Message-ID: <1454943785.2648.195.camel@linux.vnet.ibm.com>
Subject: Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, petkan@mip-labs.com, linux-kernel@vger.kernel.org
Date: Mon, 08 Feb 2016 10:03:05 -0500
In-Reply-To: <25433.1454939711@warthog.procyon.org.uk>
References: <1454938472.2648.173.camel@linux.vnet.ibm.com> <1453318283.2858.27.camel@linux.vnet.ibm.com> <20160119113026.23238.4498.stgit@warthog.procyon.org.uk> <20160119113041.23238.44728.stgit@warthog.procyon.org.uk> <24522.1454513272@warthog.procyon.org.uk> <25433.1454939711@warthog.procyon.org.uk>
List-ID: linux-kernel@vger.kernel.org

On Mon, 2016-02-08 at 13:55 +0000, David Howells wrote:
> Mimi Zohar wrote:
>
> > In addition, this patch set removes the IMA blacklist without any method for
> > adding blacklisted IMA keys to the system blacklist keyring.
>
> That's not true.
>
> Patch 18 enables userspace to add keys to the system blacklist keyring,
> provided those keys are validly signed:
>
> - KEY_USR_SEARCH,
> + KEY_USR_SEARCH | KEY_USR_WRITE,
> KEY_ALLOC_NOT_IN_QUOTA |
> KEY_FLAG_KEEP,
> - NULL, NULL);
> + restrict_link_by_system_trusted, NULL);
>
> After this commit, you can do everything with the system blacklist keyring
> that you can currently do with the IMA blacklist keyring.

Right, this patch makes the system blacklist keyring writable by userspace and
removes the IMA blacklist. What I don't understand is how to add a key that is
currently on the IMA keyring to the system blacklist?

With the IMA blacklist, the same certificate that was added to the IMA keyring
could be added to the blacklist. (Probably not the best idea.) The system
blacklist currently only supports the TBSCertificate hash, not the key-id.

I have the signed certificate being added to the IMA keyring. I'm missing the
step of getting the TBSCertificate hash based on the certificate.

Mimi
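Review bot: once KEY_USR_WRITE is granted in the quoted hunk, restrict_link_by_system_trusted becomes the only gate on what userspace can link into the system blacklist keyring, so the hunk should carry a comment stating that invariant (only keys validly signed by a key already in the system trusted keyring are accepted) and the patch description should document what a blacklist entry is expected to look like; as the reply in this thread notes, the keyring takes a TBSCertificate hash rather than a certificate or key-id, and nothing in the hunk or its surrounding text tells userspace how that hash is derived from a certificate it already holds.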
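The step the reply says is missing, deriving a TBSCertificate hash from a DER-encoded certificate, as an added example that is not code from the thread or from the kernel patch set: it parses the outer Certificate SEQUENCE, takes its first child element (tbsCertificate, tag and length included) and hashes exactly those bytes. The SHA-256 choice, the "tbs:" description prefix and the minimal Certificate-shaped sample bytes are constructed assumptions, not taken from the patch set.

```python
import hashlib

def der_tlv(tag, content):
    """Encode one DER element; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Parse the DER header at buf[pos]; return (tag, header_len, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        hdr, length = 2, first              # short-form length
    else:
        n = first & 0x7F                    # long-form: n length bytes follow
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, hdr, end

def tbs_certificate(cert_der):
    """Return the DER bytes (tag, length and content) of the tbsCertificate element."""
    tag, hdr, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("input is not a single DER SEQUENCE (Certificate)")
    tbs_tag, _, tbs_end = read_tlv(cert_der, hdr)   # first child is tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    return cert_der[hdr:tbs_end]

def tbs_hash_description(cert_der, algo="sha256"):
    """Blacklist-style description; the 'tbs:' prefix and SHA-256 are assumptions."""
    return "tbs:" + hashlib.new(algo, tbs_certificate(cert_der)).hexdigest()

# Constructed, Certificate-shaped sample: SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
RSA_SHA256_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
SAMPLE_TBS = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x30, RSA_SHA256_OID))
SAMPLE_SIG_ALG = der_tlv(0x30, RSA_SHA256_OID + der_tlv(0x05, b""))
SAMPLE_CERT = der_tlv(0x30, SAMPLE_TBS + SAMPLE_SIG_ALG + der_tlv(0x03, b"\x00" + bytes(128)))

if __name__ == "__main__":
    print(tbs_hash_description(SAMPLE_CERT))
```

On a real certificate, feed the DER bytes (e.g. the output of `openssl x509 -outform DER`) to `tbs_hash_description`; the digest changes only when the signed body changes, never when the signature alone does.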