From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Josh Boyer <jwboyer@redhat.com>,
keyrings <keyrings@linux-nfs.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC PATCH v5 3/4] ima: define '.ima' as a builtin 'trusted' keyring
Date: Mon, 09 Jun 2014 11:45:20 +0300 [thread overview]
Message-ID: <53957420.3080709@samsung.com> (raw)
In-Reply-To: <1402097230.11626.73.camel@dhcp-9-2-203-236.watson.ibm.com>
On 07/06/14 02:27, Mimi Zohar wrote:
> On Sat, 2014-06-07 at 00:53 +0300, Dmitry Kasatkin wrote:
>> On 3 June 2014 20:58, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>> Require all keys added to the IMA keyring be signed by an
>>> existing trusted key on the system trusted keyring.
>>>
>>> Changelog v5:
>>> - Move integrity_init_keyring() to init_ima() - Dmitry
>>> - reset keyring[id] on failure - Dmitry
>>>
>>> Changelog v1:
>>> - don't link IMA trusted keyring to user keyring
>>>
>>> Changelog:
>>> - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
>>> - differentiate between regular and trusted keyring names.
>>> - replace printk with pr_info (D. Kasatkin)
>>> - only make the IMA keyring a trusted keyring (reported-by D. Kastatkin)
>>> - define stub integrity_init_keyring() definition based on
>>> CONFIG_INTEGRITY_SIGNATURE, not CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
>>> (reported-by Jim Davis)
>>>
>>> Signed-off-by: Mimi Zohar<zohar@linux.vnet.ibm.com>
>>> ---
>>> security/integrity/digsig.c | 26 ++++++++++++++++++++++++++
>>> security/integrity/ima/Kconfig | 8 ++++++++
>>> security/integrity/ima/ima_main.c | 12 ++++++++++--
>>> security/integrity/integrity.h | 5 +++++
>>> 4 files changed, 49 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
>>> index b4af4eb..fa4c2fd 100644
>>> --- a/security/integrity/digsig.c
>>> +++ b/security/integrity/digsig.c
>>> @@ -13,7 +13,9 @@
>>> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>>>
>>> #include <linux/err.h>
>>> +#include <linux/sched.h>
>>> #include <linux/rbtree.h>
>>> +#include <linux/cred.h>
>>> #include <linux/key-type.h>
>>> #include <linux/digsig.h>
>>>
>>> @@ -24,7 +26,11 @@ static struct key *keyring[INTEGRITY_KEYRING_MAX];
>>> static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
>>> "_evm",
>>> "_module",
>>> +#ifndef CONFIG_IMA_TRUSTED_KEYRING
>>> "_ima",
>>> +#else
>>> + ".ima",
>>> +#endif
>>> };
>>>
>>> int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>>> @@ -56,3 +62,23 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>>>
>>> return -EOPNOTSUPP;
>>> }
>>> +
>>> +int integrity_init_keyring(const unsigned int id)
>>> +{
>>> + const struct cred *cred = current_cred();
>>> +
>>> + keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
>>> + KGIDT_INIT(0), cred,
>>> + ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
>>> + KEY_USR_VIEW | KEY_USR_READ |
>>> + KEY_USR_WRITE | KEY_USR_SEARCH),
>>> + KEY_ALLOC_NOT_IN_QUOTA, NULL);
>>> + if (!IS_ERR(keyring[id]))
>>> + set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
>>> + else {
>>> + pr_info("Can't allocate %s keyring (%ld)\n",
>>> + keyring_name[id], PTR_ERR(keyring[id]));
>>> + keyring[id] = NULL;
>>> + }
>>> + return 0;
>>> +}
>>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>>> index 81a2797..dad8d4c 100644
>>> --- a/security/integrity/ima/Kconfig
>>> +++ b/security/integrity/ima/Kconfig
>>> @@ -123,3 +123,11 @@ config IMA_APPRAISE
>>> For more information on integrity appraisal refer to:
>>> <http://linux-ima.sourceforge.net>
>>> If unsure, say N.
