tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

keys: add a "logon" key type

For CIFS, we want to be able to store NTLM credentials (aka username
and password) in the keyring. We do not, however want to allow users
to fetch those keys back out of the keyring since that would be a
security risk.

Unfortunately, due to the nuances of key permission bits, it's not
possible to do this. We need to grant search permissions so the kernel
can find these keys, but that also implies permissions to read the
payload.

Resolve this by adding a new key_type. This key type is essentially
the same as key_type_user, but does not define a .read op. This
prevents the payload from ever being visible from userspace. This
key type also vets the description to ensure that it's "qualified"
by checking to ensure that it has a ':' in it that is preceded by
other characters.

Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>

authored by

Jeff Layton and committed by
Steve French 9f6ed2ca ce91acb3

+41 -1
+2 -1
include/keys/user-type.h
··· 17 17 18 18 /*****************************************************************************/ 19 19 /* 20 - * the payload for a key of type "user" 20 + * the payload for a key of type "user" or "logon" 21 21 * - once filled in and attached to a key: 22 22 * - the payload struct is invariant may not be changed, only replaced 23 23 * - the payload must be read with RCU procedures or with the key semaphore ··· 33 33 }; 34 34 35 35 extern struct key_type key_type_user; 36 + extern struct key_type key_type_logon; 36 37 37 38 extern int user_instantiate(struct key *key, const void *data, size_t datalen); 38 39 extern int user_update(struct key *key, const void *data, size_t datalen);
+1
security/keys/internal.h
··· 33 33 34 34 extern struct key_type key_type_dead; 35 35 extern struct key_type key_type_user; 36 + extern struct key_type key_type_logon; 36 37 37 38 /*****************************************************************************/ 38 39 /*
+1
security/keys/key.c
··· 999 999 list_add_tail(&key_type_keyring.link, &key_types_list); 1000 1000 list_add_tail(&key_type_dead.link, &key_types_list); 1001 1001 list_add_tail(&key_type_user.link, &key_types_list); 1002 + list_add_tail(&key_type_logon.link, &key_types_list); 1002 1003 1003 1004 /* record the root user tracking */ 1004 1005 rb_link_node(&root_key_user.node,
+37
security/keys/user_defined.c
··· 18 18 #include <asm/uaccess.h> 19 19 #include "internal.h" 20 20 21 + static int logon_vet_description(const char *desc); 22 + 21 23 /* 22 24 * user defined keys take an arbitrary string as the description and an 23 25 * arbitrary blob of data as the payload ··· 36 34 }; 37 35 38 36 EXPORT_SYMBOL_GPL(key_type_user); 37 + 38 + /* 39 + * This key type is essentially the same as key_type_user, but it does 40 + * not define a .read op. This is suitable for storing username and 41 + * password pairs in the keyring that you do not want to be readable 42 + * from userspace. 43 + */ 44 + struct key_type key_type_logon = { 45 + .name = "logon", 46 + .instantiate = user_instantiate, 47 + .update = user_update, 48 + .match = user_match, 49 + .revoke = user_revoke, 50 + .destroy = user_destroy, 51 + .describe = user_describe, 52 + .vet_description = logon_vet_description, 53 + }; 54 + EXPORT_SYMBOL_GPL(key_type_logon); 39 55 40 56 /* 41 57 * instantiate a user defined key ··· 209 189 } 210 190 211 191 EXPORT_SYMBOL_GPL(user_read); 192 + 193 + /* Vet the description for a "logon" key */ 194 + static int logon_vet_description(const char *desc) 195 + { 196 + char *p; 197 + 198 + /* require a "qualified" description string */ 199 + p = strchr(desc, ':'); 200 + if (!p) 201 + return -EINVAL; 202 + 203 + /* also reject description with ':' as first char */ 204 + if (p == desc) 205 + return -EINVAL; 206 + 207 + return 0; 208 + }