tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
of modules and firmware to be loaded from a specific device (this
is from ChromeOS, where the device as a whole is verified
cryptographically via dm-verity).
This is disabled by default but can be configured to be enabled by
default (don't do this if you don't know what you're doing).
- Keys: allow authentication data to be stored in an asymmetric key.
Lots of general fixes and updates.
- SELinux: add restrictions for loading of kernel modules via
finit_module(). Distinguish non-init user namespace capability
checks. Apply execstack check on thread stacks"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
LSM: LoadPin: provide enablement CONFIG
Yama: use atomic allocations when reporting
seccomp: Fix comment typo
ima: add support for creating files using the mknodat syscall
ima: fix ima_inode_post_setattr
vfs: forbid write access when reading a file into memory
fs: fix over-zealous use of "const"
selinux: apply execstack check on thread stacks
selinux: distinguish non-init user namespace capability checks
LSM: LoadPin for kernel file loading restrictions
fs: define a string representation of the kernel_read_file_id enumeration
Yama: consolidate error reporting
string_helpers: add kstrdup_quotable_file
string_helpers: add kstrdup_quotable_cmdline
string_helpers: add kstrdup_quotable
selinux: check ss_initialized before revalidating an inode label
selinux: delay inode label lookup as long as possible
selinux: don't revalidate an inode's label when explicitly setting it
selinux: Change bool variable name to index.
KEYS: Add KEYCTL_DH_COMPUTE command
...
+1915
-807
+17
Documentation/security/LoadPin.txt
+17
Documentation/security/LoadPin.txt
···
1
+
LoadPin is a Linux Security Module that ensures all kernel-loaded files
2
+
(modules, firmware, etc) all originate from the same filesystem, with
3
+
the expectation that such a filesystem is backed by a read-only device
4
+
such as dm-verity or CDROM. This allows systems that have a verified
5
+
and/or unchangeable filesystem to enforce module and firmware loading
6
+
restrictions without needing to sign the files individually.
7
+
8
+
The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and
9
+
can be controlled at boot-time with the kernel command line option
10
+
"loadpin.enabled". By default, it is enabled, but can be disabled at
11
+
boot ("loadpin.enabled=0").
12
+
13
+
LoadPin starts pinning when it sees the first file loaded. If the
14
+
block device backing the filesystem is not read-only, a sysctl is
15
+
created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having
16
+
a mutable filesystem means pinning is mutable too, but having the
17
+
sysctl allows for easy testing on systems with a mutable filesystem.)
+52
Documentation/security/keys.txt
+52
Documentation/security/keys.txt
···
823
823
A process must have search permission on the key for this function to be
824
824
successful.
825
825
826
+
(*) Compute a Diffie-Hellman shared secret or public key
827
+
828
+
long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params,
829
+
char *buffer, size_t buflen);
830
+
831
+
The params struct contains serial numbers for three keys:
832
+
833
+
- The prime, p, known to both parties
834
+
- The local private key
835
+
- The base integer, which is either a shared generator or the
836
+
remote public key
837
+
838
+
The value computed is:
839
+
840
+
result = base ^ private (mod prime)
841
+
842
+
If the base is the shared generator, the result is the local
843
+
public key. If the base is the remote public key, the result is
844
+
the shared secret.
845
+
846
+
The buffer length must be at least the length of the prime, or zero.
847
+
848
+
If the buffer length is nonzero, the length of the result is
849
+
returned when it is successfully calculated and copied in to the
850
+
buffer. When the buffer length is zero, the minimum required
851
+
buffer length is returned.
852
+
853
+
This function will return error EOPNOTSUPP if the key type is not
854
+
supported, error ENOKEY if the key could not be found, or error
855
+
EACCES if the key is not readable by the caller.
826
856
827
857
===============
828
858
KERNEL SERVICES
···
1029
999
struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
1030
1000
const struct cred *cred,
1031
1001
key_perm_t perm,
1002
+
int (*restrict_link)(struct key *,
1003
+
const struct key_type *,
1004
+
unsigned long,
1005
+
const union key_payload *),
1032
1006
unsigned long flags,
1033
1007
struct key *dest);
1034
1008
···
1043
1009
Error EDQUOT can be returned if the keyring would overload the quota (pass
1044
1010
KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted
1045
1011
towards the user's quota). Error ENOMEM can also be returned.
1012
+
1013
+
If restrict_link not NULL, it should point to a function that will be
1014
+
called each time an attempt is made to link a key into the new keyring.
1015
+
This function is called to check whether a key may be added into the keying
1016
+
or not. Callers of key_create_or_update() within the kernel can pass
1017
+
KEY_ALLOC_BYPASS_RESTRICTION to suppress the check. An example of using
1018
+
this is to manage rings of cryptographic keys that are set up when the
1019
+
kernel boots where userspace is also permitted to add keys - provided they
1020
+
can be verified by a key the kernel already has.
1021
+
1022
+
When called, the restriction function will be passed the keyring being
1023
+
added to, the key flags value and the type and payload of the key being
1024
+
added. Note that when a new key is being created, this is called between
1025
+
payload preparsing and actual key creation. The function should return 0
1026
+
to allow the link or an error to reject it.
1027
+
1028
+
A convenience function, restrict_link_reject, exists to always return
1029
+
-EPERM to in this case.
1046
1030
1047
1031
1048
1032
(*) To check the validity of a key, this function can be called:
+6
MAINTAINERS
+6
MAINTAINERS
···
10025
10025
S: Supported
10026
10026
F: security/apparmor/
10027
10027
10028
+
LOADPIN SECURITY MODULE
10029
+
M: Kees Cook <keescook@chromium.org>
10030
+
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/loadpin
10031
+
S: Supported
10032
+
F: security/loadpin/
10033
+
10028
10034
YAMA SECURITY MODULE
10029
10035
M: Kees Cook <keescook@chromium.org>
10030
10036
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git yama/tip
+4
-14
arch/x86/kernel/kexec-bzimage64.c
+4
-14
arch/x86/kernel/kexec-bzimage64.c
···
19
19
#include <linux/kernel.h>
20
20
#include <linux/mm.h>
21
21
#include <linux/efi.h>
22
-
#include <linux/verify_pefile.h>
23
-
#include <keys/system_keyring.h>
22
+
#include <linux/verification.h>
24
23
25
24
#include <asm/bootparam.h>
26
25
#include <asm/setup.h>
···
528
529
#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
529
530
static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
530
531
{
531
-
bool trusted;
532
-
int ret;
533
-
534
-
ret = verify_pefile_signature(kernel, kernel_len,
535
-
system_trusted_keyring,
536
-
VERIFYING_KEXEC_PE_SIGNATURE,
537
-
&trusted);
538
-
if (ret < 0)
539
-
return ret;
540
-
if (!trusted)
541
-
return -EKEYREJECTED;
542
-
return 0;
532
+
return verify_pefile_signature(kernel, kernel_len,
533
+
NULL,
534
+
VERIFYING_KEXEC_PE_SIGNATURE);
543
535
}
544
536
#endif
545
537
+9
certs/Kconfig
+9
certs/Kconfig
···
17
17
config SYSTEM_TRUSTED_KEYRING
18
18
bool "Provide system-wide ring of trusted keys"
19
19
depends on KEYS
20
+
depends on ASYMMETRIC_KEY_TYPE
20
21
help
21
22
Provide a system keyring to which trusted keys can be added. Keys in
22
23
the keyring are considered to be trusted. Keys may be added at will
···
55
54
help
56
55
This is the number of bytes reserved in the kernel image for a
57
56
certificate to be inserted.
57
+
58
+
config SECONDARY_TRUSTED_KEYRING
59
+
bool "Provide a keyring to which extra trustable keys may be added"
60
+
depends on SYSTEM_TRUSTED_KEYRING
61
+
help
62
+
If set, provide a keyring to which extra keys may be added, provided
63
+
those keys are not blacklisted and are vouched for by a key built
64
+
into the kernel or already in the secondary trusted keyring.
58
65
59
66
endmenu
+113
-26
certs/system_keyring.c
+113
-26
certs/system_keyring.c
···
18
18
#include <keys/system_keyring.h>
19
19
#include <crypto/pkcs7.h>
20
20
21
-
struct key *system_trusted_keyring;
22
-
EXPORT_SYMBOL_GPL(system_trusted_keyring);
21
+
static struct key *builtin_trusted_keys;
22
+
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
23
+
static struct key *secondary_trusted_keys;
24
+
#endif
23
25
24
26
extern __initconst const u8 system_certificate_list[];
25
27
extern __initconst const unsigned long system_certificate_list_size;
26
28
29
+
/**
30
+
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
31
+
*
32
+
* Restrict the addition of keys into a keyring based on the key-to-be-added
33
+
* being vouched for by a key in the built in system keyring.
34
+
*/
35
+
int restrict_link_by_builtin_trusted(struct key *keyring,
36
+
const struct key_type *type,
37
+
const union key_payload *payload)
38
+
{
39
+
return restrict_link_by_signature(builtin_trusted_keys, type, payload);
40
+
}
41
+
42
+
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
43
+
/**
44
+
* restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
45
+
* addition by both builtin and secondary keyrings
46
+
*
47
+
* Restrict the addition of keys into a keyring based on the key-to-be-added
48
+
* being vouched for by a key in either the built-in or the secondary system
49
+
* keyrings.
50
+
*/
51
+
int restrict_link_by_builtin_and_secondary_trusted(
52
+
struct key *keyring,
53
+
const struct key_type *type,
54
+
const union key_payload *payload)
55
+
{
56
+
/* If we have a secondary trusted keyring, then that contains a link
57
+
* through to the builtin keyring and the search will follow that link.
58
+
*/
59
+
if (type == &key_type_keyring &&
60
+
keyring == secondary_trusted_keys &&
61
+
payload == &builtin_trusted_keys->payload)
62
+
/* Allow the builtin keyring to be added to the secondary */
63
+
return 0;
64
+
65
+
return restrict_link_by_signature(secondary_trusted_keys, type, payload);
66
+
}
67
+
#endif
68
+
27
69
/*
28
-
* Load the compiled-in keys
70
+
* Create the trusted keyrings
29
71
*/
30
72
static __init int system_trusted_keyring_init(void)
31
73
{
32
-
pr_notice("Initialise system trusted keyring\n");
74
+
pr_notice("Initialise system trusted keyrings\n");
33
75
34
-
system_trusted_keyring =
35
-
keyring_alloc(".system_keyring",
76
+
builtin_trusted_keys =
77
+
keyring_alloc(".builtin_trusted_keys",
36
78
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
37
79
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
38
80
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
39
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
40
-
if (IS_ERR(system_trusted_keyring))
41
-
panic("Can't allocate system trusted keyring\n");
81
+
KEY_ALLOC_NOT_IN_QUOTA,
82
+
NULL, NULL);
83
+
if (IS_ERR(builtin_trusted_keys))
84
+
panic("Can't allocate builtin trusted keyring\n");
42
85
43
-
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
86
+
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
87
+
secondary_trusted_keys =
88
+
keyring_alloc(".secondary_trusted_keys",
89
+
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
90
+
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
91
+
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
92
+
KEY_USR_WRITE),
93
+
KEY_ALLOC_NOT_IN_QUOTA,
94
+
restrict_link_by_builtin_and_secondary_trusted,
95
+
NULL);
96
+
if (IS_ERR(secondary_trusted_keys))
97
+
panic("Can't allocate secondary trusted keyring\n");
98
+
99
+
if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
100
+
panic("Can't link trusted keyrings\n");
101
+
#endif
102
+
44
103
return 0;
45
104
}
46
105
···
135
76
if (plen > end - p)
136
77
goto dodgy_cert;
137
78
138
-
key = key_create_or_update(make_key_ref(system_trusted_keyring, 1),
79
+
key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
139
80
"asymmetric",
140
81
NULL,
141
82
p,
···
143
84
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
144
85
KEY_USR_VIEW | KEY_USR_READ),
145
86
KEY_ALLOC_NOT_IN_QUOTA |
146
-
KEY_ALLOC_TRUSTED |
147
-
KEY_ALLOC_BUILT_IN);
87
+
KEY_ALLOC_BUILT_IN |
88
+
KEY_ALLOC_BYPASS_RESTRICTION);
148
89
if (IS_ERR(key)) {
149
90
pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
150
91
PTR_ERR(key));
···
167
108
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
168
109
169
110
/**
170
-
* Verify a PKCS#7-based signature on system data.
171
-
* @data: The data to be verified.
111
+
* verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
112
+
* @data: The data to be verified (NULL if expecting internal data).
172
113
* @len: Size of @data.
173
114
* @raw_pkcs7: The PKCS#7 message that is the signature.
174
115
* @pkcs7_len: The size of @raw_pkcs7.
116
+
* @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
117
+
* (void *)1UL for all trusted keys).
175
118
* @usage: The use to which the key is being put.
119
+
* @view_content: Callback to gain access to content.
120
+
* @ctx: Context for callback.
176
121
*/
177
-
int system_verify_data(const void *data, unsigned long len,
178
-
const void *raw_pkcs7, size_t pkcs7_len,
179
-
enum key_being_used_for usage)
122
+
int verify_pkcs7_signature(const void *data, size_t len,
123
+
const void *raw_pkcs7, size_t pkcs7_len,
124
+
struct key *trusted_keys,
125
+
enum key_being_used_for usage,
126
+
int (*view_content)(void *ctx,
127
+
const void *data, size_t len,
128
+
size_t asn1hdrlen),
129
+
void *ctx)
180
130
{
181
131
struct pkcs7_message *pkcs7;
182
-
bool trusted;
183
132
int ret;
184
133
185
134
pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
···
195
128
return PTR_ERR(pkcs7);
196
129
197
130
/* The data should be detached - so we need to supply it. */
198
-
if (pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
131
+
if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
199
132
pr_err("PKCS#7 signature with non-detached data\n");
200
133
ret = -EBADMSG;
201
134
goto error;
···
205
138
if (ret < 0)
206
139
goto error;
207
140
208
-
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
209
-
if (ret < 0)
141
+
if (!trusted_keys) {
142
+
trusted_keys = builtin_trusted_keys;
143
+
} else if (trusted_keys == (void *)1UL) {
144
+
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
145
+
trusted_keys = secondary_trusted_keys;
146
+
#else
147
+
trusted_keys = builtin_trusted_keys;
148
+
#endif
149
+
}
150
+
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
151
+
if (ret < 0) {
152
+
if (ret == -ENOKEY)
153
+
pr_err("PKCS#7 signature not signed with a trusted key\n");
210
154
goto error;
155
+
}
211
156
212
-
if (!trusted) {
213
-
pr_err("PKCS#7 signature not signed with a trusted key\n");
214
-
ret = -ENOKEY;
157
+
if (view_content) {
158
+
size_t asn1hdrlen;
159
+
160
+
ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
161
+
if (ret < 0) {
162
+
if (ret == -ENODATA)
163
+
pr_devel("PKCS#7 message does not contain data\n");
164
+
goto error;
165
+
}
166
+
167
+
ret = view_content(ctx, data, len, asn1hdrlen);
215
168
}
216
169
217
170
error:
···
239
152
pr_devel("<==%s() = %d\n", __func__, ret);
240
153
return ret;
241
154
}
242
-
EXPORT_SYMBOL_GPL(system_verify_data);
155
+
EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
243
156
244
157
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+3
-3
crypto/asymmetric_keys/Kconfig
+3
-3
crypto/asymmetric_keys/Kconfig
···
1
1
menuconfig ASYMMETRIC_KEY_TYPE
2
-
tristate "Asymmetric (public-key cryptographic) key type"
2
+
bool "Asymmetric (public-key cryptographic) key type"
3
3
depends on KEYS
4
4
help
5
5
This option provides support for a key type that holds the data for
···
40
40
41
41
config PKCS7_TEST_KEY
42
42
tristate "PKCS#7 testing key type"
43
-
depends on PKCS7_MESSAGE_PARSER
44
-
select SYSTEM_TRUSTED_KEYRING
43
+
depends on SYSTEM_DATA_VERIFICATION
45
44
help
46
45
This option provides a type of key that can be loaded up from a
47
46
PKCS#7 message - provided the message is signed by a trusted key. If
···
53
54
config SIGNED_PE_FILE_VERIFICATION
54
55
bool "Support for PE file signature verification"
55
56
depends on PKCS7_MESSAGE_PARSER=y
57
+
depends on SYSTEM_DATA_VERIFICATION
56
58
select ASN1
57
59
select OID_REGISTRY
58
60
help
+4
-1
crypto/asymmetric_keys/Makefile
+4
-1
crypto/asymmetric_keys/Makefile
+2
crypto/asymmetric_keys/asymmetric_keys.h
+2
crypto/asymmetric_keys/asymmetric_keys.h
+94
-2
crypto/asymmetric_keys/asymmetric_type.c
+94
-2
crypto/asymmetric_keys/asymmetric_type.c
···
35
35
static DECLARE_RWSEM(asymmetric_key_parsers_sem);
36
36
37
37
/**
38
+
* find_asymmetric_key - Find a key by ID.
39
+
* @keyring: The keys to search.
40
+
* @id_0: The first ID to look for or NULL.
41
+
* @id_1: The second ID to look for or NULL.
42
+
* @partial: Use partial match if true, exact if false.
43
+
*
44
+
* Find a key in the given keyring by identifier. The preferred identifier is
45
+
* the id_0 and the fallback identifier is the id_1. If both are given, the
46
+
* lookup is by the former, but the latter must also match.
47
+
*/
48
+
struct key *find_asymmetric_key(struct key *keyring,
49
+
const struct asymmetric_key_id *id_0,
50
+
const struct asymmetric_key_id *id_1,
51
+
bool partial)
52
+
{
53
+
struct key *key;
54
+
key_ref_t ref;
55
+
const char *lookup;
56
+
char *req, *p;
57
+
int len;
58
+
59
+
if (id_0) {
60
+
lookup = id_0->data;
61
+
len = id_0->len;
62
+
} else {
63
+
lookup = id_1->data;
64
+
len = id_1->len;
65
+
}
66
+
67
+
/* Construct an identifier "id:<keyid>". */
68
+
p = req = kmalloc(2 + 1 + len * 2 + 1, GFP_KERNEL);
69
+
if (!req)
70
+
return ERR_PTR(-ENOMEM);
71
+
72
+
if (partial) {
73
+
*p++ = 'i';
74
+
*p++ = 'd';
75
+
} else {
76
+
*p++ = 'e';
77
+
*p++ = 'x';
78
+
}
79
+
*p++ = ':';
80
+
p = bin2hex(p, lookup, len);
81
+
*p = 0;
82
+
83
+
pr_debug("Look up: \"%s\"\n", req);
84
+
85
+
ref = keyring_search(make_key_ref(keyring, 1),
86
+
&key_type_asymmetric, req);
87
+
if (IS_ERR(ref))
88
+
pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref));
89
+
kfree(req);
90
+
91
+
if (IS_ERR(ref)) {
92
+
switch (PTR_ERR(ref)) {
93
+
/* Hide some search errors */
94
+
case -EACCES:
95
+
case -ENOTDIR:
96
+
case -EAGAIN:
97
+
return ERR_PTR(-ENOKEY);
98
+
default:
99
+
return ERR_CAST(ref);
100
+
}
101
+
}
102
+
103
+
key = key_ref_to_ptr(ref);
104
+
if (id_0 && id_1) {
105
+
const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
106
+
107
+
if (!kids->id[0]) {
108
+
pr_debug("First ID matches, but second is missing\n");
109
+
goto reject;
110
+
}
111
+
if (!asymmetric_key_id_same(id_1, kids->id[1])) {
112
+
pr_debug("First ID matches, but second does not\n");
113
+
goto reject;
114
+
}
115
+
}
116
+
117
+
pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key));
118
+
return key;
119
+
120
+
reject:
121
+
key_put(key);
122
+
return ERR_PTR(-EKEYREJECTED);
123
+
}
124
+
EXPORT_SYMBOL_GPL(find_asymmetric_key);
125
+
126
+
/**
38
127
* asymmetric_key_generate_id: Construct an asymmetric key ID
39
128
* @val_1: First binary blob
40
129
* @len_1: Length of first binary blob
···
420
331
pr_devel("==>%s()\n", __func__);
421
332
422
333
if (subtype) {
423
-
subtype->destroy(prep->payload.data[asym_crypto]);
334
+
subtype->destroy(prep->payload.data[asym_crypto],
335
+
prep->payload.data[asym_auth]);
424
336
module_put(subtype->owner);
425
337
}
426
338
asymmetric_key_free_kids(kids);
···
436
346
struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
437
347
struct asymmetric_key_ids *kids = key->payload.data[asym_key_ids];
438
348
void *data = key->payload.data[asym_crypto];
349
+
void *auth = key->payload.data[asym_auth];
439
350
440
351
key->payload.data[asym_crypto] = NULL;
441
352
key->payload.data[asym_subtype] = NULL;
442
353
key->payload.data[asym_key_ids] = NULL;
354
+
key->payload.data[asym_auth] = NULL;
443
355
444
356
if (subtype) {
445
-
subtype->destroy(data);
357
+
subtype->destroy(data, auth);
446
358
module_put(subtype->owner);
447
359
}
448
360
+7
-14
crypto/asymmetric_keys/mscode_parser.c
+7
-14
crypto/asymmetric_keys/mscode_parser.c
···
21
21
/*
22
22
* Parse a Microsoft Individual Code Signing blob
23
23
*/
24
-
int mscode_parse(struct pefile_context *ctx)
24
+
int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
25
+
size_t asn1hdrlen)
25
26
{
26
-
const void *content_data;
27
-
size_t data_len;
28
-
int ret;
27
+
struct pefile_context *ctx = _ctx;
29
28
30
-
ret = pkcs7_get_content_data(ctx->pkcs7, &content_data, &data_len, 1);
31
-
32
-
if (ret) {
33
-
pr_debug("PKCS#7 message does not contain data\n");
34
-
return ret;
35
-
}
36
-
29
+
content_data -= asn1hdrlen;
30
+
data_len += asn1hdrlen;
37
31
pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len),
38
32
content_data);
39
33
···
123
129
{
124
130
struct pefile_context *ctx = context;
125
131
126
-
ctx->digest = value;
127
-
ctx->digest_len = vlen;
128
-
return 0;
132
+
ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
133
+
return ctx->digest ? 0 : -ENOMEM;
129
134
}
+28
-44
crypto/asymmetric_keys/pkcs7_key_type.c
+28
-44
crypto/asymmetric_keys/pkcs7_key_type.c
···
13
13
#include <linux/key.h>
14
14
#include <linux/err.h>
15
15
#include <linux/module.h>
16
+
#include <linux/verification.h>
16
17
#include <linux/key-type.h>
17
-
#include <keys/asymmetric-type.h>
18
-
#include <crypto/pkcs7.h>
19
18
#include <keys/user-type.h>
20
-
#include <keys/system_keyring.h>
21
-
#include "pkcs7_parser.h"
22
19
23
20
MODULE_LICENSE("GPL");
24
21
MODULE_DESCRIPTION("PKCS#7 testing key type");
···
26
29
"Usage to specify when verifying the PKCS#7 message");
27
30
28
31
/*
32
+
* Retrieve the PKCS#7 message content.
33
+
*/
34
+
static int pkcs7_view_content(void *ctx, const void *data, size_t len,
35
+
size_t asn1hdrlen)
36
+
{
37
+
struct key_preparsed_payload *prep = ctx;
38
+
const void *saved_prep_data;
39
+
size_t saved_prep_datalen;
40
+
int ret;
41
+
42
+
saved_prep_data = prep->data;
43
+
saved_prep_datalen = prep->datalen;
44
+
prep->data = data;
45
+
prep->datalen = len;
46
+
47
+
ret = user_preparse(prep);
48
+
49
+
prep->data = saved_prep_data;
50
+
prep->datalen = saved_prep_datalen;
51
+
return ret;
52
+
}
53
+
54
+
/*
29
55
* Preparse a PKCS#7 wrapped and validated data blob.
30
56
*/
31
57
static int pkcs7_preparse(struct key_preparsed_payload *prep)
32
58
{
33
59
enum key_being_used_for usage = pkcs7_usage;
34
-
struct pkcs7_message *pkcs7;
35
-
const void *data, *saved_prep_data;
36
-
size_t datalen, saved_prep_datalen;
37
-
bool trusted;
38
-
int ret;
39
-
40
-
kenter("");
41
60
42
61
if (usage >= NR__KEY_BEING_USED_FOR) {
43
62
pr_err("Invalid usage type %d\n", usage);
44
63
return -EINVAL;
45
64
}
46
65
47
-
saved_prep_data = prep->data;
48
-
saved_prep_datalen = prep->datalen;
49
-
pkcs7 = pkcs7_parse_message(saved_prep_data, saved_prep_datalen);
50
-
if (IS_ERR(pkcs7)) {
51
-
ret = PTR_ERR(pkcs7);
52
-
goto error;
53
-
}
54
-
55
-
ret = pkcs7_verify(pkcs7, usage);
56
-
if (ret < 0)
57
-
goto error_free;
58
-
59
-
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
60
-
if (ret < 0)
61
-
goto error_free;
62
-
if (!trusted)
63
-
pr_warn("PKCS#7 message doesn't chain back to a trusted key\n");
64
-
65
-
ret = pkcs7_get_content_data(pkcs7, &data, &datalen, false);
66
-
if (ret < 0)
67
-
goto error_free;
68
-
69
-
prep->data = data;
70
-
prep->datalen = datalen;
71
-
ret = user_preparse(prep);
72
-
prep->data = saved_prep_data;
73
-
prep->datalen = saved_prep_datalen;
74
-
75
-
error_free:
76
-
pkcs7_free_message(pkcs7);
77
-
error:
78
-
kleave(" = %d", ret);
79
-
return ret;
66
+
return verify_pkcs7_signature(NULL, 0,
67
+
prep->data, prep->datalen,
68
+
NULL, usage,
69
+
pkcs7_view_content, prep);
80
70
}
81
71
82
72
/*
+33
-25
crypto/asymmetric_keys/pkcs7_parser.c
+33
-25
crypto/asymmetric_keys/pkcs7_parser.c
···
44
44
static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
45
45
{
46
46
if (sinfo) {
47
-
kfree(sinfo->sig.s);
48
-
kfree(sinfo->sig.digest);
49
-
kfree(sinfo->signing_cert_id);
47
+
public_key_signature_free(sinfo->sig);
50
48
kfree(sinfo);
51
49
}
52
50
}
···
123
125
ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
124
126
if (!ctx->sinfo)
125
127
goto out_no_sinfo;
128
+
ctx->sinfo->sig = kzalloc(sizeof(struct public_key_signature),
129
+
GFP_KERNEL);
130
+
if (!ctx->sinfo->sig)
131
+
goto out_no_sig;
126
132
127
133
ctx->data = (unsigned long)data;
128
134
ctx->ppcerts = &ctx->certs;
···
152
150
ctx->certs = cert->next;
153
151
x509_free_certificate(cert);
154
152
}
153
+
out_no_sig:
155
154
pkcs7_free_signed_info(ctx->sinfo);
156
155
out_no_sinfo:
157
156
pkcs7_free_message(ctx->msg);
···
168
165
* @pkcs7: The preparsed PKCS#7 message to access
169
166
* @_data: Place to return a pointer to the data
170
167
* @_data_len: Place to return the data length
171
-
* @want_wrapper: True if the ASN.1 object header should be included in the data
168
+
* @_headerlen: Size of ASN.1 header not included in _data
172
169
*
173
-
* Get access to the data content of the PKCS#7 message, including, optionally,
174
-
* the header of the ASN.1 object that contains it. Returns -ENODATA if the
175
-
* data object was missing from the message.
170
+
* Get access to the data content of the PKCS#7 message. The size of the
171
+
* header of the ASN.1 object that contains it is also provided and can be used
172
+
* to adjust *_data and *_data_len to get the entire object.
173
+
*
174
+
* Returns -ENODATA if the data object was missing from the message.
176
175
*/
177
176
int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
178
177
const void **_data, size_t *_data_len,
179
-
bool want_wrapper)
178
+
size_t *_headerlen)
180
179
{
181
-
size_t wrapper;
182
-
183
180
if (!pkcs7->data)
184
181
return -ENODATA;
185
182
186
-
wrapper = want_wrapper ? pkcs7->data_hdrlen : 0;
187
-
*_data = pkcs7->data - wrapper;
188
-
*_data_len = pkcs7->data_len + wrapper;
183
+
*_data = pkcs7->data;
184
+
*_data_len = pkcs7->data_len;
185
+
if (_headerlen)
186
+
*_headerlen = pkcs7->data_hdrlen;
189
187
return 0;
190
188
}
191
189
EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
···
222
218
223
219
switch (ctx->last_oid) {
224
220
case OID_md4:
225
-
ctx->sinfo->sig.hash_algo = "md4";
221
+
ctx->sinfo->sig->hash_algo = "md4";
226
222
break;
227
223
case OID_md5:
228
-
ctx->sinfo->sig.hash_algo = "md5";
224
+
ctx->sinfo->sig->hash_algo = "md5";
229
225
break;
230
226
case OID_sha1:
231
-
ctx->sinfo->sig.hash_algo = "sha1";
227
+
ctx->sinfo->sig->hash_algo = "sha1";
232
228
break;
233
229
case OID_sha256:
234
-
ctx->sinfo->sig.hash_algo = "sha256";
230
+
ctx->sinfo->sig->hash_algo = "sha256";
235
231
break;
236
232
case OID_sha384:
237
-
ctx->sinfo->sig.hash_algo = "sha384";
233
+
ctx->sinfo->sig->hash_algo = "sha384";
238
234
break;
239
235
case OID_sha512:
240
-
ctx->sinfo->sig.hash_algo = "sha512";
236
+
ctx->sinfo->sig->hash_algo = "sha512";
241
237
break;
242
238
case OID_sha224:
243
-
ctx->sinfo->sig.hash_algo = "sha224";
239
+
ctx->sinfo->sig->hash_algo = "sha224";
244
240
break;
245
241
default:
246
242
printk("Unsupported digest algo: %u\n", ctx->last_oid);
···
260
256
261
257
switch (ctx->last_oid) {
262
258
case OID_rsaEncryption:
263
-
ctx->sinfo->sig.pkey_algo = "rsa";
259
+
ctx->sinfo->sig->pkey_algo = "rsa";
264
260
break;
265
261
default:
266
262
printk("Unsupported pkey algo: %u\n", ctx->last_oid);
···
620
616
{
621
617
struct pkcs7_parse_context *ctx = context;
622
618
623
-
ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
624
-
if (!ctx->sinfo->sig.s)
619
+
ctx->sinfo->sig->s = kmemdup(value, vlen, GFP_KERNEL);
620
+
if (!ctx->sinfo->sig->s)
625
621
return -ENOMEM;
626
622
627
-
ctx->sinfo->sig.s_size = vlen;
623
+
ctx->sinfo->sig->s_size = vlen;
628
624
return 0;
629
625
}
630
626
···
660
656
661
657
pr_devel("SINFO KID: %u [%*phN]\n", kid->len, kid->len, kid->data);
662
658
663
-
sinfo->signing_cert_id = kid;
659
+
sinfo->sig->auth_ids[0] = kid;
664
660
sinfo->index = ++ctx->sinfo_index;
665
661
*ctx->ppsinfo = sinfo;
666
662
ctx->ppsinfo = &sinfo->next;
667
663
ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
668
664
if (!ctx->sinfo)
665
+
return -ENOMEM;
666
+
ctx->sinfo->sig = kzalloc(sizeof(struct public_key_signature),
667
+
GFP_KERNEL);
668
+
if (!ctx->sinfo->sig)
669
669
return -ENOMEM;
670
670
return 0;
671
671
}
+4
-7
crypto/asymmetric_keys/pkcs7_parser.h
+4
-7
crypto/asymmetric_keys/pkcs7_parser.h
···
22
22
struct pkcs7_signed_info *next;
23
23
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
24
24
unsigned index;
25
-
bool trusted;
26
25
bool unsupported_crypto; /* T if not usable due to missing crypto */
27
26
28
27
/* Message digest - the digest of the Content Data (or NULL) */
···
40
41
#define sinfo_has_ms_statement_type 5
41
42
time64_t signing_time;
42
43
43
-
/* Issuing cert serial number and issuer's name [PKCS#7 or CMS ver 1]
44
-
* or issuing cert's SKID [CMS ver 3].
45
-
*/
46
-
struct asymmetric_key_id *signing_cert_id;
47
-
48
44
/* Message signature.
49
45
*
50
46
* This contains the generated digest of _either_ the Content Data or
51
47
* the Authenticated Attributes [RFC2315 9.3]. If the latter, one of
52
48
* the attributes contains the digest of the the Content Data within
53
49
* it.
50
+
*
51
+
* THis also contains the issuing cert serial number and issuer's name
52
+
* [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].
54
53
*/
55
-
struct public_key_signature sig;
54
+
struct public_key_signature *sig;
56
55
};
57
56
58
57
struct pkcs7_message {
+14
-29
crypto/asymmetric_keys/pkcs7_trust.c
+14
-29
crypto/asymmetric_keys/pkcs7_trust.c
···
27
27
struct pkcs7_signed_info *sinfo,
28
28
struct key *trust_keyring)
29
29
{
30
-
struct public_key_signature *sig = &sinfo->sig;
30
+
struct public_key_signature *sig = sinfo->sig;
31
31
struct x509_certificate *x509, *last = NULL, *p;
32
32
struct key *key;
33
-
bool trusted;
34
33
int ret;
35
34
36
35
kenter(",%u,", sinfo->index);
···
41
42
42
43
for (x509 = sinfo->signer; x509; x509 = x509->signer) {
43
44
if (x509->seen) {
44
-
if (x509->verified) {
45
-
trusted = x509->trusted;
45
+
if (x509->verified)
46
46
goto verified;
47
-
}
48
47
kleave(" = -ENOKEY [cached]");
49
48
return -ENOKEY;
50
49
}
···
51
54
/* Look to see if this certificate is present in the trusted
52
55
* keys.
53
56
*/
54
-
key = x509_request_asymmetric_key(trust_keyring,
55
-
x509->id, x509->skid,
56
-
false);
57
+
key = find_asymmetric_key(trust_keyring,
58
+
x509->id, x509->skid, false);
57
59
if (!IS_ERR(key)) {
58
60
/* One of the X.509 certificates in the PKCS#7 message
59
61
* is apparently the same as one we already trust.
···
76
80
77
81
might_sleep();
78
82
last = x509;
79
-
sig = &last->sig;
83
+
sig = last->sig;
80
84
}
81
85
82
86
/* No match - see if the root certificate has a signer amongst the
83
87
* trusted keys.
84
88
*/
85
-
if (last && (last->akid_id || last->akid_skid)) {
86
-
key = x509_request_asymmetric_key(trust_keyring,
87
-
last->akid_id,
88
-
last->akid_skid,
89
-
false);
89
+
if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) {
90
+
key = find_asymmetric_key(trust_keyring,
91
+
last->sig->auth_ids[0],
92
+
last->sig->auth_ids[1],
93
+
false);
90
94
if (!IS_ERR(key)) {
91
95
x509 = last;
92
96
pr_devel("sinfo %u: Root cert %u signer is key %x\n",
···
100
104
/* As a last resort, see if we have a trusted public key that matches
101
105
* the signed info directly.
102
106
*/
103
-
key = x509_request_asymmetric_key(trust_keyring,
104
-
sinfo->signing_cert_id,
105
-
NULL,
106
-
false);
107
+
key = find_asymmetric_key(trust_keyring,
108
+
sinfo->sig->auth_ids[0], NULL, false);
107
109
if (!IS_ERR(key)) {
108
110
pr_devel("sinfo %u: Direct signer is key %x\n",
109
111
sinfo->index, key_serial(key));
···
116
122
117
123
matched:
118
124
ret = verify_signature(key, sig);
119
-
trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);
120
125
key_put(key);
121
126
if (ret < 0) {
122
127
if (ret == -ENOMEM)
···
127
134
verified:
128
135
if (x509) {
129
136
x509->verified = true;
130
-
for (p = sinfo->signer; p != x509; p = p->signer) {
137
+
for (p = sinfo->signer; p != x509; p = p->signer)
131
138
p->verified = true;
132
-
p->trusted = trusted;
133
-
}
134
139
}
135
-
sinfo->trusted = trusted;
136
140
kleave(" = 0");
137
141
return 0;
138
142
}
···
138
148
* pkcs7_validate_trust - Validate PKCS#7 trust chain
139
149
* @pkcs7: The PKCS#7 certificate to validate
140
150
* @trust_keyring: Signing certificates to use as starting points
141
-
* @_trusted: Set to true if trustworth, false otherwise
142
151
*
143
152
* Validate that the certificate chain inside the PKCS#7 message intersects
144
153
* keys we already know and trust.
···
159
170
* May also return -ENOMEM.
160
171
*/
161
172
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
162
-
struct key *trust_keyring,
163
-
bool *_trusted)
173
+
struct key *trust_keyring)
164
174
{
165
175
struct pkcs7_signed_info *sinfo;
166
176
struct x509_certificate *p;
167
177
int cached_ret = -ENOKEY;
168
178
int ret;
169
-
170
-
*_trusted = false;
171
179
172
180
for (p = pkcs7->certs; p; p = p->next)
173
181
p->seen = false;
···
179
193
cached_ret = -ENOPKG;
180
194
continue;
181
195
case 0:
182
-
*_trusted |= sinfo->trusted;
183
196
cached_ret = 0;
184
197
continue;
185
198
default:
+46
-61
crypto/asymmetric_keys/pkcs7_verify.c
+46
-61
crypto/asymmetric_keys/pkcs7_verify.c
···
25
25
static int pkcs7_digest(struct pkcs7_message *pkcs7,
26
26
struct pkcs7_signed_info *sinfo)
27
27
{
28
+
struct public_key_signature *sig = sinfo->sig;
28
29
struct crypto_shash *tfm;
29
30
struct shash_desc *desc;
30
-
size_t digest_size, desc_size;
31
-
void *digest;
31
+
size_t desc_size;
32
32
int ret;
33
33
34
-
kenter(",%u,%s", sinfo->index, sinfo->sig.hash_algo);
34
+
kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo);
35
35
36
-
if (!sinfo->sig.hash_algo)
36
+
if (!sinfo->sig->hash_algo)
37
37
return -ENOPKG;
38
38
39
39
/* Allocate the hashing algorithm we're going to need and find out how
40
40
* big the hash operational data will be.