>>> +
>>> +config IMA_TRUSTED_KEYRING
>>> + bool "Require all keys on the _ima keyring be signed"
>>> + depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
>>> + default y
>>> + help
>>> + This option requires that all keys added to the _ima
>>> + keyring be signed by a key on the system trusted keyring.
>>> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
>>> index 09baa33..4c60cc5 100644
>>> --- a/security/integrity/ima/ima_main.c
>>> +++ b/security/integrity/ima/ima_main.c
>>> @@ -328,8 +328,16 @@ static int __init init_ima(void)
>>>
>>> hash_setup(CONFIG_IMA_DEFAULT_HASH);
>>> error = ima_init();
>>> - if (!error)
>>> - ima_initialized = 1;
>>> + if (error)
>>> + goto out;
>>> +
>>> +#ifdef CONFIG_IMA_TRUSTED_KEYRING
>>> + error = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
>>> + if (error)
>>> + goto out;
>>> +#endif
>> integrity_init_keyring() has variation in header file...
>> Why do you need #ifdef in .c file? You you usually do not like it...
> Up to now, unsigned certificates could be added to the IMA keyring. We
> can not all of a sudden require all keys being added to the IMA keyring
> to be signed. Although there is a stub integrity_init_keyring()
> function definition, it is based on CONFIG_INTEGRITY_SIGNATURE, not
> CONFIG_IMA_TRUSTED_KEYRING.
>
> Right, ifdef's don't belong in C code. One solution would be to define
> ima_init_keyring() as a wrapper for integrity_init_keyring() and a stub
> function.
>
> Mimi
I think 'ima_init_keyring" could be a good approach.
>From other hand, if you look to kernel/module.c, then you will find ~40
#ifdefs of the source code...
So it may be indeed clear from __init point of view what we initialize
and what not...
- Dmitry
>>> + ima_initialized = 1;
>>> +out:
>>> return error;
>>> }
>>>
>>> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
>>> index 33c0a70..09c440d 100644
>>> --- a/security/integrity/integrity.h
>>> +++ b/security/integrity/integrity.h
>>> @@ -124,6 +124,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
>>> int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>>> const char *digest, int digestlen);
>>>
>>> +int integrity_init_keyring(const unsigned int id);
>>> #else
>>>
>>> static inline int integrity_digsig_verify(const unsigned int id,
>>> @@ -133,6 +134,10 @@ static inline int integrity_digsig_verify(const unsigned int id,
>>> return -EOPNOTSUPP;
>>> }
>>>
>>> +static inline int integrity_init_keyring(const unsigned int id)
>>> +{
>>> + return 0;
>>> +}
>>> #endif /* CONFIG_INTEGRITY_SIGNATURE */
>>>
>>> #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
>>> --
>>> 1.8.1.4
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2014-06-09 8:45 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-03 17:58 [RFC PATCH v5 0/4] ima: extending secure boot certificate chain of trust Mimi Zohar
2014-06-03 17:58 ` [RFC PATCH v5 1/4] KEYS: special dot prefixed keyring name bug fix Mimi Zohar
2014-06-06 21:48 ` Dmitry Kasatkin
2014-06-06 22:00 ` Mimi Zohar
