From: Tyler Hicks <tyhicks@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>,
Nayna Jain <nayna@linux.ibm.com>,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH 0/2] ima: Fix keyrings race condition and other key related bugs
Date: Mon, 27 Jul 2020 09:08:29 -0500 [thread overview]
Message-ID: <20200727140831.64251-1-tyhicks@linux.microsoft.com> (raw)
Nayna pointed out that the "keyrings=" option in an IMA policy rule
should only be accepted when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is
enabled:
https://lore.kernel.org/linux-integrity/336cc947-1f70-0286-6506-6df3d1d23a1d@linux.vnet.ibm.com/
While fixing this, the compiler warned me about the potential for the
ima_keyrings pointer to be NULL despite it being used, without a check
for NULL, as the destination address for the strcpy() in
ima_match_keyring().
It also became apparent that there was not adequate locking around the
use of the pre-allocated buffer that ima_keyrings points to. The kernel
keyring has a lock (.sem member of struct key) that ensures only one key
can be added to a given keyring at a time but there's no protection
against adding multiple keys to different keyrings at the same time.
The first patch in this series fixes both ima_keyrings related issues by
parsing the list of keyrings in a KEY_CHECK rule at policy load time
rather than deferring the parsing to policy check time. Once that fix is
in place, the second patch can enforce that
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS must be enabled in order to use
"func=KEY_CHECK" or "keyrings=" options in IMA policy.
The new "keyrings=" value handling is done in a generic manner that can
be reused by other options in the future. This seems to make sense as
"appraise_type=" has similar style (though it doesn't need to be fully
parsed at this time) and using "|" as an alternation delimiter is
becoming the norm in IMA policy.
This series is based on commit 311aa6aafea4 ("ima: move
APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime") in
next-integrity.
Tyler
Tyler Hicks (2):
ima: Pre-parse the list of keyrings in a KEY_CHECK rule
ima: Fail rule parsing when asymmetric key measurement isn't
supportable
security/integrity/ima/ima_policy.c | 142 +++++++++++++++++++---------
1 file changed, 96 insertions(+), 46 deletions(-)
--
2.25.1
next reply other threads:[~2020-07-27 14:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 14:08 Tyler Hicks [this message]
2020-07-27 14:08 ` [PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK rule Tyler Hicks
2020-07-28 14:25 ` Lakshmi Ramasubramanian
2020-08-06 15:34 ` Nayna
2020-08-06 15:46 ` Tyler Hicks
2020-07-27 14:08 ` [PATCH 2/2] ima: Fail rule parsing when asymmetric key measurement isn't supportable Tyler Hicks
2020-07-28 14:14 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200727140831.64251-1-tyhicks@linux.microsoft.com \
--to=tyhicks@linux.microsoft.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=serge@hallyn.com \
--cc=tusharsu@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.