From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Josh Boyer <jwboyer@redhat.com>,
	keyrings <keyrings@linux-nfs.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC PATCH v4 3/4] ima: define '.ima' as a builtin 'trusted' keyring
Date: Mon, 09 Jun 2014 14:43:16 +0300	[thread overview]
Message-ID: <53959DD4.6010306@samsung.com> (raw)
In-Reply-To: <1402311976.7064.5.camel@dhcp-9-2-203-236.watson.ibm.com>

On 09/06/14 14:06, Mimi Zohar wrote:
> On Fri, 2014-05-30 at 19:05 +0300, Dmitry Kasatkin wrote:
>> On 28 May 2014 22:26, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>> On Wed, 2014-05-28 at 21:55 +0300, Dmitry Kasatkin wrote:
>>>> On 28 May 2014 18:09, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>>>> Require all keys added to the IMA keyring be signed by an
>>>>> existing trusted key on the system trusted keyring.
>>>>>
>>>>> Changelog v1:
>>>>> - don't link IMA trusted keyring to user keyring
>>>>>
>>>>> Changelog:
>>>>> - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
>>>>> - differentiate between regular and trusted keyring names.
>>>>> - replace printk with pr_info (D. Kasatkin)
>>>>> - only make the IMA keyring a trusted keyring (reported-by D. Kasatkin)
>>>>> - define stub integrity_init_keyring() definition based on
>>>>>   CONFIG_INTEGRITY_SIGNATURE, not CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
>>>>>   (reported-by Jim Davis)
>>>>>
>>>>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>>>>> ---
>>>>>  security/integrity/digsig.c           | 26 +++++++++++++++++++++++++-
>>>>>  security/integrity/ima/Kconfig        |  8 ++++++++
>>>>>  security/integrity/ima/ima_appraise.c | 11 +++++++++++
>>>>>  security/integrity/integrity.h        |  5 +++++
>>>>>  4 files changed, 49 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
>>>>> index b4af4eb..7da5f9c 100644
>>>>> --- a/security/integrity/digsig.c
>>>>> +++ b/security/integrity/digsig.c
>>>>> @@ -13,7 +13,9 @@
>>>>>  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>>>>>
>>>>>  #include <linux/err.h>
>>>>> +#include <linux/sched.h>
>>>>>  #include <linux/rbtree.h>
>>>>> +#include <linux/cred.h>
>>>>>  #include <linux/key-type.h>
>>>>>  #include <linux/digsig.h>
>>>>>
>>>>> @@ -24,7 +26,11 @@ static struct key *keyring[INTEGRITY_KEYRING_MAX];
>>>>>  static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
>>>>>         "_evm",
>>>>>         "_module",
>>>>> +#ifndef CONFIG_IMA_TRUSTED_KEYRING
>>>>>         "_ima",
>>>>> +#else
>>>>> +       ".ima",
>>>>> +#endif
>>>>>  };
>>>>>
>>>>>  int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
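Review bot: the #ifndef/#else pairing reads backwards for the option being introduced; `#ifdef CONFIG_IMA_TRUSTED_KEYRING` followed by `".ima",` then `#else` / `"_ima",` puts the new name first and is easier to audit against the Kconfig text. It is also worth spelling out in the Kconfig help that enabling the option renames the keyring from `_ima` to `.ima`: integrity_digsig_verify() looks the keyring up by keyring_name[id], so a setup that still creates `_ima` from userspace would no longer be consulted.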
>>>>> @@ -35,7 +41,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>>>>>
>>>>>         if (!keyring[id]) {
>>>>>                 keyring[id] =
>>>>> -                       request_key(&key_type_keyring, keyring_name[id], NULL);
>>>>> +                   request_key(&key_type_keyring, keyring_name[id], NULL);
>>>>>                 if (IS_ERR(keyring[id])) {
>>>>>                         int err = PTR_ERR(keyring[id]);
>>>>>                         pr_err("no %s keyring: %d\n", keyring_name[id], err);
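Review bot: this hunk only re-indents the `request_key(&key_type_keyring, keyring_name[id], NULL);` continuation line and changes no behaviour; drop it from this patch, or move it to a separate cleanup, so the diff stays limited to the trusted-keyring change.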
>>>>> @@ -56,3 +62,21 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>>>>>
>>>>>         return -EOPNOTSUPP;
>>>>>  }
>>>>> +
>>>>> +int integrity_init_keyring(const unsigned int id)
>>>>> +{
>>>>> +       const struct cred *cred = current_cred();
>>>>> +
>>>>> +       keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
>>>>> +                                   KGIDT_INIT(0), cred,
>>>>> +                                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
>>>>> +                                     KEY_USR_VIEW | KEY_USR_READ |
>>>>> +                                     KEY_USR_WRITE | KEY_USR_SEARCH),
>>>>> +                                   KEY_ALLOC_NOT_IN_QUOTA, NULL);
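Review bot: the quoted part of integrity_init_keyring() stores the keyring_alloc() result directly into keyring[id], and no IS_ERR() check is visible here. If the rest of the function (not quoted) does not check it and reset keyring[id] to NULL on failure, the `if (!keyring[id])` test in integrity_digsig_verify() above will skip its own request_key()/IS_ERR() path and use an ERR_PTR as a keyring. Independently, the final NULL argument means the new keyring is linked into no other keyring, so it is reachable only by name; the Kconfig help should state how userspace is expected to find it, which is the point Dmitry raises next.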
>>>> The last parameter, "destination", is NULL. It makes the keyring "unsearchable"
>>>> from user space.
>>>> It prevents loading trusted keys from user space, e.g. initramfs...
>>>>
>>>> Should it be "cred->user->uid_keyring"??
>>> David extended keyctl with the '%keyring' option.  For example,
>>> "keyctl show %keyring:.ima" returns the .ima keyring id with a list of
>>> all the keys.
>>>
>> That is not a kernel feature, but a keyctl feature, as far as I can see.
>> It will not find the keyring from user space.
>>
>> keyutils.c 3.5.7 has this kind of thing
>> f = fopen("/proc/keys", "r");
>>
>> But it would require CONFIG_PROC_KEYS to be enabled.
>>
>> Maybe David may comment...
> David commented on a prior patch set, which defined a new id for the
> system trusted keyring. For his comments, refer to
> http://marc.info/?l=linux-security-module&m=137829415530503&w=2
>
> thanks,
>
> Mimi

Fine with me if such an API is fine for David.

I just checked once again. The option to enable /proc/keys is called
CONFIG_KEYS_DEBUG_PROC_KEYS.

It is a bit weird that in order to be able to load keys to the trusted
keyring it is necessary to enable a *_DEBUG_* option.

David stated: (1) Make /proc/keys always present if CONFIG_KEYS=y.

It is not there yet...

Should CONFIG_IMA_TRUSTED_KEYRING then "select
CONFIG_KEYS_DEBUG_PROC_KEYS", per David's suggestion?

- Dmitry
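
The thread turns on how userspace locates a kernel-created, dot-prefixed keyring: keyctl's `%keyring:.ima` lookup on one side, scraping `/proc/keys` (which needs CONFIG_KEYS_DEBUG_PROC_KEYS) on the other. The shell helpers below are an added example, not code from the patch, keyutils or anyone in the thread; they parse a constructed `/proc/keys` image, resolve the `.ima` keyring serial to the decimal id keyctl takes, and check the KEY_USR_WRITE bit the patch grants so an administrator can verify that root is allowed to load keys into it.

```shell
# Constructed /proc/keys image (not captured from a real system). Columns:
# serial(hex) flags usage timeout perm(hex) uid gid type description.
# The ".ima" line carries the mask the patch requests, (KEY_POS_ALL &
# ~KEY_POS_SETATTR) | KEY_USR_VIEW|READ|WRITE|SEARCH = 0x1f0f0000, and no
# 'Q' flag because the keyring is allocated with KEY_ALLOC_NOT_IN_QUOTA.
sample_proc_keys() {
    cat <<'EOF'
0001e240 I------     1 perm 1f0f0000     0     0 keyring   .ima: empty
0002b67a I--Q---     4 perm 3f030000  1000  1000 keyring   _uid.1000: 2
0003f9b1 I--Q---     2 perm 1f3f0000     0     0 keyring   _evm: empty
000401c2 I------     1 perm 1f010000     0     0 asymmetri constructed-ca-cert: 0123456789abcdef
EOF
}

# Print "<hex serial> <hex perm>" of the keyring named $1, read from the
# /proc/keys image $2 ("-" = stdin; default is the live /proc/keys).
# Fails (exit 1) when no keyring of that name is listed.
keyring_serial_and_perm() {
    awk -v want="$1" '
        $8 == "keyring" { d = $9; sub(/:$/, "", d)
            if (d == want) { print $1, $5; found = 1; exit } }
        END { exit found ? 0 : 1 }' "${2:-/proc/keys}"
}

# Decimal key id as keyctl(1) expects it, e.g. keyctl show "$(keyring_id .ima)".
keyring_id() {
    out=$(keyring_serial_and_perm "$1" "$2") || return 1
    printf '%d\n' "0x${out%% *}"
}

# Succeed when KEY_USR_WRITE (0x00040000) is set, i.e. a uid 0 process may
# add keys via add_key(2)/keyctl; whether they must be signed is a separate
# check done by the keyring's type, not by this permission bit.
keyring_usr_writable() {
    out=$(keyring_serial_and_perm "$1" "$2") || return 1
    [ $(( 0x${out#* } & 0x00040000 )) -ne 0 ]
}
```

On a live system call the helpers without the second argument; they then read the real /proc/keys, which exists only when CONFIG_KEYS_DEBUG_PROC_KEYS is enabled.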