2014-06-09 7:56 ` Dmitry Kasatkin
2014-06-09 8:17 ` Dmitry Kasatkin
2014-06-03 17:58 ` [RFC PATCH v5 2/4] KEYS: verify a certificate is signed by a 'trusted' key Mimi Zohar
2014-06-06 21:50 ` Dmitry Kasatkin
2014-06-09 13:13 ` Dmitry Kasatkin
2014-06-09 13:48 ` Mimi Zohar
2014-06-09 14:57 ` Dmitry Kasatkin
2014-06-03 17:58 ` [RFC PATCH v5 3/4] ima: define '.ima' as a builtin 'trusted' keyring Mimi Zohar
2014-06-06 21:53 ` Dmitry Kasatkin
2014-06-06 23:27 ` Mimi Zohar
2014-06-09 8:45 ` Dmitry Kasatkin [this message]
2014-06-03 17:58 ` [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring Mimi Zohar
2014-06-09 12:13 ` Dmitry Kasatkin
2014-06-09 12:51 ` Mimi Zohar
2014-06-09 13:05 ` Dmitry Kasatkin
2014-06-09 13:48 ` Mimi Zohar
2014-06-09 13:58 ` Dmitry Kasatkin
2014-06-09 14:06 ` Dmitry Kasatkin
2014-06-09 16:33 ` Mimi Zohar
2014-06-10 8:48 ` [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only Dmitry Kasatkin
2014-06-10 8:48 ` [PATCH 1/4] KEYS: define an owner trusted keyring Dmitry Kasatkin
2014-06-10 12:24 ` Josh Boyer
2014-06-10 12:41 ` Dmitry Kasatkin
2014-06-10 13:07 ` Mimi Zohar
2014-06-10 8:48 ` [PATCH 2/4] KEYS: fix couple of things Dmitry Kasatkin
2014-06-10 8:48 ` [PATCH 3/4] KEYS: validate key trust only with selected owner key Dmitry Kasatkin
2014-06-12 16:03 ` Vivek Goyal
2014-06-12 16:55 ` Mimi Zohar
2014-06-12 17:00 ` Vivek Goyal
2014-06-12 17:17 ` Mimi Zohar
2014-06-12 17:23 ` Vivek Goyal
2014-06-12 17:23 ` Dmitry Kasatkin
2014-06-12 17:32 ` Vivek Goyal
2014-06-12 17:37 ` Mimi Zohar
2014-06-12 18:36 ` Dmitry Kasatkin
2014-06-12 19:01 ` Vivek Goyal
2014-06-12 19:04 ` Dmitry Kasatkin
2014-06-12 19:05 ` Vivek Goyal
2014-06-12 19:15 ` Dmitry Kasatkin
2014-06-10 8:48 ` [PATCH 4/4] KEYS: validate key trust only with builtin keys Dmitry Kasatkin
2014-06-10 12:20 ` [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only Josh Boyer
2014-06-10 12:52 ` Mimi Zohar
2014-06-10 13:21 ` Dmitry Kasatkin
2014-06-10 13:29 ` Josh Boyer
2014-06-10 14:53 ` Mimi Zohar
2014-06-10 12:58 ` Dmitry Kasatkin
2014-06-10 15:08 ` Matthew Garrett
2014-06-10 20:39 ` Dmitry Kasatkin
[not found] ` <CACE9dm9Ff6b3J=05QfcgBv-c_y=5qGNq1-ZSfo4smtj34i1e-A@mail.gmail.com>
2014-06-10 20:40 ` Matthew Garrett
2014-06-10 21:00 ` Dmitry Kasatkin
2014-06-10 21:17 ` Dmitry Kasatkin
2014-06-10 21:25 ` Matthew Garrett
2014-06-10 21:34 ` Dmitry Kasatkin
2014-06-10 21:40 ` Matthew Garrett
2014-06-10 21:45 ` Dmitry Kasatkin
2014-06-11 1:24 ` Mimi Zohar
2014-06-11 2:22 ` Matthew Garrett
2014-06-11 3:08 ` Mimi Zohar
2014-06-11 3:23 ` Matthew Garrett
2014-06-11 12:30 ` Mimi Zohar
2014-06-11 15:20 ` Matthew Garrett
2014-06-27 14:16 ` David Howells
2014-06-10 21:40 ` Dmitry Kasatkin
2014-06-10 12:45 ` Mimi Zohar
2014-06-10 12:49 ` Dmitry Kasatkin
2014-06-11 20:49 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53957420.3080709@samsung.com \
--to=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jwboyer@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox