
  *	fsmagic: hex value
  *
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index bce430b3386e..986f80eead4d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -605,6 +605,24 @@ int ima_load_data(enum kernel_load_data_id id)
 	return 0;
 }
 
+/*
+ * Maps the given keyring to a IMA Hook.
+ * @keyring: A keyring to which a key maybe linked to.
+ *
+ * This function currently handles only builtin_trusted_keys.
+ * To handle more keyrings, this function, ima hook and
+ * ima policy handler need to be updated.
+ */
+static enum ima_hooks keyring_policy_map(struct key *keyring)
+{
+	enum ima_hooks func = NONE;
+
+	if (is_builtin_trusted_keyring(keyring))
+		func = BUILTIN_TRUSTED_KEYS;
+
+	return func;
+}
+
 /*
  * process_buffer_measurement - Measure the buffer to ima log.
  * @buf: pointer to the buffer that needs to be added to the log.
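Review bot: Every keyring other than builtin_trusted_keys maps to NONE, and that value is then passed to ima_queue_key_for_measurement and process_buffer_measurement in the next hunk; whether NONE means "not covered by policy, skip" or "measure unconditionally" is decided inside process_buffer_measurement, outside this patch, so the comment on keyring_policy_map should state which, because that decides whether keys added to other keyrings go unmeasured or are measured regardless of policy. The header comment also has two wording slips: `Maps the given keyring to an IMA hook.` and `@keyring: the keyring the key may be linked to.`. The body could be a single expression, `return is_builtin_trusted_keyring(keyring) ? BUILTIN_TRUSTED_KEYS : NONE;`, but that is taste. The duplicate hunk in the second copy of this message carries the same text.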
@@ -706,19 +724,22 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
 				   unsigned long flags, bool create)
 {
 	const struct public_key *pk;
+	enum ima_hooks func;
 
 	if (key->type != &key_type_asymmetric)
 		return;
 
+	func = keyring_policy_map(keyring);
+
 	if (!ima_initialized) {
-		ima_queue_key_for_measurement(key, NONE);
+		ima_queue_key_for_measurement(key, func);
 		return;
 	}
 
 	pk = key->payload.data[asym_crypto];
 	process_buffer_measurement(pk->key, pk->keylen,
 				   key->description,
-				   NONE, 0);
+				   func, 0);
 }
 
 static int __init init_ima(void)
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index d42987022c12..ed77c4dc0520 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -319,7 +319,7 @@ void ima_measure_queued_keys(void)
 		process_buffer_measurement(entry->public_key,
 					   entry->public_key_len,
 					   entry->key_description,
-					   NONE, 0);
+					   entry->func, 0);
 		list_del(&entry->list);
 		ima_free_trusted_key_entry(entry);
 	}
-- 
2.17.1

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com,
	sashal@kernel.org, jamorris@linux.microsoft.com,
	linux-security-module@vger.kernel.org,
	linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	keyrings@vger.kernel.org
Cc: nramas@linux.microsoft.com
Subject: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring
Date: Wed, 23 Oct 2019 16:39:49 -0700	[thread overview]
Message-ID: <20191023233950.22072-4-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191023233950.22072-1-nramas@linux.microsoft.com>

Added an ima policy hook BUILTIN_TRUSTED_KEYS to measure keys added
to the builtin_trusted_keys keyring.

Added a helper function to check if the given keyring is
the builtin_trusted_keys keyring.

Defined a function to map the keyring to ima policy hook function
and use it when measuring the key.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 Documentation/ABI/testing/ima_policy |  1 +
 certs/system_keyring.c               |  5 +++++
 include/keys/system_keyring.h        |  2 ++
 security/integrity/ima/ima.h         |  2 ++
 security/integrity/ima/ima_api.c     |  1 +
 security/integrity/ima/ima_main.c    | 25 +++++++++++++++++++++++--
 security/integrity/ima/ima_queue.c   |  2 +-
 7 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index fc376a323908..25566c74e679 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -29,6 +29,7 @@ Description:
 				[FIRMWARE_CHECK]
 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
 				[KEXEC_CMDLINE]
+				[BUILTIN_TRUSTED_KEYS]
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 			       [[^]MAY_EXEC]
 			fsmagic:= hex value
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 1eba08a1af82..5533c7f92fef 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -283,3 +283,8 @@ void __init set_platform_trusted_keys(struct key *keyring)
 	platform_trusted_keys = keyring;
 }
 #endif
+
+inline bool is_builtin_trusted_keyring(struct key *keyring)
+{
+	return (keyring == builtin_trusted_keys);
+}
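Review bot: The definition carries `inline` while `include/keys/system_keyring.h` declares the same function `extern` and ima_main.c calls it from another translation unit, so the function needs an out-of-line copy with external linkage; `inline` buys nothing there and whether a copy is emitted depends on the compiler's inline semantics, so I would drop it: `bool is_builtin_trusted_keyring(struct key *keyring)`. The parameter is only compared, never written through, so `const struct key *keyring` would document that. The parentheses around the comparison are unnecessary: `return keyring == builtin_trusted_keys;`.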
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index c1a96fdf598b..2bc0aaa07f05 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -66,4 +66,6 @@ static inline void set_platform_trusted_keys(struct key *keyring)
 }
 #endif
 
+extern bool is_builtin_trusted_keyring(struct key *keyring);
+
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 38279707632a..92c25a6b4da7 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -23,6 +23,7 @@
 #include <crypto/hash_info.h>
 #include <crypto/public_key.h>
 #include <keys/asymmetric-type.h>
+#include <keys/system_keyring.h>
 
 #include "../integrity.h"
 
@@ -192,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
 	hook(KEXEC_INITRAMFS_CHECK)	\
 	hook(POLICY_CHECK)		\
 	hook(KEXEC_CMDLINE)		\
+	hook(BUILTIN_TRUSTED_KEYS)	\
 	hook(MAX_CHECK)
 #define __ima_hook_enumify(ENUM)	ENUM,
 
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index f614e22bf39f..cc04706b7e7a 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -175,6 +175,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
  *	subj,obj, and type: are LSM specific.
  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
  *	| KEXEC_CMDLINE
+ *	| BUILTIN_TRUSTED_KEYS
  *	mask: contains the permission mask
  *	fsmagic: hex value
  *
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index bce430b3386e..986f80eead4d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -605,6 +605,24 @@ int ima_load_data(enum kernel_load_data_id id)
 	return 0;
 }
 
+/*
+ * Maps the given keyring to a IMA Hook.
+ * @keyring: A keyring to which a key maybe linked to.
+ *
+ * This function currently handles only builtin_trusted_keys.
+ * To handle more keyrings, this function, ima hook and
+ * ima policy handler need to be updated.
+ */
+static enum ima_hooks keyring_policy_map(struct key *keyring)
+{
+	enum ima_hooks func = NONE;
+
+	if (is_builtin_trusted_keyring(keyring))
+		func = BUILTIN_TRUSTED_KEYS;
+
+	return func;
+}
+
 /*
  * process_buffer_measurement - Measure the buffer to ima log.
  * @buf: pointer to the buffer that needs to be added to the log.
@@ -706,19 +724,22 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
 				   unsigned long flags, bool create)
 {
 	const struct public_key *pk;
+	enum ima_hooks func;
 
 	if (key->type != &key_type_asymmetric)
 		return;
 
+	func = keyring_policy_map(keyring);
+
 	if (!ima_initialized) {
-		ima_queue_key_for_measurement(key, NONE);
+		ima_queue_key_for_measurement(key, func);
 		return;
 	}
 
 	pk = key->payload.data[asym_crypto];
 	process_buffer_measurement(pk->key, pk->keylen,
 				   key->description,
-				   NONE, 0);
+				   func, 0);
 }
 
 static int __init init_ima(void)
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index d42987022c12..ed77c4dc0520 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -319,7 +319,7 @@ void ima_measure_queued_keys(void)
 		process_buffer_measurement(entry->public_key,
 					   entry->public_key_len,
 					   entry->key_description,
-					   NONE, 0);
+					   entry->func, 0);
 		list_del(&entry->list);
 		ima_free_trusted_key_entry(entry);
 	}
-- 
2.17.1