41
41
*/
42
-
tfm = crypto_alloc_shash(sinfo->sig.hash_algo, 0, 0);
42
+
tfm = crypto_alloc_shash(sinfo->sig->hash_algo, 0, 0);
43
43
if (IS_ERR(tfm))
44
44
return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
45
45
46
46
desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
47
-
sinfo->sig.digest_size = digest_size = crypto_shash_digestsize(tfm);
47
+
sig->digest_size = crypto_shash_digestsize(tfm);
48
48
49
49
ret = -ENOMEM;
50
-
digest = kzalloc(ALIGN(digest_size, __alignof__(*desc)) + desc_size,
51
-
GFP_KERNEL);
52
-
if (!digest)
50
+
sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
51
+
if (!sig->digest)
53
52
goto error_no_desc;
54
53
55
-
desc = PTR_ALIGN(digest + digest_size, __alignof__(*desc));
54
+
desc = kzalloc(desc_size, GFP_KERNEL);
55
+
if (!desc)
56
+
goto error_no_desc;
57
+
56
58
desc->tfm = tfm;
57
59
desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
58
60
···
62
60
ret = crypto_shash_init(desc);
63
61
if (ret < 0)
64
62
goto error;
65
-
ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len, digest);
63
+
ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len,
64
+
sig->digest);
66
65
if (ret < 0)
67
66
goto error;
68
-
pr_devel("MsgDigest = [%*ph]\n", 8, digest);
67
+
pr_devel("MsgDigest = [%*ph]\n", 8, sig->digest);
69
68
70
69
/* However, if there are authenticated attributes, there must be a
71
70
* message digest attribute amongst them which corresponds to the
···
81
78
goto error;
82
79
}
83
80
84
-
if (sinfo->msgdigest_len != sinfo->sig.digest_size) {
81
+
if (sinfo->msgdigest_len != sig->digest_size) {
85
82
pr_debug("Sig %u: Invalid digest size (%u)\n",
86
83
sinfo->index, sinfo->msgdigest_len);
87
84
ret = -EBADMSG;
88
85
goto error;
89
86
}
90
87
91
-
if (memcmp(digest, sinfo->msgdigest, sinfo->msgdigest_len) != 0) {
88
+
if (memcmp(sig->digest, sinfo->msgdigest,
89
+
sinfo->msgdigest_len) != 0) {
92
90
pr_debug("Sig %u: Message digest doesn't match\n",
93
91
sinfo->index);
94
92
ret = -EKEYREJECTED;
···
101
97
* convert the attributes from a CONT.0 into a SET before we
102
98
* hash it.
103
99
*/
104
-
memset(digest, 0, sinfo->sig.digest_size);
100
+
memset(sig->digest, 0, sig->digest_size);
105
101
106
102
ret = crypto_shash_init(desc);
107
103
if (ret < 0)
···
111
107
if (ret < 0)
112
108
goto error;
113
109
ret = crypto_shash_finup(desc, sinfo->authattrs,
114
-
sinfo->authattrs_len, digest);
110
+
sinfo->authattrs_len, sig->digest);
115
111
if (ret < 0)
116
112
goto error;
117
-
pr_devel("AADigest = [%*ph]\n", 8, digest);
113
+
pr_devel("AADigest = [%*ph]\n", 8, sig->digest);
118
114
}
119
115
120
-
sinfo->sig.digest = digest;
121
-
digest = NULL;
122
-
123
116
error:
124
-
kfree(digest);
117
+
kfree(desc);
125
118
error_no_desc:
126
119
crypto_free_shash(tfm);
127
120
kleave(" = %d", ret);
···
145
144
* PKCS#7 message - but I can't be 100% sure of that. It's
146
145
* possible this will need element-by-element comparison.
147
146
*/
148
-
if (!asymmetric_key_id_same(x509->id, sinfo->signing_cert_id))
147
+
if (!asymmetric_key_id_same(x509->id, sinfo->sig->auth_ids[0]))
149
148
continue;
150
149
pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
151
150
sinfo->index, certix);
152
151
153
-
if (x509->pub->pkey_algo != sinfo->sig.pkey_algo) {
152
+
if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) {
154
153
pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
155
154
sinfo->index);
156
155
continue;
···
165
164
*/
166
165
pr_debug("Sig %u: Issuing X.509 cert not found (#%*phN)\n",
167
166
sinfo->index,
168
-
sinfo->signing_cert_id->len, sinfo->signing_cert_id->data);
167
+
sinfo->sig->auth_ids[0]->len, sinfo->sig->auth_ids[0]->data);
169
168
return 0;
170
169
}
171
170
···
175
174
static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
176
175
struct pkcs7_signed_info *sinfo)
177
176
{
177
+
struct public_key_signature *sig;
178
178
struct x509_certificate *x509 = sinfo->signer, *p;
179
179
struct asymmetric_key_id *auth;
180
180
int ret;
···
190
188
x509->subject,
191
189
x509->raw_serial_size, x509->raw_serial);
192
190
x509->seen = true;
193
-
ret = x509_get_sig_params(x509);
194
-
if (ret < 0)
195
-
goto maybe_missing_crypto_in_x509;
191
+
if (x509->unsupported_key)
192
+
goto unsupported_crypto_in_x509;
196
193
197
194
pr_debug("- issuer %s\n", x509->issuer);
198
-
if (x509->akid_id)
195
+
sig = x509->sig;
196
+
if (sig->auth_ids[0])
199
197
pr_debug("- authkeyid.id %*phN\n",
200
-
x509->akid_id->len, x509->akid_id->data);
201
-
if (x509->akid_skid)
198
+
sig->auth_ids[0]->len, sig->auth_ids[0]->data);
199
+
if (sig->auth_ids[1])
202
200
pr_debug("- authkeyid.skid %*phN\n",
203
-
x509->akid_skid->len, x509->akid_skid->data);
201
+
sig->auth_ids[1]->len, sig->auth_ids[1]->data);
204
202
205
-
if ((!x509->akid_id && !x509->akid_skid) ||
206
-
strcmp(x509->subject, x509->issuer) == 0) {
203
+
if (x509->self_signed) {
207
204
/* If there's no authority certificate specified, then
208
205
* the certificate must be self-signed and is the root
209
206
* of the chain. Likewise if the cert is its own
210
207
* authority.
211
208
*/
212
-
pr_debug("- no auth?\n");
213
-
if (x509->raw_subject_size != x509->raw_issuer_size ||
214
-
memcmp(x509->raw_subject, x509->raw_issuer,
215
-
x509->raw_issuer_size) != 0)
216
-
return 0;
217
-
218
-
ret = x509_check_signature(x509->pub, x509);
219
-
if (ret < 0)
220
-
goto maybe_missing_crypto_in_x509;
209
+
if (x509->unsupported_sig)
210
+
goto unsupported_crypto_in_x509;
221
211
x509->signer = x509;
222
212
pr_debug("- self-signed\n");
223
213
return 0;
···
218
224
/* Look through the X.509 certificates in the PKCS#7 message's
219
225
* list to see if the next one is there.
220
226
*/
221
-
auth = x509->akid_id;
227
+
auth = sig->auth_ids[0];
222
228
if (auth) {
223
229
pr_debug("- want %*phN\n", auth->len, auth->data);
224
230
for (p = pkcs7->certs; p; p = p->next) {
···
228
234
goto found_issuer_check_skid;
229
235
}
230
236
} else {
231
-
auth = x509->akid_skid;
237
+
auth = sig->auth_ids[1];
232
238
pr_debug("- want %*phN\n", auth->len, auth->data);
233
239
for (p = pkcs7->certs; p; p = p->next) {
234
240
if (!p->skid)
···
248
254
/* We matched issuer + serialNumber, but if there's an
249
255
* authKeyId.keyId, that must match the CA subjKeyId also.
250
256
*/
251
-
if (x509->akid_skid &&
252
-
!asymmetric_key_id_same(p->skid, x509->akid_skid)) {
257
+
if (sig->auth_ids[1] &&
258
+
!asymmetric_key_id_same(p->skid, sig->auth_ids[1])) {
253
259
pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u)\n",
254
260
sinfo->index, x509->index, p->index);
255
261
return -EKEYREJECTED;
···
261
267
sinfo->index);
262
268
return 0;
263
269
}
264
-
ret = x509_check_signature(p->pub, x509);
270
+
ret = public_key_verify_signature(p->pub, p->sig);
265
271
if (ret < 0)
266
272
return ret;
267
273
x509->signer = p;
···
273
279
might_sleep();
274
280
}
275
281
276
-
maybe_missing_crypto_in_x509:
282
+
unsupported_crypto_in_x509:
277
283
/* Just prune the certificate chain at this point if we lack some
278
284
* crypto module to go further. Note, however, we don't want to set
279
-
* sinfo->missing_crypto as the signed info block may still be
285
+
* sinfo->unsupported_crypto as the signed info block may still be
280
286
* validatable against an X.509 cert lower in the chain that we have a
281
287
* trusted copy of.
282
288
*/
283
-
if (ret == -ENOPKG)
284
-
return 0;
285
-
return ret;
289
+
return 0;
286
290
}
287
291
288
292
/*
···
324
332
}
325
333
326
334
/* Verify the PKCS#7 binary against the key */
327
-
ret = public_key_verify_signature(sinfo->signer->pub, &sinfo->sig);
335
+
ret = public_key_verify_signature(sinfo->signer->pub, sinfo->sig);
328
336
if (ret < 0)
329
337
return ret;
330
338
···
367
375
enum key_being_used_for usage)
368
376
{
369
377
struct pkcs7_signed_info *sinfo;
370
-
struct x509_certificate *x509;
371
378
int enopkg = -ENOPKG;
372
-
int ret, n;
379
+
int ret;
373
380
374
381
kenter("");
375
382
···
408
417
break;
409
418
default:
410
419
return -EINVAL;
411
-
}
412
-
413
-
for (n = 0, x509 = pkcs7->certs; x509; x509 = x509->next, n++) {
414
-
ret = x509_get_sig_params(x509);
415
-
if (ret < 0)
416
-
return ret;
417
420
}
418
421
419
422
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+14
-6
crypto/asymmetric_keys/public_key.c
+14
-6
crypto/asymmetric_keys/public_key.c
···
39
39
/*
40
40
* Destroy a public key algorithm key.
41
41
*/
42
-
void public_key_destroy(void *payload)
42
+
void public_key_free(struct public_key *key)
43
43
{
44
-
struct public_key *key = payload;
45
-
46
-
if (key)
44
+
if (key) {
47
45
kfree(key->key);
48
-
kfree(key);
46
+
kfree(key);
47
+
}
49
48
}
50
-
EXPORT_SYMBOL_GPL(public_key_destroy);
49
+
EXPORT_SYMBOL_GPL(public_key_free);
50
+
51
+
/*
52
+
* Destroy a public key algorithm key.
53
+
*/
54
+
static void public_key_destroy(void *payload0, void *payload3)
55
+
{
56
+
public_key_free(payload0);
57
+
public_key_signature_free(payload3);
58
+
}
51
59
52
60
struct public_key_completion {
53
61
struct completion completion;
+108
crypto/asymmetric_keys/restrict.c
+108
crypto/asymmetric_keys/restrict.c
···
1
+
/* Instantiate a public key crypto key from an X.509 Certificate
2
+
*
3
+
* Copyright (C) 2012, 2016 Red Hat, Inc. All Rights Reserved.
4
+
* Written by David Howells (dhowells@redhat.com)
5
+
*
6
+
* This program is free software; you can redistribute it and/or
7
+
* modify it under the terms of the GNU General Public Licence
8
+
* as published by the Free Software Foundation; either version
9
+
* 2 of the Licence, or (at your option) any later version.
10
+
*/
11
+
12
+
#define pr_fmt(fmt) "ASYM: "fmt
13
+
#include <linux/module.h>
14
+
#include <linux/kernel.h>
15
+
#include <linux/err.h>
16
+
#include <crypto/public_key.h>
17
+
#include "asymmetric_keys.h"
18
+
19
+
static bool use_builtin_keys;
20
+
static struct asymmetric_key_id *ca_keyid;
21
+
22
+
#ifndef MODULE
23
+
static struct {
24
+
struct asymmetric_key_id id;
25
+
unsigned char data[10];
26
+
} cakey;
27
+
28
+
static int __init ca_keys_setup(char *str)
29
+
{
30
+
if (!str) /* default system keyring */
31
+
return 1;
32
+
33
+
if (strncmp(str, "id:", 3) == 0) {
34
+
struct asymmetric_key_id *p = &cakey.id;
35
+
size_t hexlen = (strlen(str) - 3) / 2;
36
+
int ret;
37
+
38
+
if (hexlen == 0 || hexlen > sizeof(cakey.data)) {
39
+
pr_err("Missing or invalid ca_keys id\n");
40
+
return 1;
41
+
}
42
+
43
+
ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen);
44
+
if (ret < 0)
45
+
pr_err("Unparsable ca_keys id hex string\n");
46
+
else
47
+
ca_keyid = p; /* owner key 'id:xxxxxx' */
48
+
} else if (strcmp(str, "builtin") == 0) {
49
+
use_builtin_keys = true;
50
+
}
51
+
52
+
return 1;
53
+
}
54
+
__setup("ca_keys=", ca_keys_setup);
55
+
#endif
56
+
57
+
/**
58
+
* restrict_link_by_signature - Restrict additions to a ring of public keys
59
+
* @trust_keyring: A ring of keys that can be used to vouch for the new cert.
60
+
* @type: The type of key being added.
61
+
* @payload: The payload of the new key.
62
+
*
63
+
* Check the new certificate against the ones in the trust keyring. If one of
64
+
* those is the signing key and validates the new certificate, then mark the
65
+
* new certificate as being trusted.
66
+
*
67
+
* Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a
68
+
* matching parent certificate in the trusted list, -EKEYREJECTED if the
69
+
* signature check fails or the key is blacklisted and some other error if
70
+
* there is a matching certificate but the signature check cannot be performed.
71
+
*/
72
+
int restrict_link_by_signature(struct key *trust_keyring,
73
+
const struct key_type *type,
74
+
const union key_payload *payload)
75
+
{
76
+
const struct public_key_signature *sig;
77
+
struct key *key;
78
+
int ret;
79
+
80
+
pr_devel("==>%s()\n", __func__);
81
+
82
+
if (!trust_keyring)
83
+
return -ENOKEY;
84
+
85
+
if (type != &key_type_asymmetric)
86
+
return -EOPNOTSUPP;
87
+
88
+
sig = payload->data[asym_auth];
89
+
if (!sig->auth_ids[0] && !sig->auth_ids[1])
90
+
return 0;
91
+
92
+
if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
93
+
return -EPERM;
94
+
95
+
/* See if we have a key that signed this one. */
96
+
key = find_asymmetric_key(trust_keyring,
97
+
sig->auth_ids[0], sig->auth_ids[1],
98
+
false);
99
+
if (IS_ERR(key))
100
+
return -ENOKEY;
101
+
102
+
if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
103
+
ret = -ENOKEY;
104
+
else
105
+
ret = verify_signature(key, sig);
106
+
key_put(key);
107
+
return ret;
108
+
}
+18
crypto/asymmetric_keys/signature.c
+18
crypto/asymmetric_keys/signature.c
···
15
15
#include <keys/asymmetric-subtype.h>
16
16
#include <linux/export.h>
17
17
#include <linux/err.h>
18
+
#include <linux/slab.h>
18
19
#include <crypto/public_key.h>
19
20
#include "asymmetric_keys.h"
21
+
22
+
/*
23
+
* Destroy a public key signature.
24
+
*/
25
+
void public_key_signature_free(struct public_key_signature *sig)
26
+
{
27
+
int i;
28
+
29
+
if (sig) {
30
+
for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
31
+
kfree(sig->auth_ids[i]);
32
+
kfree(sig->s);
33
+
kfree(sig->digest);
34
+
kfree(sig);
35
+
}
36
+
}
37
+
EXPORT_SYMBOL_GPL(public_key_signature_free);
20
38
21
39
/**
22
40
* verify_signature - Initiate the use of an asymmetric key to verify a signature
+9
-31
crypto/asymmetric_keys/verify_pefile.c
+9
-31
crypto/asymmetric_keys/verify_pefile.c
···
16
16
#include <linux/err.h>
17
17
#include <linux/pe.h>
18
18
#include <linux/asn1.h>
19
-
#include <crypto/pkcs7.h>
19
+
#include <linux/verification.h>
20
20
#include <crypto/hash.h>
21
21
#include "verify_pefile.h"
22
22
···
392
392
* verify_pefile_signature - Verify the signature on a PE binary image
393
393
* @pebuf: Buffer containing the PE binary image
394
394
* @pelen: Length of the binary image
395
-
* @trust_keyring: Signing certificates to use as starting points
395
+
* @trust_keys: Signing certificate(s) to use as starting points
396
396
* @usage: The use to which the key is being put.
397
-
* @_trusted: Set to true if trustworth, false otherwise
398
397
*
399
398
* Validate that the certificate chain inside the PKCS#7 message inside the PE
400
399
* binary image intersects keys we already know and trust.
···
417
418
* May also return -ENOMEM.
418
419
*/
419
420
int verify_pefile_signature(const void *pebuf, unsigned pelen,
420
-
struct key *trusted_keyring,
421
-
enum key_being_used_for usage,
422
-
bool *_trusted)
421
+
struct key *trusted_keys,
422
+
enum key_being_used_for usage)
423
423
{
424
-
struct pkcs7_message *pkcs7;
425
424
struct pefile_context ctx;
426
-
const void *data;
427
-
size_t datalen;
428
425
int ret;
429
426
430
427
kenter("");
···
434
439
if (ret < 0)
435
440
return ret;
436
441
437
-
pkcs7 = pkcs7_parse_message(pebuf + ctx.sig_offset, ctx.sig_len);
438
-
if (IS_ERR(pkcs7))
439
-
return PTR_ERR(pkcs7);
440
-
ctx.pkcs7 = pkcs7;
441
-
442
-
ret = pkcs7_get_content_data(ctx.pkcs7, &data, &datalen, false);
443
-
if (ret < 0 || datalen == 0) {
444
-
pr_devel("PKCS#7 message does not contain data\n");
445
-
ret = -EBADMSG;
446
-
goto error;
447
-
}
448
-
449
-
ret = mscode_parse(&ctx);
442
+
ret = verify_pkcs7_signature(NULL, 0,
443
+
pebuf + ctx.sig_offset, ctx.sig_len,
444
+
trusted_keys, usage,
445
+
mscode_parse, &ctx);
450
446
if (ret < 0)
451
447
goto error;
452
448
···
448
462
* contents.
449
463
*/
450
464
ret = pefile_digest_pe(pebuf, pelen, &ctx);
451
-
if (ret < 0)
452
-
goto error;
453
-
454
-
ret = pkcs7_verify(pkcs7, usage);
455
-
if (ret < 0)
456
-
goto error;
457
-
458
-
ret = pkcs7_validate_trust(pkcs7, trusted_keyring, _trusted);
459
465
460
466
error:
461
-
pkcs7_free_message(ctx.pkcs7);
467
+
kfree(ctx.digest);
462
468
return ret;
463
469
}
+2
-3
crypto/asymmetric_keys/verify_pefile.h
+2
-3
crypto/asymmetric_keys/verify_pefile.h
···
9
9
* 2 of the Licence, or (at your option) any later version.
10
10
*/
11
11
12
-
#include <linux/verify_pefile.h>
13
12
#include <crypto/pkcs7.h>
14
13
#include <crypto/hash_info.h>
15
14
···
22
23
unsigned sig_offset;
23
24
unsigned sig_len;
24
25
const struct section_header *secs;
25
-
struct pkcs7_message *pkcs7;
26
26
27
27
/* PKCS#7 MS Individual Code Signing content */
28
28
const void *digest; /* Digest */
···
37
39
/*
38
40
* mscode_parser.c
39
41
*/
40
-
extern int mscode_parse(struct pefile_context *ctx);
42
+
extern int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
43
+
size_t asn1hdrlen);
+31
-21
crypto/asymmetric_keys/x509_cert_parser.c
+31
-21
crypto/asymmetric_keys/x509_cert_parser.c
···
47
47
void x509_free_certificate(struct x509_certificate *cert)
48
48
{
49
49
if (cert) {
50
-
public_key_destroy(cert->pub);
50
+
public_key_free(cert->pub);
51
+
public_key_signature_free(cert->sig);
51
52
kfree(cert->issuer);
52
53
kfree(cert->subject);
53
54
kfree(cert->id);
54
55
kfree(cert->skid);
55
-
kfree(cert->akid_id);
56
-
kfree(cert->akid_skid);
57
-
kfree(cert->sig.digest);
58
-
kfree(cert->sig.s);
59
56
kfree(cert);
60
57
}
61
58
}
···
74
77
goto error_no_cert;
75
78
cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL);
76
79
if (!cert->pub)
80
+
goto error_no_ctx;
81
+
cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL);
82
+
if (!cert->sig)
77
83
goto error_no_ctx;
78
84
ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL);
79
85
if (!ctx)
···
108
108
109
109
cert->pub->keylen = ctx->key_size;
110
110
111
+
/* Grab the signature bits */
112
+
ret = x509_get_sig_params(cert);
113
+
if (ret < 0)
114
+
goto error_decode;
115
+
111
116
/* Generate cert issuer + serial number key ID */
112
117
kid = asymmetric_key_generate_id(cert->raw_serial,
113
118
cert->raw_serial_size,
···
123
118
goto error_decode;
124
119
}
125
120
cert->id = kid;
121
+
122
+
/* Detect self-signed certificates */
123
+
ret = x509_check_for_self_signed(cert);
124
+
if (ret < 0)
125
+
goto error_decode;
126
126
127
127
kfree(ctx);
128
128
return cert;
···
198
188
return -ENOPKG; /* Unsupported combination */
199
189
200
190
case OID_md4WithRSAEncryption:
201
-
ctx->cert->sig.hash_algo = "md4";
202
-
ctx->cert->sig.pkey_algo = "rsa";
191
+
ctx->cert->sig->hash_algo = "md4";
192
+
ctx->cert->sig->pkey_algo = "rsa";
203
193
break;
204
194
205
195
case OID_sha1WithRSAEncryption:
206
-
ctx->cert->sig.hash_algo = "sha1";
207
-
ctx->cert->sig.pkey_algo = "rsa";
196
+
ctx->cert->sig->hash_algo = "sha1";
197
+
ctx->cert->sig->pkey_algo = "rsa";
208
198
break;
209
199
210
200
case OID_sha256WithRSAEncryption:
211
-
ctx->cert->sig.hash_algo = "sha256";
212
-
ctx->cert->sig.pkey_algo = "rsa";
201
+
ctx->cert->sig->hash_algo = "sha256";
202
+
ctx->cert->sig->pkey_algo = "rsa";
213
203
break;
214
204
215
205
case OID_sha384WithRSAEncryption:
216
-
ctx->cert->sig.hash_algo = "sha384";
217
-
ctx->cert->sig.pkey_algo = "rsa";
206
+
ctx->cert->sig->hash_algo = "sha384";
207
+
ctx->cert->sig->pkey_algo = "rsa";
218
208
break;
219
209
220
210
case OID_sha512WithRSAEncryption:
221
-
ctx->cert->sig.hash_algo = "sha512";
222
-
ctx->cert->sig.pkey_algo = "rsa";
211
+
ctx->cert->sig->hash_algo = "sha512";
212
+
ctx->cert->sig->pkey_algo = "rsa";
223
213
break;
224
214
225
215
case OID_sha224WithRSAEncryption:
226
-
ctx->cert->sig.hash_algo = "sha224";
227
-
ctx->cert->sig.pkey_algo = "rsa";
216
+
ctx->cert->sig->hash_algo = "sha224";
217
+
ctx->cert->sig->pkey_algo = "rsa";
228
218
break;
229
219
}
230
220
···
582
572
583
573
pr_debug("AKID: keyid: %*phN\n", (int)vlen, value);
584
574
585
-
if (ctx->cert->akid_skid)
575
+
if (ctx->cert->sig->auth_ids[1])
586
576
return 0;
587
577
588
578
kid = asymmetric_key_generate_id(value, vlen, "", 0);
589
579
if (IS_ERR(kid))
590
580
return PTR_ERR(kid);
591
581
pr_debug("authkeyid %*phN\n", kid->len, kid->data);
592
-
ctx->cert->akid_skid = kid;
582
+
ctx->cert->sig->auth_ids[1] = kid;
593
583
return 0;
594
584
}
595
585
···
621
611
622
612
pr_debug("AKID: serial: %*phN\n", (int)vlen, value);
623
613
624
-
if (!ctx->akid_raw_issuer || ctx->cert->akid_id)
614
+
if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0])
625
615
return 0;
626
616
627
617
kid = asymmetric_key_generate_id(value,
···
632
622
return PTR_ERR(kid);
633
623
634
624
pr_debug("authkeyid %*phN\n", kid->len, kid->data);
635
-
ctx->cert->akid_id = kid;
625
+
ctx->cert->sig->auth_ids[0] = kid;
636
626
return 0;
637
627
}
+5
-7
crypto/asymmetric_keys/x509_parser.h
+5
-7
crypto/asymmetric_keys/x509_parser.h
···
17
17
struct x509_certificate *next;
18
18
struct x509_certificate *signer; /* Certificate that signed this one */
19
19
struct public_key *pub; /* Public key details */
20
-
struct public_key_signature sig; /* Signature parameters */
20
+
struct public_key_signature *sig; /* Signature parameters */
21
21
char *issuer; /* Name of certificate issuer */
22
22
char *subject; /* Name of certificate subject */
23
23
struct asymmetric_key_id *id; /* Issuer + Serial number */
24
24
struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */
25
-
struct asymmetric_key_id *akid_id; /* CA AuthKeyId matching ->id (optional) */
26
-
struct asymmetric_key_id *akid_skid; /* CA AuthKeyId matching ->skid (optional) */
27
25
time64_t valid_from;
28
26
time64_t valid_to;
29
27
const void *tbs; /* Signed data */
···
39
41
unsigned index;
40
42
bool seen; /* Infinite recursion prevention */
41
43
bool verified;
42
-
bool trusted;
43
-
bool unsupported_crypto; /* T if can't be verified due to missing crypto */
44
+
bool self_signed; /* T if self-signed (check unsupported_sig too) */
45
+
bool unsupported_key; /* T if key uses unsupported crypto */
46
+
bool unsupported_sig; /* T if signature uses unsupported crypto */
44
47
};
45
48
46
49
/*
···
57
58
* x509_public_key.c
58
59
*/
59
60
extern int x509_get_sig_params(struct x509_certificate *cert);
60
-
extern int x509_check_signature(const struct public_key *pub,
61
-
struct x509_certificate *cert);
61
+
extern int x509_check_for_self_signed(struct x509_certificate *cert);
+82
-215
crypto/asymmetric_keys/x509_public_key.c
+82
-215
crypto/asymmetric_keys/x509_public_key.c
···
20
20
#include "asymmetric_keys.h"
21
21
#include "x509_parser.h"
22
22
23
-
static bool use_builtin_keys;
24
-
static struct asymmetric_key_id *ca_keyid;
25
-
26
-
#ifndef MODULE
27
-
static struct {
28
-
struct asymmetric_key_id id;
29
-
unsigned char data[10];
30
-
} cakey;
31
-
32
-
static int __init ca_keys_setup(char *str)
33
-
{
34
-
if (!str) /* default system keyring */
35
-
return 1;
36
-
37
-
if (strncmp(str, "id:", 3) == 0) {
38
-
struct asymmetric_key_id *p = &cakey.id;
39
-
size_t hexlen = (strlen(str) - 3) / 2;
40
-
int ret;
41
-
42
-
if (hexlen == 0 || hexlen > sizeof(cakey.data)) {
43
-
pr_err("Missing or invalid ca_keys id\n");
44
-
return 1;
45
-
}
46
-
47
-
ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen);
48
-
if (ret < 0)
49
-
pr_err("Unparsable ca_keys id hex string\n");
50
-
else
51
-
ca_keyid = p; /* owner key 'id:xxxxxx' */
52
-
} else if (strcmp(str, "builtin") == 0) {
53
-
use_builtin_keys = true;
54
-
}
55
-
56
-
return 1;
57
-
}
58
-
__setup("ca_keys=", ca_keys_setup);
59
-
#endif
60
-
61
-
/**
62
-
* x509_request_asymmetric_key - Request a key by X.509 certificate params.
63
-
* @keyring: The keys to search.
64
-
* @id: The issuer & serialNumber to look for or NULL.
65
-
* @skid: The subjectKeyIdentifier to look for or NULL.
66
-
* @partial: Use partial match if true, exact if false.
67
-
*
68
-
* Find a key in the given keyring by identifier. The preferred identifier is
69
-
* the issuer + serialNumber and the fallback identifier is the
70
-
* subjectKeyIdentifier. If both are given, the lookup is by the former, but
71
-
* the latter must also match.
72
-
*/
73
-
struct key *x509_request_asymmetric_key(struct key *keyring,
74
-
const struct asymmetric_key_id *id,
75
-
const struct asymmetric_key_id *skid,
76
-
bool partial)
77
-
{
78
-
struct key *key;
79
-
key_ref_t ref;
80
-
const char *lookup;
81
-
char *req, *p;
82
-
int len;
83
-
84
-
if (id) {
85
-
lookup = id->data;
86
-
len = id->len;
87
-
} else {
88
-
lookup = skid->data;
89
-
len = skid->len;
90
-
}
91
-
92
-
/* Construct an identifier "id:<keyid>". */
93
-
p = req = kmalloc(2 + 1 + len * 2 + 1, GFP_KERNEL);
94
-
if (!req)
95
-
return ERR_PTR(-ENOMEM);
96
-
97
-
if (partial) {
98
-
*p++ = 'i';
99
-
*p++ = 'd';
100
-
} else {
101
-
*p++ = 'e';
102
-
*p++ = 'x';
103
-
}
104
-
*p++ = ':';
105
-
p = bin2hex(p, lookup, len);
106
-
*p = 0;
107
-
108
-
pr_debug("Look up: \"%s\"\n", req);
109
-
110
-
ref = keyring_search(make_key_ref(keyring, 1),
111
-
&key_type_asymmetric, req);
112
-
if (IS_ERR(ref))
113
-
pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref));
114
-
kfree(req);
115
-
116
-
if (IS_ERR(ref)) {
117
-
switch (PTR_ERR(ref)) {
118
-
/* Hide some search errors */
119
-
case -EACCES:
120
-
case -ENOTDIR:
121
-
case -EAGAIN:
122
-
return ERR_PTR(-ENOKEY);
123
-
default:
124
-
return ERR_CAST(ref);
125
-
}
126
-
}
127
-
128
-
key = key_ref_to_ptr(ref);
129
-
if (id && skid) {
130
-
const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
131
-
if (!kids->id[1]) {
132
-
pr_debug("issuer+serial match, but expected SKID missing\n");
133
-
goto reject;
134
-
}
135
-
if (!asymmetric_key_id_same(skid, kids->id[1])) {
136
-
pr_debug("issuer+serial match, but SKID does not\n");
137
-
goto reject;
138
-
}
139
-
}
140
-
141
-
pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key));
142
-
return key;
143
-
144
-
reject:
145
-
key_put(key);
146
-
return ERR_PTR(-EKEYREJECTED);
147
-
}
148
-
EXPORT_SYMBOL_GPL(x509_request_asymmetric_key);
149
-
150
23
/*
151
24
* Set up the signature parameters in an X.509 certificate. This involves
152
25
* digesting the signed data and extracting the signature.
153
26
*/
154
27
int x509_get_sig_params(struct x509_certificate *cert)
155
28
{
29
+
struct public_key_signature *sig = cert->sig;
156
30
struct crypto_shash *tfm;
157
31
struct shash_desc *desc;
158
-
size_t digest_size, desc_size;
159
-
void *digest;
32
+
size_t desc_size;
160
33
int ret;
161
34
162
35
pr_devel("==>%s()\n", __func__);
163
36
164
-
if (cert->unsupported_crypto)
165
-
return -ENOPKG;
166
-
if (cert->sig.s)
167
-
return 0;
37
+
if (!cert->pub->pkey_algo)
38
+
cert->unsupported_key = true;
168
39
169
-
cert->sig.s = kmemdup(cert->raw_sig, cert->raw_sig_size,
170
-
GFP_KERNEL);
171
-
if (!cert->sig.s)
40
+
if (!sig->pkey_algo)
41
+
cert->unsupported_sig = true;
42
+
43
+
/* We check the hash if we can - even if we can't then verify it */
44
+
if (!sig->hash_algo) {
45
+
cert->unsupported_sig = true;
46
+
return 0;
47
+
}
48
+
49
+
sig->s = kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL);
50
+
if (!sig->s)
172
51
return -ENOMEM;
173
52
174
-
cert->sig.s_size = cert->raw_sig_size;
53
+
sig->s_size = cert->raw_sig_size;
175
54
176
55
/* Allocate the hashing algorithm we're going to need and find out how
177
56
* big the hash operational data will be.
178
57
*/
179
-
tfm = crypto_alloc_shash(cert->sig.hash_algo, 0, 0);
58
+
tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
180
59
if (IS_ERR(tfm)) {
181
60
if (PTR_ERR(tfm) == -ENOENT) {
182
-
cert->unsupported_crypto = true;
183
-
return -ENOPKG;
61
+
cert->unsupported_sig = true;
62
+
return 0;
184
63
}
185
64
return PTR_ERR(tfm);
186
65
}
187
66
188
67
desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
189
-
digest_size = crypto_shash_digestsize(tfm);
68
+
sig->digest_size = crypto_shash_digestsize(tfm);
190
69
191
-
/* We allocate the hash operational data storage on the end of the
192
-
* digest storage space.
193
-
*/
194
70
ret = -ENOMEM;
195
-
digest = kzalloc(ALIGN(digest_size, __alignof__(*desc)) + desc_size,
196
-
GFP_KERNEL);
197
-
if (!digest)
71
+
sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
72
+
if (!sig->digest)
198
73
goto error;
199
74
200
-
cert->sig.digest = digest;
201
-
cert->sig.digest_size = digest_size;
75
+
desc = kzalloc(desc_size, GFP_KERNEL);
76
+
if (!desc)
77
+
goto error;
202
78
203
-
desc = PTR_ALIGN(digest + digest_size, __alignof__(*desc));
204
79
desc->tfm = tfm;
205
80
desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
206
81
207
82
ret = crypto_shash_init(desc);
208
83
if (ret < 0)
209
-
goto error;
84
+
goto error_2;
210
85
might_sleep();
211
-
ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, digest);
86
+
ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest);
87
+
88
+
error_2:
89
+
kfree(desc);
212
90
error:
213
91
crypto_free_shash(tfm);
214
92
pr_devel("<==%s() = %d\n", __func__, ret);
215
93
return ret;
216
94
}
217
-
EXPORT_SYMBOL_GPL(x509_get_sig_params);
218
95
219
96
/*
220
-
* Check the signature on a certificate using the provided public key
97
+
* Check for self-signedness in an X.509 cert and if found, check the signature
98
+
* immediately if we can.
221
99
*/
222
-
int x509_check_signature(const struct public_key *pub,
223
-
struct x509_certificate *cert)
100
+
int x509_check_for_self_signed(struct x509_certificate *cert)
224
101
{
225
-
int ret;
102
+
int ret = 0;
226
103
227
104
pr_devel("==>%s()\n", __func__);
228
105
229
-
ret = x509_get_sig_params(cert);
230
-
if (ret < 0)
231
-
return ret;
106
+
if (cert->raw_subject_size != cert->raw_issuer_size ||
107
+
memcmp(cert->raw_subject, cert->raw_issuer,
108
+
cert->raw_issuer_size) != 0)
109
+
goto not_self_signed;
232
110
233
-
ret = public_key_verify_signature(pub, &cert->sig);
234
-
if (ret == -ENOPKG)
235
-
cert->unsupported_crypto = true;
236
-
pr_debug("Cert Verification: %d\n", ret);
237
-
return ret;
238
-
}
239
-
EXPORT_SYMBOL_GPL(x509_check_signature);
111
+
if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
112
+
/* If the AKID is present it may have one or two parts. If
113
+
* both are supplied, both must match.
114
+
*/
115
+
bool a = asymmetric_key_id_same(cert->skid, cert->sig->auth_ids[1]);
116
+
bool b = asymmetric_key_id_same(cert->id, cert->sig->auth_ids[0]);
240
117
241
-
/*
242
-
* Check the new certificate against the ones in the trust keyring. If one of
243
-
* those is the signing key and validates the new certificate, then mark the
244
-
* new certificate as being trusted.
245
-
*
246
-
* Return 0 if the new certificate was successfully validated, 1 if we couldn't
247
-
* find a matching parent certificate in the trusted list and an error if there
248
-
* is a matching certificate but the signature check fails.
249
-
*/
250
-
static int x509_validate_trust(struct x509_certificate *cert,
251
-
struct key *trust_keyring)
252
-
{
253
-
struct key *key;
254
-
int ret = 1;
118
+
if (!a && !b)
119
+
goto not_self_signed;
255
120
256
-
if (!trust_keyring)
257
-
return -EOPNOTSUPP;
258
-
259
-
if (ca_keyid && !asymmetric_key_id_partial(cert->akid_skid, ca_keyid))
260
-
return -EPERM;
261
-
262
-
key = x509_request_asymmetric_key(trust_keyring,
263
-
cert->akid_id, cert->akid_skid,
264
-
false);
265
-
if (!IS_ERR(key)) {
266
-
if (!use_builtin_keys
267
-
|| test_bit(KEY_FLAG_BUILTIN, &key->flags))
268
-
ret = x509_check_signature(key->payload.data[asym_crypto],
269
-
cert);
270
-
key_put(key);
121
+
ret = -EKEYREJECTED;
122
+
if (((a && !b) || (b && !a)) &&
123
+
cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
124
+
goto out;
271
125
}
126
+
127
+
ret = -EKEYREJECTED;
128
+
if (cert->pub->pkey_algo != cert->sig->pkey_algo)
129
+
goto out;
130
+
131
+
ret = public_key_verify_signature(cert->pub, cert->sig);
132
+
if (ret < 0) {
133
+
if (ret == -ENOPKG) {
134
+
cert->unsupported_sig = true;
135
+
ret = 0;
136
+
}
137
+
goto out;
138
+
}
139
+
140
+
pr_devel("Cert Self-signature verified");
141
+
cert->self_signed = true;
142
+
143
+
out:
144
+
pr_devel("<==%s() = %d\n", __func__, ret);
272
145
return ret;
146
+
147
+
not_self_signed:
148
+
pr_devel("<==%s() = 0 [not]\n", __func__);
149
+
return 0;
273
150
}
274
151
275
152
/*
···
168
291
pr_devel("Cert Issuer: %s\n", cert->issuer);
169
292
pr_devel("Cert Subject: %s\n", cert->subject);
170
293
171
-
if (!cert->pub->pkey_algo ||
172
-
!cert->sig.pkey_algo ||
173
-
!cert->sig.hash_algo) {
294
+
if (cert->unsupported_key) {
174
295
ret = -ENOPKG;
175
296
goto error_free_cert;
176
297
}
177
298
178
299
pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo);
179
300
pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to);
180
-
pr_devel("Cert Signature: %s + %s\n",
181
-
cert->sig.pkey_algo,
182
-
cert->sig.hash_algo);
183
301
184
302
cert->pub->id_type = "X509";
185
303
186
-
/* Check the signature on the key if it appears to be self-signed */
187
-
if ((!cert->akid_skid && !cert->akid_id) ||
188
-
asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
189
-
asymmetric_key_id_same(cert->id, cert->akid_id)) {
190
-
ret = x509_check_signature(cert->pub, cert); /* self-signed */
191
-
if (ret < 0)
192
-
goto error_free_cert;
193
-
} else if (!prep->trusted) {
194
-
ret = x509_validate_trust(cert, get_system_trusted_keyring());
195
-
if (ret)
196
-
ret = x509_validate_trust(cert, get_ima_mok_keyring());
197
-
if (!ret)
198
-
prep->trusted = 1;
304
+
if (cert->unsupported_sig) {
305
+
public_key_signature_free(cert->sig);
306
+
cert->sig = NULL;
307
+
} else {
308
+
pr_devel("Cert Signature: %s + %s\n",
309
+
cert->sig->pkey_algo, cert->sig->hash_algo);
199
310
}
200
311
201
312
/* Propose a description */
···
218
353
prep->payload.data[asym_subtype] = &public_key_subtype;
219
354
prep->payload.data[asym_key_ids] = kids;
220
355
prep->payload.data[asym_crypto] = cert->pub;
356
+
prep->payload.data[asym_auth] = cert->sig;
221
357
prep->description = desc;
222
358
prep->quotalen = 100;
223
359
···
226
360
cert->pub = NULL;
227
361
cert->id = NULL;
228
362
cert->skid = NULL;
363
+
cert->sig = NULL;
229
364
desc = NULL;
230
365
ret = 0;
231
366
+1
-1
fs/cifs/cifsacl.c
+1
-1
fs/cifs/cifsacl.c
···
360
360
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
361
361
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
362
362
KEY_USR_VIEW | KEY_USR_READ,
363
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
363
+
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
364
364
if (IS_ERR(keyring)) {
365
365
ret = PTR_ERR(keyring);
366
366
goto failed_put_cred;
+21
-8
fs/exec.c
+21
-8
fs/exec.c
···
850
850
if (ret)
851
851
return ret;
852
852
853
+
ret = deny_write_access(file);
854
+
if (ret)
855
+
return ret;
856
+
853
857
i_size = i_size_read(file_inode(file));
854
-
if (max_size > 0 && i_size > max_size)
855
-
return -EFBIG;
856
-
if (i_size <= 0)
857
-
return -EINVAL;
858
+
if (max_size > 0 && i_size > max_size) {
859
+
ret = -EFBIG;
860
+
goto out;
861
+
}
862
+
if (i_size <= 0) {
863
+
ret = -EINVAL;
864
+
goto out;
865
+
}
858
866
859
867
*buf = vmalloc(i_size);
860
-
if (!*buf)
861
-
return -ENOMEM;
868
+
if (!*buf) {
869
+
ret = -ENOMEM;
870
+
goto out;
871
+
}
862
872
863
873
pos = 0;
864
874
while (pos < i_size) {
···
886
876
887
877
if (pos != i_size) {
888
878
ret = -EIO;
889
-
goto out;
879
+
goto out_free;
890
880
}
891
881
892
882
ret = security_kernel_post_read_file(file, *buf, i_size, id);
893
883
if (!ret)
894
884
*size = pos;
895
885
896
-
out:
886
+
out_free:
897
887
if (ret < 0) {
898
888
vfree(*buf);
899
889
*buf = NULL;
900
890
}
891
+
892
+
out:
893
+
allow_write_access(file);
901
894
return ret;
902
895
}
903
896
EXPORT_SYMBOL_GPL(kernel_read_file);
+2
fs/namei.c
+2
fs/namei.c
···
3627
3627
switch (mode & S_IFMT) {
3628
3628
case 0: case S_IFREG:
3629
3629
error = vfs_create(path.dentry->d_inode,dentry,mode,true);
3630
+
if (!error)
3631
+
ima_post_path_mknod(dentry);
3630
3632
break;
3631
3633
case S_IFCHR: case S_IFBLK:
3632
3634
error = vfs_mknod(path.dentry->d_inode,dentry,mode,
+1
-1
fs/nfs/nfs4idmap.c
+1
-1
fs/nfs/nfs4idmap.c
···
201
201
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
202
202
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
203
203
KEY_USR_VIEW | KEY_USR_READ,
204
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
204
+
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
205
205
if (IS_ERR(keyring)) {
206
206
ret = PTR_ERR(keyring);
207
207
goto failed_put_cred;
+3
-3
include/crypto/pkcs7.h
+3
-3
include/crypto/pkcs7.h
···
12
12
#ifndef _CRYPTO_PKCS7_H
13
13
#define _CRYPTO_PKCS7_H
14
14
15
+
#include <linux/verification.h>
15
16
#include <crypto/public_key.h>
16
17
17
18
struct key;
···
27
26
28
27
extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
29
28
const void **_data, size_t *_datalen,
30
-
bool want_wrapper);
29
+
size_t *_headerlen);
31
30
32
31
/*
33
32
* pkcs7_trust.c
34
33
*/
35
34
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
36
-
struct key *trust_keyring,
37
-
bool *_trusted);
35
+
struct key *trust_keyring);
38
36
39
37
/*
40
38
* pkcs7_verify.c
+12
-21
include/crypto/public_key.h
+12
-21
include/crypto/public_key.h
···
15
15
#define _LINUX_PUBLIC_KEY_H
16
16
17
17
/*
18
-
* The use to which an asymmetric key is being put.
19
-
*/
20
-
enum key_being_used_for {
21
-
VERIFYING_MODULE_SIGNATURE,
22
-
VERIFYING_FIRMWARE_SIGNATURE,
23
-
VERIFYING_KEXEC_PE_SIGNATURE,
24
-
VERIFYING_KEY_SIGNATURE,
25
-
VERIFYING_KEY_SELF_SIGNATURE,
26
-
VERIFYING_UNSPECIFIED_SIGNATURE,
27
-
NR__KEY_BEING_USED_FOR
28
-
};
29
-
extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
30
-
31
-
/*
32
18
* Cryptographic data for the public-key subtype of the asymmetric key type.
33
19
*
34
20
* Note that this may include private part of the key as well as the public
···
27
41
const char *pkey_algo;
28
42
};
29
43
30
-
extern void public_key_destroy(void *payload);
44
+
extern void public_key_free(struct public_key *key);
31
45
32
46
/*
33
47
* Public key cryptography signature data
34
48
*/
35
49
struct public_key_signature {
50
+
struct asymmetric_key_id *auth_ids[2];
36
51
u8 *s; /* Signature */
37
52
u32 s_size; /* Number of bytes in signature */
38
53
u8 *digest;
···
42
55
const char *hash_algo;
43
56
};
44
57
58
+
extern void public_key_signature_free(struct public_key_signature *sig);
59
+
45
60
extern struct asymmetric_key_subtype public_key_subtype;
61
+
46
62
struct key;
63
+
struct key_type;
64
+
union key_payload;
65
+
66
+
extern int restrict_link_by_signature(struct key *trust_keyring,
67
+
const struct key_type *type,
68
+
const union key_payload *payload);
69
+
47
70
extern int verify_signature(const struct key *key,
48
71
const struct public_key_signature *sig);
49
-
50
-
struct asymmetric_key_id;
51
-
extern struct key *x509_request_asymmetric_key(struct key *keyring,
52
-
const struct asymmetric_key_id *id,
53
-
const struct asymmetric_key_id *skid,
54
-
bool partial);
55
72
56
73
int public_key_verify_signature(const struct public_key *pkey,
57
74
const struct public_key_signature *sig);
+1
-1
include/keys/asymmetric-subtype.h
+1
-1
include/keys/asymmetric-subtype.h
···
32
32
void (*describe)(const struct key *key, struct seq_file *m);
33
33
34
34
/* Destroy a key of this subtype */
35
-
void (*destroy)(void *payload);
35
+
void (*destroy)(void *payload_crypto, void *payload_auth);
36
36
37
37
/* Verify the signature on a key of this subtype (optional) */
38
38
int (*verify_signature)(const struct key *key,
+10
-3
include/keys/asymmetric-type.h
+10
-3
include/keys/asymmetric-type.h
···
15
15
#define _KEYS_ASYMMETRIC_TYPE_H
16
16
17
17
#include <linux/key-type.h>
18
+
#include <linux/verification.h>
18
19
19
20
extern struct key_type key_type_asymmetric;
20
21
···
24
23
* follows:
25
24
*/
26
25
enum asymmetric_payload_bits {
27
-
asym_crypto,
28
-
asym_subtype,
29
-
asym_key_ids,
26
+
asym_crypto, /* The data representing the key */
27
+
asym_subtype, /* Pointer to an asymmetric_key_subtype struct */
28
+
asym_key_ids, /* Pointer to an asymmetric_key_ids struct */
29
+
asym_auth /* The key's authorisation (signature, parent key ID) */
30
30
};
31
31
32
32
/*
···
75
73
{
76
74
return key->payload.data[asym_key_ids];
77
75
}
76
+
77
+
extern struct key *find_asymmetric_key(struct key *keyring,
78
+
const struct asymmetric_key_id *id_0,
79
+
const struct asymmetric_key_id *id_1,
80
+
bool partial);
78
81
79
82
/*
80
83
* The payload is at the discretion of the subtype.
+15
-26
include/keys/system_keyring.h
+15
-26
include/keys/system_keyring.h
···
12
12
#ifndef _KEYS_SYSTEM_KEYRING_H
13
13
#define _KEYS_SYSTEM_KEYRING_H
14
14
15
+
#include <linux/key.h>
16
+
15
17
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
16
18
17
-
#include <linux/key.h>
18
-
#include <crypto/public_key.h>
19
+
extern int restrict_link_by_builtin_trusted(struct key *keyring,
20
+
const struct key_type *type,
21
+
const union key_payload *payload);
19
22
20
-
extern struct key *system_trusted_keyring;
21
-
static inline struct key *get_system_trusted_keyring(void)
22
-
{
23
-
return system_trusted_keyring;
24
-
}
25
23
#else
26
-
static inline struct key *get_system_trusted_keyring(void)
27
-
{
28
-
return NULL;
29
-
}
24
+
#define restrict_link_by_builtin_trusted restrict_link_reject
30
25
#endif
31
26
32
-
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
33
-
extern int system_verify_data(const void *data, unsigned long len,
34
-
const void *raw_pkcs7, size_t pkcs7_len,
35
-
enum key_being_used_for usage);
27
+
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
28
+
extern int restrict_link_by_builtin_and_secondary_trusted(
29
+
struct key *keyring,
30
+
const struct key_type *type,
31
+
const union key_payload *payload);
32
+
#else
33
+
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
36
34
#endif
37
35
38
-
#ifdef CONFIG_IMA_MOK_KEYRING
39
-
extern struct key *ima_mok_keyring;
36
+
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
40
37
extern struct key *ima_blacklist_keyring;
41
38
42
-
static inline struct key *get_ima_mok_keyring(void)
43
-
{
44
-
return ima_mok_keyring;
45
-
}
46
39
static inline struct key *get_ima_blacklist_keyring(void)
47
40
{
48
41
return ima_blacklist_keyring;
49
42
}
50
43
#else
51
-
static inline struct key *get_ima_mok_keyring(void)
52
-
{
53
-
return NULL;
54
-
}
55
44
static inline struct key *get_ima_blacklist_keyring(void)
56
45
{
57
46
return NULL;
58
47
}
59
-
#endif /* CONFIG_IMA_MOK_KEYRING */
48
+
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
60
49
61
50
62
51
#endif /* _KEYS_SYSTEM_KEYRING_H */
+25
-6
include/linux/fs.h
+25
-6
include/linux/fs.h
···
2634
2634
#endif
2635
2635
extern int do_pipe_flags(int *, int);
2636
2636
2637
+
#define __kernel_read_file_id(id) \
2638
+
id(UNKNOWN, unknown) \
2639
+
id(FIRMWARE, firmware) \
2640
+
id(MODULE, kernel-module) \
2641
+
id(KEXEC_IMAGE, kexec-image) \
2642
+
id(KEXEC_INITRAMFS, kexec-initramfs) \
2643
+
id(POLICY, security-policy) \
2644
+
id(MAX_ID, )
2645
+
2646
+
#define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
2647
+
#define __fid_stringify(dummy, str) #str,
2648
+
2637
2649
enum kernel_read_file_id {
2638
-
READING_FIRMWARE = 1,
2639
-
READING_MODULE,
2640
-
READING_KEXEC_IMAGE,
2641
-
READING_KEXEC_INITRAMFS,
2642
-
READING_POLICY,
2643
-
READING_MAX_ID
2650
+
__kernel_read_file_id(__fid_enumify)
2644
2651
};
2652
+
2653
+
static const char * const kernel_read_file_str[] = {
2654
+
__kernel_read_file_id(__fid_stringify)
2655
+
};
2656
+
2657
+
static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id)
2658
+
{
2659
+
if (id < 0 || id >= READING_MAX_ID)
2660
+
return kernel_read_file_str[READING_UNKNOWN];
2661
+
2662
+
return kernel_read_file_str[id];
2663
+
}
2645
2664
2646
2665
extern int kernel_read(struct file *, loff_t, char *, unsigned long);
2647
2666
extern int kernel_read_file(struct file *, void **, loff_t *, loff_t,
+6
include/linux/ima.h
+6
include/linux/ima.h
···
21
21
extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
22
22
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
23
23
enum kernel_read_file_id id);
24
+
extern void ima_post_path_mknod(struct dentry *dentry);
24
25
25
26
#else
26
27
static inline int ima_bprm_check(struct linux_binprm *bprm)
···
53
52
enum kernel_read_file_id id)
54
53
{
55
54
return 0;
55
+
}
56
+
57
+
static inline void ima_post_path_mknod(struct dentry *dentry)
58
+
{
59
+
return;
56
60
}
57
61
58
62
#endif /* CONFIG_IMA */
-1
include/linux/key-type.h
-1
include/linux/key-type.h
+33
-11
include/linux/key.h
+33
-11
include/linux/key.h
···
173
173
#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
174
174
#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
175
175
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
176
-
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
177
-
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
178
-
#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
179
-
#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
180
-
#define KEY_FLAG_KEEP 12 /* set if key should not be removed */
176
+
#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */
177
+
#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */
178
+
#define KEY_FLAG_KEEP 10 /* set if key should not be removed */
181
179
182
180
/* the key type and key description string
183
181
* - the desc is used to match a key against search criteria
···
203
205
};
204
206
int reject_error;
205
207
};
208
+
209
+
/* This is set on a keyring to restrict the addition of a link to a key
210
+
* to it. If this method isn't provided then it is assumed that the
211
+
* keyring is open to any addition. It is ignored for non-keyring
212
+
* keys.
213
+
*
214
+
* This is intended for use with rings of trusted keys whereby addition
215
+
* to the keyring needs to be controlled. KEY_ALLOC_BYPASS_RESTRICTION
216
+
* overrides this, allowing the kernel to add extra keys without
217
+
* restriction.
218
+
*/
219
+
int (*restrict_link)(struct key *keyring,
220
+
const struct key_type *type,
221
+
const union key_payload *payload);
206
222
};
207
223
208
224
extern struct key *key_alloc(struct key_type *type,
···
224
212
kuid_t uid, kgid_t gid,
225
213
const struct cred *cred,
226
214
key_perm_t perm,
227
-
unsigned long flags);
215
+
unsigned long flags,
216
+
int (*restrict_link)(struct key *,
217
+
const struct key_type *,
218
+
const union key_payload *));
228
219
229
220
230
-
#define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */
231
-
#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
232
-
#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
233
-
#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
234
-
#define KEY_ALLOC_BUILT_IN 0x0008 /* Key is built into kernel */
221
+
#define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */
222
+
#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
223
+
#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
224
+
#define KEY_ALLOC_BUILT_IN 0x0004 /* Key is built into kernel */
225
+
#define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */
235
226
236
227
extern void key_revoke(struct key *key);
237
228
extern void key_invalidate(struct key *key);
···
303
288
const struct cred *cred,
304
289
key_perm_t perm,
305
290
unsigned long flags,
291
+
int (*restrict_link)(struct key *,
292
+
const struct key_type *,
293
+
const union key_payload *),
306
294
struct key *dest);
295
+
296
+
extern int restrict_link_reject(struct key *keyring,
297
+
const struct key_type *type,
298
+
const union key_payload *payload);
307
299
308
300
extern int keyring_clear(struct key *keyring);
309
301
+5
-1
include/linux/lsm_hooks.h
+5
-1
include/linux/lsm_hooks.h
···
1805
1805
struct list_head tun_dev_attach_queue;
1806
1806
struct list_head tun_dev_attach;
1807
1807
struct list_head tun_dev_open;
1808
-
struct list_head skb_owned_by;
1809
1808
#endif /* CONFIG_SECURITY_NETWORK */
1810
1809
#ifdef CONFIG_SECURITY_NETWORK_XFRM
1811
1810
struct list_head xfrm_policy_alloc_security;
···
1892
1893
extern void __init yama_add_hooks(void);
1893
1894
#else
1894
1895
static inline void __init yama_add_hooks(void) { }
1896
+
#endif
1897
+
#ifdef CONFIG_SECURITY_LOADPIN
1898
+
void __init loadpin_add_hooks(void);
1899
+
#else
1900
+
static inline void loadpin_add_hooks(void) { };
1895
1901
#endif
1896
1902
1897
1903
#endif /* ! __LINUX_LSM_HOOKS_H */
+6
include/linux/string_helpers.h
+6
include/linux/string_helpers.h
···
3
3
4
4
#include <linux/types.h>
5
5
6
+
struct file;
7
+
6
8
/* Descriptions of the types of units to
7
9
* print in */
8
10
enum string_size_units {
···
69
67
{
70
68
return string_escape_str(src, dst, sz, ESCAPE_ANY_NP, only);
71
69
}
70
+
71
+
char *kstrdup_quotable(const char *src, gfp_t gfp);
72
+
char *kstrdup_quotable_cmdline(struct task_struct *task, gfp_t gfp);
73
+
char *kstrdup_quotable_file(struct file *file, gfp_t gfp);
72
74
73
75
#endif
+49
include/linux/verification.h
+49
include/linux/verification.h
···
1
+
/* Signature verification
2
+
*
3
+
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4
+
* Written by David Howells (dhowells@redhat.com)
5
+
*
6
+
* This program is free software; you can redistribute it and/or
7
+
* modify it under the terms of the GNU General Public Licence
8
+
* as published by the Free Software Foundation; either version
9
+
* 2 of the Licence, or (at your option) any later version.
10
+
*/
11
+
12
+
#ifndef _LINUX_VERIFICATION_H
13
+
#define _LINUX_VERIFICATION_H
14
+
15
+
/*
16
+
* The use to which an asymmetric key is being put.
17
+
*/
18
+
enum key_being_used_for {
19
+
VERIFYING_MODULE_SIGNATURE,
20
+
VERIFYING_FIRMWARE_SIGNATURE,
21
+
VERIFYING_KEXEC_PE_SIGNATURE,
22
+
VERIFYING_KEY_SIGNATURE,
23
+
VERIFYING_KEY_SELF_SIGNATURE,
24
+
VERIFYING_UNSPECIFIED_SIGNATURE,
25
+
NR__KEY_BEING_USED_FOR
26
+
};
27
+
extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
28
+
29
+
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
30
+
31
+
struct key;
32
+
33
+
extern int verify_pkcs7_signature(const void *data, size_t len,
34
+
const void *raw_pkcs7, size_t pkcs7_len,
35
+
struct key *trusted_keys,
36
+
enum key_being_used_for usage,
37
+
int (*view_content)(void *ctx,
38
+
const void *data, size_t len,
39
+
size_t asn1hdrlen),
40
+
void *ctx);
41
+
42
+
#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
43
+
extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
44
+
struct key *trusted_keys,
45
+
enum key_being_used_for usage);
46
+
#endif
47
+
48
+
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
49
+
#endif /* _LINUX_VERIFY_PEFILE_H */
-22
include/linux/verify_pefile.h
-22
include/linux/verify_pefile.h
···
1
-
/* Signed PE file verification
2
-
*
3
-
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4
-
* Written by David Howells (dhowells@redhat.com)
5
-
*
6
-
* This program is free software; you can redistribute it and/or
7
-
* modify it under the terms of the GNU General Public Licence
8
-
* as published by the Free Software Foundation; either version
9
-
* 2 of the Licence, or (at your option) any later version.
