certs: Fix blacklist flag type confusion

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(),
as these only take KEY_ALLOC_* flags. KEY_FLAG_KEEP has the same value as
KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update()
uses it. LSMs using the key_alloc hook don't check that flag.

KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot
write to the blacklist keyring, so it is not possible to remove a key/hash
from it.

Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set
KEY_FLAG_KEEP on the new key. blacklist_init() can then, correctly, pass
this to keyring_alloc().

We can also use this in ima_mok_init() rather than setting the flag
manually.

Note that this doesn't fix an observable bug with the current
implementation but it is required to allow addition of new hashes to the
blacklist in the future without making it possible for them to be removed.

Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring")
Reported-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Mickaël Salaün <mic@linux.microsoft.com>
cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Woodhouse <dwmw2@infradead.org>

David Howells 5 years ago 4993e1f9 f14602ca

+6 -4

4 changed files

expand all

certs

blacklist.c

include

linux

key.h

security

integrity

ima

ima_mok.c

keys

key.c

+1 -1

certs/blacklist.c

··· 162 162 KEY_USR_VIEW | KEY_USR_READ | 163 163 KEY_USR_SEARCH, 164 164 KEY_ALLOC_NOT_IN_QUOTA | 165 - KEY_FLAG_KEEP, 165 + KEY_ALLOC_SET_KEEP, 166 166 NULL, NULL); 167 167 if (IS_ERR(blacklist_keyring)) 168 168 panic("Can't allocate system blacklist keyring\n");

include/linux/key.h

··· 289 289 #define KEY_ALLOC_BUILT_IN 0x0004 /* Key is built into kernel */ 290 290 #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ 291 291 #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ 292 + #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ 292 293 293 294 extern void key_revoke(struct key *key); 294 295 extern void key_invalidate(struct key *key);

+2 -3

security/integrity/ima/ima_mok.c

··· 38 38 (KEY_POS_ALL & ~KEY_POS_SETATTR) | 39 39 KEY_USR_VIEW | KEY_USR_READ | 40 40 KEY_USR_WRITE | KEY_USR_SEARCH, 41 - KEY_ALLOC_NOT_IN_QUOTA, 41 + KEY_ALLOC_NOT_IN_QUOTA | 42 + KEY_ALLOC_SET_KEEP, 42 43 restriction, NULL); 43 44 44 45 if (IS_ERR(ima_blacklist_keyring)) 45 46 panic("Can't allocate IMA blacklist keyring."); 46 - 47 - set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags); 48 47 return 0; 49 48 } 50 49 device_initcall(ima_mok_init);

security/keys/key.c

··· 303 303 key->flags |= 1 << KEY_FLAG_BUILTIN; 304 304 if (flags & KEY_ALLOC_UID_KEYRING) 305 305 key->flags |= 1 << KEY_FLAG_UID_KEYRING; 306 + if (flags & KEY_ALLOC_SET_KEEP) 307 + key->flags |= 1 << KEY_FLAG_KEEP; 306 308 307 309 #ifdef KEY_DEBUGGING 308 310 key->magic = KEY_DEBUG_MAGIC;