10
-
*/
11
-
12
-
#ifndef _LINUX_VERIFY_PEFILE_H
13
-
#define _LINUX_VERIFY_PEFILE_H
14
-
15
-
#include <crypto/public_key.h>
16
-
17
-
extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
18
-
struct key *trusted_keyring,
19
-
enum key_being_used_for usage,
20
-
bool *_trusted);
21
-
22
-
#endif /* _LINUX_VERIFY_PEFILE_H */
+10
include/uapi/linux/keyctl.h
+10
include/uapi/linux/keyctl.h
···
12
12
#ifndef _LINUX_KEYCTL_H
13
13
#define _LINUX_KEYCTL_H
14
14
15
+
#include <linux/types.h>
16
+
15
17
/* special process keyring shortcut IDs */
16
18
#define KEY_SPEC_THREAD_KEYRING -1 /* - key ID for thread-specific keyring */
17
19
#define KEY_SPEC_PROCESS_KEYRING -2 /* - key ID for process-specific keyring */
···
59
57
#define KEYCTL_INSTANTIATE_IOV 20 /* instantiate a partially constructed key */
60
58
#define KEYCTL_INVALIDATE 21 /* invalidate a key */
61
59
#define KEYCTL_GET_PERSISTENT 22 /* get a user's persistent keyring */
60
+
#define KEYCTL_DH_COMPUTE 23 /* Compute Diffie-Hellman values */
61
+
62
+
/* keyctl structures */
63
+
struct keyctl_dh_params {
64
+
__s32 private;
65
+
__s32 prime;
66
+
__s32 base;
67
+
};
62
68
63
69
#endif /* _LINUX_KEYCTL_H */
+4
-3
kernel/module_signing.c
+4
-3
kernel/module_signing.c
···
12
12
#include <linux/kernel.h>
13
13
#include <linux/errno.h>
14
14
#include <linux/string.h>
15
-
#include <keys/system_keyring.h>
15
+
#include <linux/verification.h>
16
16
#include <crypto/public_key.h>
17
17
#include "module-internal.h"
18
18
···
80
80
return -EBADMSG;
81
81
}
82
82
83
-
return system_verify_data(mod, modlen, mod + modlen, sig_len,
84
-
VERIFYING_MODULE_SIGNATURE);
83
+
return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
84
+
NULL, VERIFYING_MODULE_SIGNATURE,
85
+
NULL, NULL);
85
86
}
+1
-1
kernel/seccomp.c
+1
-1
kernel/seccomp.c
···
915
915
916
916
fprog = filter->prog->orig_prog;
917
917
if (!fprog) {
918
-
/* This must be a new non-cBPF filter, since we save every
918
+
/* This must be a new non-cBPF filter, since we save
919
919
* every cBPF filter's orig_prog above when
920
920
* CONFIG_CHECKPOINT_RESTORE is enabled.
921
921
*/
+92
lib/string_helpers.c
+92
lib/string_helpers.c
···
10
10
#include <linux/export.h>
11
11
#include <linux/ctype.h>
12
12
#include <linux/errno.h>
13
+
#include <linux/fs.h>
14
+
#include <linux/limits.h>
15
+
#include <linux/mm.h>
16
+
#include <linux/slab.h>
13
17
#include <linux/string.h>
14
18
#include <linux/string_helpers.h>
15
19
···
538
534
return p - dst;
539
535
}
540
536
EXPORT_SYMBOL(string_escape_mem);
537
+
538
+
/*
539
+
* Return an allocated string that has been escaped of special characters
540
+
* and double quotes, making it safe to log in quotes.
541
+
*/
542
+
char *kstrdup_quotable(const char *src, gfp_t gfp)
543
+
{
544
+
size_t slen, dlen;
545
+
char *dst;
546
+
const int flags = ESCAPE_HEX;
547
+
const char esc[] = "\f\n\r\t\v\a\e\\\"";
548
+
549
+
if (!src)
550
+
return NULL;
551
+
slen = strlen(src);
552
+
553
+
dlen = string_escape_mem(src, slen, NULL, 0, flags, esc);
554
+
dst = kmalloc(dlen + 1, gfp);
555
+
if (!dst)
556
+
return NULL;
557
+
558
+
WARN_ON(string_escape_mem(src, slen, dst, dlen, flags, esc) != dlen);
559
+
dst[dlen] = '\0';
560
+
561
+
return dst;
562
+
}
563
+
EXPORT_SYMBOL_GPL(kstrdup_quotable);
564
+
565
+
/*
566
+
* Returns allocated NULL-terminated string containing process
567
+
* command line, with inter-argument NULLs replaced with spaces,
568
+
* and other special characters escaped.
569
+
*/
570
+
char *kstrdup_quotable_cmdline(struct task_struct *task, gfp_t gfp)
571
+
{
572
+
char *buffer, *quoted;
573
+
int i, res;
574
+
575
+
buffer = kmalloc(PAGE_SIZE, GFP_TEMPORARY);
576
+
if (!buffer)
577
+
return NULL;
578
+
579
+
res = get_cmdline(task, buffer, PAGE_SIZE - 1);
580
+
buffer[res] = '\0';
581
+
582
+
/* Collapse trailing NULLs, leave res pointing to last non-NULL. */
583
+
while (--res >= 0 && buffer[res] == '\0')
584
+
;
585
+
586
+
/* Replace inter-argument NULLs. */
587
+
for (i = 0; i <= res; i++)
588
+
if (buffer[i] == '\0')
589
+
buffer[i] = ' ';
590
+
591
+
/* Make sure result is printable. */
592
+
quoted = kstrdup_quotable(buffer, gfp);
593
+
kfree(buffer);
594
+
return quoted;
595
+
}
596
+
EXPORT_SYMBOL_GPL(kstrdup_quotable_cmdline);
597
+
598
+
/*
599
+
* Returns allocated NULL-terminated string containing pathname,
600
+
* with special characters escaped, able to be safely logged. If
601
+
* there is an error, the leading character will be "<".
602
+
*/
603
+
char *kstrdup_quotable_file(struct file *file, gfp_t gfp)
604
+
{
605
+
char *temp, *pathname;
606
+
607
+
if (!file)
608
+
return kstrdup("<unknown>", gfp);
609
+
610
+
/* We add 11 spaces for ' (deleted)' to be appended */
611
+
temp = kmalloc(PATH_MAX + 11, GFP_TEMPORARY);
612
+
if (!temp)
613
+
return kstrdup("<no_memory>", gfp);
614
+
615
+
pathname = file_path(file, temp, PATH_MAX + 11);
616
+
if (IS_ERR(pathname))
617
+
pathname = kstrdup("<too_long>", gfp);
618
+
else
619
+
pathname = kstrdup_quotable(pathname, gfp);
620
+
621
+
kfree(temp);
622
+
return pathname;
623
+
}
624
+
EXPORT_SYMBOL_GPL(kstrdup_quotable_file);
+1
-1
net/dns_resolver/dns_key.c
+1
-1
net/dns_resolver/dns_key.c
···
281
281
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
282
282
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
283
283
KEY_USR_VIEW | KEY_USR_READ,
284
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
284
+
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
285
285
if (IS_ERR(keyring)) {
286
286
ret = PTR_ERR(keyring);
287
287
goto failed_put_cred;
+1
-1
net/netlabel/netlabel_kapi.c
+1
-1
net/netlabel/netlabel_kapi.c
+2
-2
net/rxrpc/ar-key.c
+2
-2
net/rxrpc/ar-key.c
···
965
965
966
966
key = key_alloc(&key_type_rxrpc, "x",
967
967
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 0,
968
-
KEY_ALLOC_NOT_IN_QUOTA);
968
+
KEY_ALLOC_NOT_IN_QUOTA, NULL);
969
969
if (IS_ERR(key)) {
970
970
_leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));
971
971
return -ENOMEM;
···
1012
1012
1013
1013
key = key_alloc(&key_type_rxrpc, keyname,
1014
1014
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
1015
-
KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA);
1015
+
KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, NULL);
1016
1016
if (IS_ERR(key))
1017
1017
return key;
1018
1018
+1
security/Kconfig
+1
security/Kconfig
+2
security/Makefile
+2
security/Makefile
···
8
8
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
9
9
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
10
10
subdir-$(CONFIG_SECURITY_YAMA) += yama
11
+
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
11
12
12
13
# always enable default capabilities
13
14
obj-y += commoncap.o
···
23
22
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
24
23
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
25
24
obj-$(CONFIG_SECURITY_YAMA) += yama/
25
+
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
26
26
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
27
27
28
28
# Object integrity file lists
-1
security/integrity/Kconfig
-1
security/integrity/Kconfig
+11
-4
security/integrity/digsig.c
+11
-4
security/integrity/digsig.c
···
18
18
#include <linux/cred.h>
19
19
#include <linux/key-type.h>
20
20
#include <linux/digsig.h>
21
+
#include <crypto/public_key.h>
22
+
#include <keys/system_keyring.h>
21
23
22
24
#include "integrity.h"
23
25
···
40
38
static bool init_keyring __initdata = true;
41
39
#else
42
40
static bool init_keyring __initdata;
41
+
#endif
42
+
43
+
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
44
+
#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
45
+
#else
46
+
#define restrict_link_to_ima restrict_link_by_builtin_trusted
43
47
#endif
44
48
45
49
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
···
91
83
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
92
84
KEY_USR_VIEW | KEY_USR_READ |
93
85
KEY_USR_WRITE | KEY_USR_SEARCH),
94
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
95
-
if (!IS_ERR(keyring[id]))
96
-
set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
97
-
else {
86
+
KEY_ALLOC_NOT_IN_QUOTA,
87
+
restrict_link_to_ima, NULL);
88
+
if (IS_ERR(keyring[id])) {
98
89
err = PTR_ERR(keyring[id]);
99
90
pr_info("Can't allocate %s keyring (%d)\n",
100
91
keyring_name[id], err);
+23
-13
security/integrity/ima/Kconfig
+23
-13
security/integrity/ima/Kconfig
···
155
155
156
156
This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
157
157
158
-
config IMA_MOK_KEYRING
159
-
bool "Create IMA machine owner keys (MOK) and blacklist keyrings"
158
+
config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
159
+
bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
160
+
depends on SYSTEM_TRUSTED_KEYRING
161
+
depends on SECONDARY_TRUSTED_KEYRING
162
+
depends on INTEGRITY_ASYMMETRIC_KEYS
163
+
select INTEGRITY_TRUSTED_KEYRING
164
+
default n
165
+
help
166
+
Keys may be added to the IMA or IMA blacklist keyrings, if the
167
+
key is validly signed by a CA cert in the system built-in or
168
+
secondary trusted keyrings.
169
+
170
+
Intermediate keys between those the kernel has compiled in and the
171
+
IMA keys to be added may be added to the system secondary keyring,
172
+
provided they are validly signed by a key already resident in the
173
+
built-in or secondary trusted keyrings.
174
+
175
+
config IMA_BLACKLIST_KEYRING
176
+
bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
160
177
depends on SYSTEM_TRUSTED_KEYRING
161
178
depends on IMA_TRUSTED_KEYRING
162
179
default n
163
180
help
164
-
This option creates IMA MOK and blacklist keyrings. IMA MOK is an
165
-
intermediate keyring that sits between .system and .ima keyrings,
166
-
effectively forming a simple CA hierarchy. To successfully import a
167
-
key into .ima_mok it must be signed by a key which CA is in .system
168
-
keyring. On turn any key that needs to go in .ima keyring must be
169
-
signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty
170
-
at kernel boot.
171
-
172
-
IMA blacklist keyring contains all revoked IMA keys. It is consulted
173
-
before any other keyring. If the search is successful the requested
174
-
operation is rejected and error is returned to the caller.
181
+
This option creates an IMA blacklist keyring, which contains all
182
+
revoked IMA keys. It is consulted before any other keyring. If
183
+
the search is successful the requested operation is rejected and
184
+
an error is returned to the caller.
175
185
176
186
config IMA_LOAD_X509
177
187
bool "Load X509 certificate onto the '.ima' trusted keyring"
+1
-1
security/integrity/ima/Makefile
+1
-1
security/integrity/ima/Makefile
+6
-1
security/integrity/ima/ima_appraise.c
+6
-1
security/integrity/ima/ima_appraise.c
···
275
275
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
276
276
if (!ima_fix_xattr(dentry, iint))
277
277
status = INTEGRITY_PASS;
278
+
} else if ((inode->i_size == 0) &&
279
+
(iint->flags & IMA_NEW_FILE) &&
280
+
(xattr_value &&
281
+
xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
282
+
status = INTEGRITY_PASS;
278
283
}
279
284
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
280
285
op, cause, rc, 0);
···
333
328
if (iint) {
334
329
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
335
330
IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
336
-
IMA_ACTION_FLAGS);
331
+
IMA_ACTION_RULE_FLAGS);
337
332
if (must_appraise)
338
333
iint->flags |= IMA_APPRAISE;
339
334
}
+24
-1
security/integrity/ima/ima_main.c
+24
-1
security/integrity/ima/ima_main.c
···
246
246
ima_audit_measurement(iint, pathname);
247
247
248
248
out_digsig:
249
-
if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
249
+
if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
250
+
!(iint->flags & IMA_NEW_FILE))
250
251
rc = -EACCES;
251
252
kfree(xattr_value);
252
253
out_free:
···
315
314
FILE_CHECK, opened);
316
315
}
317
316
EXPORT_SYMBOL_GPL(ima_file_check);
317
+
318
+
/**
319
+
* ima_post_path_mknod - mark as a new inode
320
+
* @dentry: newly created dentry
321
+
*
322
+
* Mark files created via the mknodat syscall as new, so that the
323
+
* file data can be written later.
324
+
*/
325
+
void ima_post_path_mknod(struct dentry *dentry)
326
+
{
327
+
struct integrity_iint_cache *iint;
328
+
struct inode *inode = dentry->d_inode;
329
+
int must_appraise;
330
+
331
+
must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
332
+
if (!must_appraise)
333
+
return;
334
+
335
+
iint = integrity_inode_get(inode);
336
+
if (iint)
337
+
iint->flags |= IMA_NEW_FILE;
338
+
}
318
339
319
340
/**
320
341
* ima_read_file - pre-measure/appraise hook decision based on policy
+7
-16
security/integrity/ima/ima_mok.c
+7
-16
security/integrity/ima/ima_mok.c
···
17
17
#include <linux/cred.h>
18
18
#include <linux/err.h>
19
19
#include <linux/init.h>
20
-
#include <keys/asymmetric-type.h>
20
+
#include <keys/system_keyring.h>
21
21
22
22
23
-
struct key *ima_mok_keyring;
24
23
struct key *ima_blacklist_keyring;
25
24
26
25
/*
27
-
* Allocate the IMA MOK and blacklist keyrings
26
+
* Allocate the IMA blacklist keyring
28
27
*/
29
28
__init int ima_mok_init(void)
30
29
{
31
-
pr_notice("Allocating IMA MOK and blacklist keyrings.\n");
32
-
33
-
ima_mok_keyring = keyring_alloc(".ima_mok",
34
-
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
35
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
36
-
KEY_USR_VIEW | KEY_USR_READ |
37
-
KEY_USR_WRITE | KEY_USR_SEARCH,
38
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
30
+
pr_notice("Allocating IMA blacklist keyring.\n");
39
31
40
32
ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
41
33
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
42
34
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
43
35
KEY_USR_VIEW | KEY_USR_READ |
44
36
KEY_USR_WRITE | KEY_USR_SEARCH,
45
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
37
+
KEY_ALLOC_NOT_IN_QUOTA,
38
+
restrict_link_by_builtin_trusted, NULL);
46
39
47
-
if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring))
48
-
panic("Can't allocate IMA MOK or blacklist keyrings.");
49
-
set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_mok_keyring->flags);
40
+
if (IS_ERR(ima_blacklist_keyring))
41
+
panic("Can't allocate IMA blacklist keyring.");
50
42
51
-
set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_blacklist_keyring->flags);
52
43
set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
53
44
return 0;
54
45
}
+1
security/integrity/integrity.h
+1
security/integrity/integrity.h
+15
security/keys/Kconfig
+15
security/keys/Kconfig
···
41
41
bool "Large payload keys"
42
42
depends on KEYS
43
43
depends on TMPFS
44
+
select CRYPTO
45
+
select CRYPTO_AES
46
+
select CRYPTO_ECB
47
+
select CRYPTO_RNG
44
48
help
45
49
This option provides support for holding large keys within the kernel
46
50
(for example Kerberos ticket caches). The data may be stored out to
···
85
81
Userspace only ever sees/stores encrypted blobs.
86
82
87
83
If you are unsure as to whether this is required, answer N.
84
+
85
+
config KEY_DH_OPERATIONS
86
+
bool "Diffie-Hellman operations on retained keys"
87
+
depends on KEYS
88
+
select MPILIB
89
+
help
90
+
This option provides support for calculating Diffie-Hellman
91
+
public keys and shared secrets using values stored as keys
92
+
in the kernel.
93
+
94
+
If you are unsure as to whether this is required, answer N.
+1
security/keys/Makefile
+1
security/keys/Makefile
+181
-19
security/keys/big_key.c
+181
-19
security/keys/big_key.c
···
14
14
#include <linux/file.h>
15
15
#include <linux/shmem_fs.h>
16
16
#include <linux/err.h>
17
+
#include <linux/scatterlist.h>
17
18
#include <keys/user-type.h>
18
19
#include <keys/big_key-type.h>
20
+
#include <crypto/rng.h>
19
21
20
22
/*
21
23
* Layout of key payload words.
···
30
28
};
31
29
32
30
/*
31
+
* Crypto operation with big_key data
32
+
*/
33
+
enum big_key_op {
34
+
BIG_KEY_ENC,
35
+
BIG_KEY_DEC,
36
+
};
37
+
38
+
/*
33
39
* If the data is under this limit, there's no point creating a shm file to
34
40
* hold it as the permanently resident metadata for the shmem fs will be at
35
41
* least as large as the data.
36
42
*/
37
43
#define BIG_KEY_FILE_THRESHOLD (sizeof(struct inode) + sizeof(struct dentry))
44
+
45
+
/*
46
+
* Key size for big_key data encryption
47
+
*/
48
+
#define ENC_KEY_SIZE 16
38
49
39
50
/*
40
51
* big_key defined keys take an arbitrary string as the description and an
···
65
50
};
66
51
67
52
/*
53
+
* Crypto names for big_key data encryption
54
+
*/
55
+
static const char big_key_rng_name[] = "stdrng";
56
+
static const char big_key_alg_name[] = "ecb(aes)";
57
+
58
+
/*
59
+
* Crypto algorithms for big_key data encryption
60
+
*/
61
+
static struct crypto_rng *big_key_rng;
62
+
static struct crypto_blkcipher *big_key_blkcipher;
63
+
64
+
/*
65
+
* Generate random key to encrypt big_key data
66
+
*/
67
+
static inline int big_key_gen_enckey(u8 *key)
68
+
{
69
+
return crypto_rng_get_bytes(big_key_rng, key, ENC_KEY_SIZE);
70
+
}
71
+
72
+
/*
73
+
* Encrypt/decrypt big_key data
74
+
*/
75
+
static int big_key_crypt(enum big_key_op op, u8 *data, size_t datalen, u8 *key)
76
+
{
77
+
int ret = -EINVAL;
78
+
struct scatterlist sgio;
79
+
struct blkcipher_desc desc;
80
+
81
+
if (crypto_blkcipher_setkey(big_key_blkcipher, key, ENC_KEY_SIZE)) {
82
+
ret = -EAGAIN;
83
+
goto error;
84
+
}
85
+
86
+
desc.flags = 0;
87
+
desc.tfm = big_key_blkcipher;
88
+
89
+
sg_init_one(&sgio, data, datalen);
90
+
91
+
if (op == BIG_KEY_ENC)
92
+
ret = crypto_blkcipher_encrypt(&desc, &sgio, &sgio, datalen);
93
+
else
94
+
ret = crypto_blkcipher_decrypt(&desc, &sgio, &sgio, datalen);
95
+
96
+
error:
97
+
return ret;
98
+
}
99
+
100
+
/*
68
101
* Preparse a big key
69
102
*/
70
103
int big_key_preparse(struct key_preparsed_payload *prep)
71
104
{
72
105
struct path *path = (struct path *)&prep->payload.data[big_key_path];
73
106
struct file *file;
107
+
u8 *enckey;
108
+
u8 *data = NULL;
74
109
ssize_t written;
75
110
size_t datalen = prep->datalen;
76
111
int ret;
···
138
73
/* Create a shmem file to store the data in. This will permit the data
139
74
* to be swapped out if needed.
140
75
*
141
-
* TODO: Encrypt the stored data with a temporary key.
76
+
* File content is stored encrypted with randomly generated key.
142
77
*/
143
-
file = shmem_kernel_file_setup("", datalen, 0);
144
-
if (IS_ERR(file)) {
145
-
ret = PTR_ERR(file);
78
+
size_t enclen = ALIGN(datalen, crypto_blkcipher_blocksize(big_key_blkcipher));
79
+
80
+
/* prepare aligned data to encrypt */
81
+
data = kmalloc(enclen, GFP_KERNEL);
82
+
if (!data)
83
+
return -ENOMEM;
84
+
85
+
memcpy(data, prep->data, datalen);
86
+
memset(data + datalen, 0x00, enclen - datalen);
87
+
88
+
/* generate random key */
89
+
enckey = kmalloc(ENC_KEY_SIZE, GFP_KERNEL);
90
+
if (!enckey) {
91
+
ret = -ENOMEM;
146
92
goto error;
147
93
}
148
94
149
-
written = kernel_write(file, prep->data, prep->datalen, 0);
150
-
if (written != datalen) {
95
+
ret = big_key_gen_enckey(enckey);
96
+
if (ret)
97
+
goto err_enckey;
98
+
99
+
/* encrypt aligned data */
100
+
ret = big_key_crypt(BIG_KEY_ENC, data, enclen, enckey);
101
+
if (ret)
102
+
goto err_enckey;
103
+
104
+
/* save aligned data to file */
105
+
file = shmem_kernel_file_setup("", enclen, 0);
106
+
if (IS_ERR(file)) {
107
+
ret = PTR_ERR(file);
108
+
goto err_enckey;
109
+
}
110
+
111
+
written = kernel_write(file, data, enclen, 0);
112
+
if (written != enclen) {
151
113
ret = written;
152
114
if (written >= 0)
153
115
ret = -ENOMEM;
···
184
92
/* Pin the mount and dentry to the key so that we can open it again
185
93
* later
186
94
*/
95
+
prep->payload.data[big_key_data] = enckey;
187
96
*path = file->f_path;
188
97
path_get(path);
189
98
fput(file);
99
+
kfree(data);
190
100
} else {
191
101
/* Just store the data in a buffer */
192
102
void *data = kmalloc(datalen, GFP_KERNEL);
103
+
193
104
if (!data)
194
105
return -ENOMEM;
195
106
···
203
108
204
109
err_fput:
205
110
fput(file);
111
+
err_enckey:
112
+
kfree(enckey);
206
113
error:
114
+
kfree(data);
207
115
return ret;
208
116
}
209
117
···
217
119
{
218
120
if (prep->datalen > BIG_KEY_FILE_THRESHOLD) {
219
121
struct path *path = (struct path *)&prep->payload.data[big_key_path];
122
+
220
123
path_put(path);
221
-
} else {
222
-
kfree(prep->payload.data[big_key_data]);
223
124
}
125
+
kfree(prep->payload.data[big_key_data]);
224
126
}
225
127
226
128
/*
···
245
147
{
246
148
size_t datalen = (size_t)key->payload.data[big_key_len];
247
149
248
-
if (datalen) {
150
+
if (datalen > BIG_KEY_FILE_THRESHOLD) {
249
151
struct path *path = (struct path *)&key->payload.data[big_key_path];
152
+
250
153
path_put(path);
251
154
path->mnt = NULL;
252
155
path->dentry = NULL;
253
-
} else {
254
-
kfree(key->payload.data[big_key_data]);
255
-
key->payload.data[big_key_data] = NULL;
256
156
}
157
+
kfree(key->payload.data[big_key_data]);
158
+
key->payload.data[big_key_data] = NULL;
257
159
}
258
160
259
161
/*
···
286
188
if (datalen > BIG_KEY_FILE_THRESHOLD) {
287
189
struct path *path = (struct path *)&key->payload.data[big_key_path];
288
190
struct file *file;
289
-
loff_t pos;
191
+
u8 *data;
192
+
u8 *enckey = (u8 *)key->payload.data[big_key_data];
193
+
size_t enclen = ALIGN(datalen, crypto_blkcipher_blocksize(big_key_blkcipher));
194
+
195
+
data = kmalloc(enclen, GFP_KERNEL);
196
+
if (!data)
197
+
return -ENOMEM;
290
198
291
199
file = dentry_open(path, O_RDONLY, current_cred());
292
-
if (IS_ERR(file))
293
-
return PTR_ERR(file);
200
+
if (IS_ERR(file)) {
201
+
ret = PTR_ERR(file);
202
+
goto error;
203
+
}
294
204
295
-
pos = 0;
296
-
ret = vfs_read(file, buffer, datalen, &pos);
297
-
fput(file);
298
-
if (ret >= 0 && ret != datalen)
205
+
/* read file to kernel and decrypt */
206
+
ret = kernel_read(file, 0, data, enclen);
207
+
if (ret >= 0 && ret != enclen) {
299
208
ret = -EIO;
209
+
goto err_fput;
210
+
}
211
+
212
+
ret = big_key_crypt(BIG_KEY_DEC, data, enclen, enckey);
213
+
if (ret)
214
+
goto err_fput;
215
+
216
+
ret = datalen;
217
+
218
+
/* copy decrypted data to user */
219
+
if (copy_to_user(buffer, data, datalen) != 0)
220
+
ret = -EFAULT;
221
+
222
+
err_fput:
223
+
fput(file);
224
+
error:
225
+
kfree(data);
300
226
} else {
301
227
ret = datalen;
302
228
if (copy_to_user(buffer, key->payload.data[big_key_data],
···
331
209
return ret;
332
210
}
333
211
212
+
/*
213
+
* Register key type
214
+
*/
334
215
static int __init big_key_init(void)
335
216
{
336
217
return register_key_type(&key_type_big_key);
337
218
}
219
+
220
+
/*
221
+
* Initialize big_key crypto and RNG algorithms
222
+
*/
223
+
static int __init big_key_crypto_init(void)
224
+
{
225
+
int ret = -EINVAL;
226
+
227
+
/* init RNG */
228
+
big_key_rng = crypto_alloc_rng(big_key_rng_name, 0, 0);
229
+
if (IS_ERR(big_key_rng)) {
230
+
big_key_rng = NULL;
231
+
return -EFAULT;
232
+
}
233
+
234
+
/* seed RNG */
235
+
ret = crypto_rng_reset(big_key_rng, NULL, crypto_rng_seedsize(big_key_rng));
236
+
if (ret)
237
+
goto error;
238
+
239
+
/* init block cipher */
240
+
big_key_blkcipher = crypto_alloc_blkcipher(big_key_alg_name, 0, 0);
241
+
if (IS_ERR(big_key_blkcipher)) {
242
+
big_key_blkcipher = NULL;
243
+
ret = -EFAULT;
244
+
goto error;
245
+
}
246
+
247
+
return 0;
248
+
249
+
error:
250
+
crypto_free_rng(big_key_rng);
251
+
big_key_rng = NULL;
252
+
return ret;
253
+
}
254
+
338
255
device_initcall(big_key_init);
256
+
late_initcall(big_key_crypto_init);
+4
security/keys/compat.c
+4
security/keys/compat.c
+160
security/keys/dh.c
+160
security/keys/dh.c
···
1
+
/* Crypto operations using stored keys
2
+
*
3
+
* Copyright (c) 2016, Intel Corporation
4
+
*
5
+
* This program is free software; you can redistribute it and/or
6
+
* modify it under the terms of the GNU General Public License
7
+
* as published by the Free Software Foundation; either version
8
+
* 2 of the License, or (at your option) any later version.
9
+
*/
10
+
11
+
#include <linux/mpi.h>
12
+
#include <linux/slab.h>
13
+
#include <linux/uaccess.h>
14
+
#include <keys/user-type.h>
15
+
#include "internal.h"
16
+
17
+
/*
18
+
* Public key or shared secret generation function [RFC2631 sec 2.1.1]
19
+
*
20
+
* ya = g^xa mod p;
21
+
* or
22
+
* ZZ = yb^xa mod p;
23
+
*
24
+
* where xa is the local private key, ya is the local public key, g is
25
+
* the generator, p is the prime, yb is the remote public key, and ZZ
26
+
* is the shared secret.
27
+
*
28
+
* Both are the same calculation, so g or yb are the "base" and ya or
29
+
* ZZ are the "result".
30
+
*/
31
+
static int do_dh(MPI result, MPI base, MPI xa, MPI p)
32
+
{
33
+
return mpi_powm(result, base, xa, p);
34
+
}
35
+
36
+
static ssize_t mpi_from_key(key_serial_t keyid, size_t maxlen, MPI *mpi)
37
+
{
38
+
struct key *key;
39
+
key_ref_t key_ref;
40
+
long status;
41
+
ssize_t ret;
42
+
43
+
key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
44
+
if (IS_ERR(key_ref)) {
45
+
ret = -ENOKEY;
46
+
goto error;
47
+
}
48
+
49
+
key = key_ref_to_ptr(key_ref);
50
+
51
+
ret = -EOPNOTSUPP;
52
+
if (key->type == &key_type_user) {
53
+
down_read(&key->sem);
54
+
status = key_validate(key);
55
+
if (status == 0) {
56
+
const struct user_key_payload *payload;
57
+
58
+
payload = user_key_payload(key);
59
+
60
+
if (maxlen == 0) {
61
+
*mpi = NULL;
62
+
ret = payload->datalen;
63
+
} else if (payload->datalen <= maxlen) {
64
+
*mpi = mpi_read_raw_data(payload->data,
65
+
payload->datalen);
66
+
if (*mpi)
67
+
ret = payload->datalen;
68
+
} else {
69
+
ret = -EINVAL;
70
+
}
71
+
}
72
+
up_read(&key->sem);
73
+
}
74
+
75
+
key_put(key);
76
+
error:
77
+
return ret;
78
+
}
79
+
80
+
long keyctl_dh_compute(struct keyctl_dh_params __user *params,
81
+
char __user *buffer, size_t buflen)
82
+
{
83
+
long ret;
84
+
MPI base, private, prime, result;
85
+
unsigned nbytes;
86
+
struct keyctl_dh_params pcopy;
87
+
uint8_t *kbuf;
88
+
ssize_t keylen;
89
+
size_t resultlen;
90
+
91
+
if (!params || (!buffer && buflen)) {
92
+
ret = -EINVAL;
93
+
goto out;
94
+
}
95
+
if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
96
+
ret = -EFAULT;
97
+
goto out;
98
+
}
99
+
100
+
keylen = mpi_from_key(pcopy.prime, buflen, &prime);
101
+
if (keylen < 0 || !prime) {
102
+
/* buflen == 0 may be used to query the required buffer size,
103
+
* which is the prime key length.
104
+
*/
105
+
ret = keylen;
106
+
goto out;
107
+
}
108
+
109
+
/* The result is never longer than the prime */
110
+
resultlen = keylen;
111
+
112
+
keylen = mpi_from_key(pcopy.base, SIZE_MAX, &base);
113
+
if (keylen < 0 || !base) {
114
+
ret = keylen;
115
+
goto error1;
116
+
}
117
+
118
+
keylen = mpi_from_key(pcopy.private, SIZE_MAX, &private);
119
+
if (keylen < 0 || !private) {
120
+
ret = keylen;
121
+
goto error2;
122
+
}
123
+
124
+
result = mpi_alloc(0);
125
+
if (!result) {
126
+
ret = -ENOMEM;
127
+
goto error3;
128
+
}
129
+
130
+
kbuf = kmalloc(resultlen, GFP_KERNEL);
131
+
if (!kbuf) {
132
+
ret = -ENOMEM;
133
+
goto error4;
134
+
}
135
+
136
+
ret = do_dh(result, base, private, prime);
137
+
if (ret)
138
+
goto error5;
139
+
140
+
ret = mpi_read_buffer(result, kbuf, resultlen, &nbytes, NULL);
141
+
if (ret != 0)
142
+
goto error5;
143
+
144
+
ret = nbytes;
145
+
if (copy_to_user(buffer, kbuf, nbytes) != 0)
146
+
ret = -EFAULT;
147
+
148
+
error5:
149
+
kfree(kbuf);
150
+
error4:
151
+
mpi_free(result);
152
+
error3:
153
+
mpi_free(private);
154
+
error2:
155
+
mpi_free(base);
156
+
error1:
157
+
mpi_free(prime);
158
+
out:
159
+
return ret;
160
+
}
+12
security/keys/internal.h
+12
security/keys/internal.h
···
15
15
#include <linux/sched.h>
16
16
#include <linux/key-type.h>
17
17
#include <linux/task_work.h>
18
+
#include <linux/keyctl.h>
18
19
19
20
struct iovec;
20
21
···
253
252
extern unsigned persistent_keyring_expiry;
254
253
#else
255
254
static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
255
+
{
256
+
return -EOPNOTSUPP;
257
+
}
258
+
#endif
259
+
260
+
#ifdef CONFIG_KEY_DH_OPERATIONS
261
+
extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
262
+
size_t);
263
+
#else
264
+
static inline long keyctl_dh_compute(struct keyctl_dh_params __user *params,
265
+
char __user *buffer, size_t buflen)
256
266
{
257
267
return -EOPNOTSUPP;
258
268
}
+32
-10
security/keys/key.c
+32
-10
security/keys/key.c
···
201
201
* @cred: The credentials specifying UID namespace.
202
202
* @perm: The permissions mask of the new key.
203
203
* @flags: Flags specifying quota properties.
204
+
* @restrict_link: Optional link restriction method for new keyrings.
204
205
*
205
206
* Allocate a key of the specified type with the attributes given. The key is
206
207
* returned in an uninstantiated state and the caller needs to instantiate the
···
224
223
*/
225
224
struct key *key_alloc(struct key_type *type, const char *desc,
226
225
kuid_t uid, kgid_t gid, const struct cred *cred,
227
-
key_perm_t perm, unsigned long flags)
226
+
key_perm_t perm, unsigned long flags,
227
+
int (*restrict_link)(struct key *,
228
+
const struct key_type *,
229
+
const union key_payload *))
228
230
{
229
231
struct key_user *user = NULL;
230
232
struct key *key;
···
295
291
key->uid = uid;
296
292
key->gid = gid;
297
293
key->perm = perm;
294
+
key->restrict_link = restrict_link;
298
295
299
296
if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
300
297
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
301
-
if (flags & KEY_ALLOC_TRUSTED)
302
-
key->flags |= 1 << KEY_FLAG_TRUSTED;
303
298
if (flags & KEY_ALLOC_BUILT_IN)
304
299
key->flags |= 1 << KEY_FLAG_BUILTIN;
305
300
···
499
496
}
500
497
501
498
if (keyring) {
499
+
if (keyring->restrict_link) {
500
+
ret = keyring->restrict_link(keyring, key->type,
501
+
&prep.payload);
502
+
if (ret < 0)
503
+
goto error;
504
+
}
502
505
ret = __key_link_begin(keyring, &key->index_key, &edit);
503
506
if (ret < 0)
504
507
goto error;
···
560
551
awaken = 0;
561
552
ret = -EBUSY;
562
553
563
-
if (keyring)
554
+
if (keyring) {
555
+
if (keyring->restrict_link)
556
+
return -EPERM;
557
+
564
558
link_ret = __key_link_begin(keyring, &key->index_key, &edit);
559
+
}
565
560
566
561
mutex_lock(&key_construction_mutex);
567
562
···
806
793
struct key *keyring, *key = NULL;
807
794
key_ref_t key_ref;
808
795
int ret;
796
+
int (*restrict_link)(struct key *,
797
+
const struct key_type *,
798
+
const union key_payload *) = NULL;
809
799
810
800
/* look up the key type to see if it's one of the registered kernel
811
801
* types */
···
827
811
828
812
key_check(keyring);
829
813
814
+
key_ref = ERR_PTR(-EPERM);
815
+
if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION))
816
+
restrict_link = keyring->restrict_link;
817
+
830
818
key_ref = ERR_PTR(-ENOTDIR);
831
819
if (keyring->type != &key_type_keyring)
832
820
goto error_put_type;
···
839
819
prep.data = payload;
840
820
prep.datalen = plen;
841
821
prep.quotalen = index_key.type->def_datalen;
842
-
prep.trusted = flags & KEY_ALLOC_TRUSTED;
843
822
prep.expiry = TIME_T_MAX;
844
823
if (index_key.type->preparse) {
845
824
ret = index_key.type->preparse(&prep);
···
854
835
}
855
836
index_key.desc_len = strlen(index_key.description);
856
837
857
-
key_ref = ERR_PTR(-EPERM);
858
-
if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
859
-
goto error_free_prep;
860
-
flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0;
838
+
if (restrict_link) {
839
+
ret = restrict_link(keyring, index_key.type, &prep.payload);
840
+
if (ret < 0) {
841
+
key_ref = ERR_PTR(ret);
842
+
goto error_free_prep;
843
+
}
844
+
}
861
845
862
846
ret = __key_link_begin(keyring, &index_key, &edit);
863
847
if (ret < 0) {
···
901
879
902
880
/* allocate a new key */
903
881
key = key_alloc(index_key.type, index_key.description,
904
-
cred->fsuid, cred->fsgid, cred, perm, flags);
882
+
cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
905
883
if (IS_ERR(key)) {
906
884
key_ref = ERR_CAST(key);
907
885
goto error_link_end;
+5
security/keys/keyctl.c
+5
security/keys/keyctl.c
···
1686
1686
case KEYCTL_GET_PERSISTENT:
1687
1687
return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3);
1688
1688
1689
+
case KEYCTL_DH_COMPUTE:
1690
+
return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2,
1691
+
(char __user *) arg3,
1692
+
(size_t) arg4);
1693
+
1689
1694
default:
1690
1695
return -EOPNOTSUPP;
1691
1696
}
+39
-7
security/keys/keyring.c
+39
-7
security/keys/keyring.c
···
491
491
*/
492
492
struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
493
493
const struct cred *cred, key_perm_t perm,
494
-
unsigned long flags, struct key *dest)
494
+
unsigned long flags,
495
+
int (*restrict_link)(struct key *,
496
+
const struct key_type *,
497
+
const union key_payload *),
498
+
struct key *dest)
495
499
{
496
500
struct key *keyring;
497
501
int ret;
498
502
499
503
keyring = key_alloc(&key_type_keyring, description,
500
-
uid, gid, cred, perm, flags);
504
+
uid, gid, cred, perm, flags, restrict_link);
501
505
if (!IS_ERR(keyring)) {
502
506
ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
503
507
if (ret < 0) {
···
513
509
return keyring;
514
510
}
515
511
EXPORT_SYMBOL(keyring_alloc);
512
+
513
+
/**
514
+
* restrict_link_reject - Give -EPERM to restrict link
515
+
* @keyring: The keyring being added to.
516
+
* @type: The type of key being added.
517
+
* @payload: The payload of the key intended to be added.
518
+
*
519
+
* Reject the addition of any links to a keyring. It can be overridden by
520
+
* passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when
521
+
* adding a key to a keyring.
522
+
*
523
+
* This is meant to be passed as the restrict_link parameter to
524
+
* keyring_alloc().
525
+
*/
526
+
int restrict_link_reject(struct key *keyring,
527
+
const struct key_type *type,
528
+
const union key_payload *payload)
529
+
{
530
+
return -EPERM;
531
+
}
516
532
517
533
/*
518
534
* By default, we keys found by getting an exact match on their descriptions.
···
1215
1191
up_write(&keyring->sem);
1216
1192
}
1217
1193
1194
+
/*
1195
+
* Check addition of keys to restricted keyrings.
1196
+
*/
1197
+
static int __key_link_check_restriction(struct key *keyring, struct key *key)
1198
+
{
1199
+
if (!keyring->restrict_link)
1200
+
return 0;
1201
+
return keyring->restrict_link(keyring, key->type, &key->payload);
1202
+
}
1203
+
1218
1204
/**
1219
1205
* key_link - Link a key to a keyring
1220
1206
* @keyring: The keyring to make the link in.
···
1255
1221
key_check(keyring);
1256
1222
key_check(key);
1257
1223
1258
-
if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
1259
-
!test_bit(KEY_FLAG_TRUSTED, &key->flags))
1260
-
return -EPERM;
1261
-
1262
1224
ret = __key_link_begin(keyring, &key->index_key, &edit);
1263
1225
if (ret == 0) {
1264
1226
kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1265
-
ret = __key_link_check_live_key(keyring, key);
1227
+
ret = __key_link_check_restriction(keyring, key);
1228
+
if (ret == 0)
1229
+
ret = __key_link_check_live_key(keyring, key);
1266
1230
if (ret == 0)
1267
1231
__key_link(key, &edit);
1268
1232
__key_link_end(keyring, &key->index_key, edit);
+2
-2
security/keys/persistent.c
+2
-2
security/keys/persistent.c
···
26
26
current_cred(),
27
27
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
28
28
KEY_USR_VIEW | KEY_USR_READ),
29
-
KEY_ALLOC_NOT_IN_QUOTA, NULL);
29
+
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
30
30
if (IS_ERR(reg))
31
31
return PTR_ERR(reg);
32
32
···
60
60
uid, INVALID_GID, current_cred(),
61
61
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
62
62
KEY_USR_VIEW | KEY_USR_READ),
63
-
KEY_ALLOC_NOT_IN_QUOTA,
63
+
KEY_ALLOC_NOT_IN_QUOTA, NULL,
64
64
ns->persistent_keyring_register);
65
65
if (IS_ERR(persistent))
66
66
return ERR_CAST(persistent);
+10
-6
security/keys/process_keys.c
+10
-6
security/keys/process_keys.c
···
76
76
if (IS_ERR(uid_keyring)) {
77
77
uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
78
78
cred, user_keyring_perm,
79
-
KEY_ALLOC_IN_QUOTA, NULL);
79
+
KEY_ALLOC_IN_QUOTA,
80
+
NULL, NULL);
80
81
if (IS_ERR(uid_keyring)) {
81
82
ret = PTR_ERR(uid_keyring);
82
83
goto error;
···
93
92
session_keyring =
94
93
keyring_alloc(buf, user->uid, INVALID_GID,
95
94
cred, user_keyring_perm,
96
-
KEY_ALLOC_IN_QUOTA, NULL);
95
+
KEY_ALLOC_IN_QUOTA,
96
+
NULL, NULL);
97
97
if (IS_ERR(session_keyring)) {
98
98
ret = PTR_ERR(session_keyring);
99
99
goto error_release;
···
136
134
137
135
keyring = keyring_alloc("_tid", new->uid, new->gid, new,
138
136
KEY_POS_ALL | KEY_USR_VIEW,
139
-
KEY_ALLOC_QUOTA_OVERRUN, NULL);
137
+
KEY_ALLOC_QUOTA_OVERRUN,
138
+
NULL, NULL);
140
139
if (IS_ERR(keyring))
141
140
return PTR_ERR(keyring);
142
141
···
183
180
184
181
keyring = keyring_alloc("_pid", new->uid, new->gid, new,
185
182
KEY_POS_ALL | KEY_USR_VIEW,
186
-
KEY_ALLOC_QUOTA_OVERRUN, NULL);
183
+
KEY_ALLOC_QUOTA_OVERRUN,
184
+
NULL, NULL);
187
185
if (IS_ERR(keyring))
188
186
return PTR_ERR(keyring);
189
187
···
235
231
236
232
keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
237
233
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
238
-
flags, NULL);
234
+
flags, NULL, NULL);
239
235
if (IS_ERR(keyring))
240
236
return PTR_ERR(keyring);
241
237
} else {
···
789
785
keyring = keyring_alloc(
790
786
name, old->uid, old->gid, old,
791
787
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
792
-
KEY_ALLOC_IN_QUOTA, NULL);
788
+
KEY_ALLOC_IN_QUOTA, NULL, NULL);
793
789
if (IS_ERR(keyring)) {
794
790
ret = PTR_ERR(keyring);
795
791
goto error2;
+2
-2
security/keys/request_key.c
+2
-2
security/keys/request_key.c
···
116
116
cred = get_current_cred();
117
117
keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
118
118
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
119
-
KEY_ALLOC_QUOTA_OVERRUN, NULL);
119
+
KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
120
120
put_cred(cred);
121
121
if (IS_ERR(keyring)) {
122
122
ret = PTR_ERR(keyring);
···
355
355
356
356
key = key_alloc(ctx->index_key.type, ctx->index_key.description,
357
357
ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
358
-
perm, flags);
358
+
perm, flags, NULL);
359
359
if (IS_ERR(key))
360
360
goto alloc_failed;
361
361
+1
-1
security/keys/request_key_auth.c
+1
-1
security/keys/request_key_auth.c
···
202
202
authkey = key_alloc(&key_type_request_key_auth, desc,
203
203
cred->fsuid, cred->fsgid, cred,
204
204
KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
205
-
KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
205
+
KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL);
206
206
if (IS_ERR(authkey)) {
207
207
ret = PTR_ERR(authkey);
208
208
goto error_alloc;
+10
-30
security/keys/user_defined.c
+10
-30
security/keys/user_defined.c
···
96
96
*/
97
97
int user_update(struct key *key, struct key_preparsed_payload *prep)
98
98
{
99
-
struct user_key_payload *upayload, *zap;
100
-
size_t datalen = prep->datalen;
99
+
struct user_key_payload *zap = NULL;
101
100
int ret;
102
101
103
-
ret = -EINVAL;
104
-
if (datalen <= 0 || datalen > 32767 || !prep->data)
105
-
goto error;
106
-
107
-
/* construct a replacement payload */
108
-
ret = -ENOMEM;
109
-
upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
110
-
if (!upayload)
111
-
goto error;
112
-
113
-
upayload->datalen = datalen;
114
-
memcpy(upayload->data, prep->data, datalen);
115
-
116
102
/* check the quota and attach the new data */
117
-
zap = upayload;
103
+
ret = key_payload_reserve(key, prep->datalen);
104
+
if (ret < 0)
105
+
return ret;
118
106
119
-
ret = key_payload_reserve(key, datalen);
120
-
121
-
if (ret == 0) {
122
-
/* attach the new data, displacing the old */
123
-
if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
124
-
zap = key->payload.data[0];
125
-
else
126
-
zap = NULL;
127
-
rcu_assign_keypointer(key, upayload);
128
-
key->expiry = 0;
129
-
}
107
+
/* attach the new data, displacing the old */
108
+
key->expiry = prep->expiry;
109
+
if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
110
+
zap = rcu_dereference_key(key);
111
+
rcu_assign_keypointer(key, prep->payload.data[0]);
112
+
prep->payload.data[0] = NULL;
130
113
131
114
if (zap)
132
115
kfree_rcu(zap, rcu);
133
-
134
-
error:
135
116
return ret;
136
117
}
137
-
138
118
EXPORT_SYMBOL_GPL(user_update);
139
119
140
120
/*
+19
security/loadpin/Kconfig
+19
security/loadpin/Kconfig
···
1
+
config SECURITY_LOADPIN
2
+
bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
3
+
depends on SECURITY && BLOCK
4
+
help
5
+
Any files read through the kernel file reading interface
6
+
(kernel modules, firmware, kexec images, security policy)
7
+
can be pinned to the first filesystem used for loading. When
8
+
enabled, any files that come from other filesystems will be
9
+
rejected. This is best used on systems without an initrd that
10
+
have a root filesystem backed by a read-only device such as
11
+
dm-verity or a CDROM.
12
+
13
+
config SECURITY_LOADPIN_ENABLED
14
+
bool "Enforce LoadPin at boot"
15
+
depends on SECURITY_LOADPIN
16
+
help
17
+
If selected, LoadPin will enforce pinning at boot. If not
18
+
selected, it can be enabled at boot with the kernel parameter
19
+
"loadpin.enabled=1".
+1
security/loadpin/Makefile
+1
security/loadpin/Makefile
···
1
+
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin.o
+190
security/loadpin/loadpin.c
+190
security/loadpin/loadpin.c
···
1
+
/*
2
+
* Module and Firmware Pinning Security Module
3
+
*
4
+
* Copyright 2011-2016 Google Inc.
5
+
*
6
+
* Author: Kees Cook <keescook@chromium.org>
7
+
*
8
+
* This software is licensed under the terms of the GNU General Public
9
+
* License version 2, as published by the Free Software Foundation, and
10
+
* may be copied, distributed, and modified under those terms.
11
+
*
12
+
* This program is distributed in the hope that it will be useful,
13
+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+
* GNU General Public License for more details.
16
+
*/
17
+
18
+
#define pr_fmt(fmt) "LoadPin: " fmt
19
+
20
+
#include <linux/module.h>
21
+
#include <linux/fs.h>
22
+
#include <linux/fs_struct.h>
23
+
#include <linux/lsm_hooks.h>
24
+
#include <linux/mount.h>
25
+
#include <linux/path.h>
26
+
#include <linux/sched.h> /* current */
27
+
#include <linux/string_helpers.h>
28
+
29
+
static void report_load(const char *origin, struct file *file, char *operation)
30
+
{
31
+
char *cmdline, *pathname;
32
+
33
+
pathname = kstrdup_quotable_file(file, GFP_KERNEL);
34
+
cmdline = kstrdup_quotable_cmdline(current, GFP_KERNEL);
35
+
36
+
pr_notice("%s %s obj=%s%s%s pid=%d cmdline=%s%s%s\n",
37
+
origin, operation,
38
+
(pathname && pathname[0] != '<') ? "\"" : "",
39
+
pathname,
40
+
(pathname && pathname[0] != '<') ? "\"" : "",
41
+
task_pid_nr(current),
42
+
cmdline ? "\"" : "", cmdline, cmdline ? "\"" : "");
43
+
44
+
kfree(cmdline);
45
+
kfree(pathname);
46
+
}
47
+
48
+
static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
49
+
static struct super_block *pinned_root;
50
+
static DEFINE_SPINLOCK(pinned_root_spinlock);
51
+
52
+
#ifdef CONFIG_SYSCTL
53
+
static int zero;
54
+
static int one = 1;
55
+
56
+
static struct ctl_path loadpin_sysctl_path[] = {
57
+
{ .procname = "kernel", },
58
+
{ .procname = "loadpin", },
59
+
{ }
60
+
};
61
+
62
+
static struct ctl_table loadpin_sysctl_table[] = {
63
+
{
64
+
.procname = "enabled",
65
+
.data = &enabled,
66
+
.maxlen = sizeof(int),
67
+
.mode = 0644,
68
+
.proc_handler = proc_dointvec_minmax,
69
+
.extra1 = &zero,
70
+
.extra2 = &one,
71
+
},
72
+
{ }
73
+
};
74
+
75
+
/*
76
+
* This must be called after early kernel init, since then the rootdev
77
+
* is available.
78
+
*/
79
+
static void check_pinning_enforcement(struct super_block *mnt_sb)
80
+
{
81
+
bool ro = false;
82
+
83
+
/*
84
+
* If load pinning is not enforced via a read-only block
85
+
* device, allow sysctl to change modes for testing.
86
+
*/
87
+
if (mnt_sb->s_bdev) {
88
+
ro = bdev_read_only(mnt_sb->s_bdev);
89
+
pr_info("dev(%u,%u): %s\n",
90
+
MAJOR(mnt_sb->s_bdev->bd_dev),
91
+
MINOR(mnt_sb->s_bdev->bd_dev),
92
+
ro ? "read-only" : "writable");
93
+
} else
94
+
pr_info("mnt_sb lacks block device, treating as: writable\n");
95
+
96
+
if (!ro) {
97
+
if (!register_sysctl_paths(loadpin_sysctl_path,
98
+
loadpin_sysctl_table))
99
+
pr_notice("sysctl registration failed!\n");
100
+
else
101
+
pr_info("load pinning can be disabled.\n");
102
+
} else
103
+
pr_info("load pinning engaged.\n");
104
+
}
105
+
#else
106
+
static void check_pinning_enforcement(struct super_block *mnt_sb)
107
+
{
108
+
pr_info("load pinning engaged.\n");
109
+
}
110
+
#endif
111
+
112
+
static void loadpin_sb_free_security(struct super_block *mnt_sb)
113
+
{
114
+
/*
115
+
* When unmounting the filesystem we were using for load
116
+
* pinning, we acknowledge the superblock release, but make sure
117
+
* no other modules or firmware can be loaded.
118
+
*/
119
+
if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
120
+
pinned_root = ERR_PTR(-EIO);
121
+
pr_info("umount pinned fs: refusing further loads\n");
122
+
}
123
+
}
124
+
125
+
static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
126
+
{
127
+
struct super_block *load_root;
128
+
const char *origin = kernel_read_file_id_str(id);
129
+
130
+
/* This handles the older init_module API that has a NULL file. */
131
+
if (!file) {
132
+
if (!enabled) {
133
+
report_load(origin, NULL, "old-api-pinning-ignored");
134
+
return 0;
135
+
}
136
+
137
+
report_load(origin, NULL, "old-api-denied");
138
+
return -EPERM;
139
+
}
140
+
141
+
load_root = file->f_path.mnt->mnt_sb;
142
+
143
+
/* First loaded module/firmware defines the root for all others. */
144
+
spin_lock(&pinned_root_spinlock);
145
+
/*
146
+
* pinned_root is only NULL at startup. Otherwise, it is either
147
+
* a valid reference, or an ERR_PTR.
148
+
*/
149
+
if (!pinned_root) {
150
+
pinned_root = load_root;
151
+
/*
152
+
* Unlock now since it's only pinned_root we care about.
153
+
* In the worst case, we will (correctly) report pinning
154
+
* failures before we have announced that pinning is
155
+
* enabled. This would be purely cosmetic.
156
+
*/
157
+
spin_unlock(&pinned_root_spinlock);
158
+
check_pinning_enforcement(pinned_root);
159
+
report_load(origin, file, "pinned");
160
+
} else {
161
+
spin_unlock(&pinned_root_spinlock);
162
+
}
163
+
164
+
if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) {
165
+
if (unlikely(!enabled)) {
166
+
report_load(origin, file, "pinning-ignored");
167
+
return 0;
168
+
}
169
+
170
+
report_load(origin, file, "denied");
171
+
return -EPERM;
172
+
}
173
+
174
+
return 0;
175
+
}
176
+
177
+
static struct security_hook_list loadpin_hooks[] = {
178
+
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
179
+
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
180
+
};
181
+
182
+
void __init loadpin_add_hooks(void)
183
+
{
184
+
pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
185
+
security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks));
186
+
}
187
+
188
+
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
189
+
module_param(enabled, int, 0);
190
+
MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");
+1
-1
security/security.c
+1
-1
security/security.c
···
60
60
*/
61
61
capability_add_hooks();
62
62
yama_add_hooks();
63
+
loadpin_add_hooks();
63
64
64
65
/*
65
66
* Load all the remaining security modules.
···
1849
1848
.tun_dev_attach =
1850
1849
LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
1851
1850
.tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
1852
-
.skb_owned_by = LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
1853
1851
#endif /* CONFIG_SECURITY_NETWORK */
1854
1852
#ifdef CONFIG_SECURITY_NETWORK_XFRM
1855
1853
.xfrm_policy_alloc_security =
+102
-42
security/selinux/hooks.c
+102
-42
security/selinux/hooks.c
···
259
259
260
260
might_sleep_if(may_sleep);
261
261
262
-
if (isec->initialized == LABEL_INVALID) {
262
+
if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263
263
if (!may_sleep)
264
264
return -ECHILD;
265
265
···
294
294
static struct inode_security_struct *inode_security(struct inode *inode)
295
295
{
296
296
__inode_security_revalidate(inode, NULL, true);
297
+
return inode->i_security;
298
+
}
299
+
300
+
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301
+
{
302
+
struct inode *inode = d_backing_inode(dentry);
303
+
297
304
return inode->i_security;
298
305
}
299
306
···
694
687
struct superblock_security_struct *sbsec = sb->s_security;
695
688
const char *name = sb->s_type->name;
696
689
struct dentry *root = sbsec->sb->s_root;
697
-
struct inode_security_struct *root_isec = backing_inode_security(root);
690
+
struct inode_security_struct *root_isec;
698
691
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699
692
u32 defcontext_sid = 0;
700
693
char **mount_options = opts->mnt_opts;
···
736
729
if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737
730
&& (num_opts == 0))
738
731
goto out;
732
+
733
+
root_isec = backing_inode_security_novalidate(root);
739
734
740
735
/*
741
736
* parse the mount options, check if they are valid sids.
···
1632
1623
1633
1624
/* Check whether a task is allowed to use a capability. */
1634
1625
static int cred_has_capability(const struct cred *cred,
1635
-
int cap, int audit)
1626
+
int cap, int audit, bool initns)
1636
1627
{
1637
1628
struct common_audit_data ad;
1638
1629
struct av_decision avd;
···
1646
1637
1647
1638
switch (CAP_TO_INDEX(cap)) {
1648
1639
case 0:
1649
-
sclass = SECCLASS_CAPABILITY;
1640
+
sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1650
1641
break;
1651
1642
case 1:
1652
-
sclass = SECCLASS_CAPABILITY2;
1643
+
sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1653
1644
break;
1654
1645
default:
1655
1646
printk(KERN_ERR
···
1791
1782
u32 *_new_isid)
1792
1783
{
1793
1784
const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1794
-
const struct inode_security_struct *dsec = inode_security(dir);
1795
1785
const struct task_security_struct *tsec = current_security();
1796
1786
1797
1787
if ((sbsec->flags & SE_SBINITIALIZED) &&
···
1800
1792
tsec->create_sid) {
1801
1793
*_new_isid = tsec->create_sid;
1802
1794
} else {
1795
+
const struct inode_security_struct *dsec = inode_security(dir);
1803
1796
return security_transition_sid(tsec->sid, dsec->sid, tclass,
1804
1797
name, _new_isid);
1805
1798
}
···
2085
2076
u32 sid = task_sid(to);
2086
2077
struct file_security_struct *fsec = file->f_security;
2087
2078
struct dentry *dentry = file->f_path.dentry;
2088
-
struct inode_security_struct *isec = backing_inode_security(dentry);
2079
+
struct inode_security_struct *isec;
2089
2080
struct common_audit_data ad;
2090
2081
int rc;
2091
2082
···
2104
2095
if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2105
2096
return 0;
2106
2097
2098
+
isec = backing_inode_security(dentry);
2107
2099
return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2108
2100
&ad);
2109
2101
}
···
2153
2143
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2154
2144
int cap, int audit)
2155
2145
{
2156
-
return cred_has_capability(cred, cap, audit);
2146
+
return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2157
2147
}
2158
2148
2159
2149
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
···
2231
2221
int rc, cap_sys_admin = 0;
2232
2222
2233
2223
rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2234
-
SECURITY_CAP_NOAUDIT);
2224
+
SECURITY_CAP_NOAUDIT, true);
2235
2225
if (rc == 0)
2236
2226
cap_sys_admin = 1;
2237
2227
···
2239
2229
}
2240
2230
2241
2231
/* binprm security operations */
2232
+
2233
+
static u32 ptrace_parent_sid(struct task_struct *task)
2234
+
{
2235
+
u32 sid = 0;
2236
+
struct task_struct *tracer;
2237
+
2238
+
rcu_read_lock();
2239
+
tracer = ptrace_parent(task);
2240
+
if (tracer)
2241
+
sid = task_sid(tracer);
2242
+
rcu_read_unlock();
2243
+
2244
+
return sid;
2245
+
}
2242
2246
2243
2247
static int check_nnp_nosuid(const struct linux_binprm *bprm,
2244
2248
const struct task_security_struct *old_tsec,
···
2375
2351
* changes its SID has the appropriate permit */
2376
2352
if (bprm->unsafe &
2377
2353
(LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2378
-
struct task_struct *tracer;
2379
-
struct task_security_struct *sec;
2380
-
u32 ptsid = 0;
2381
-
2382
-
rcu_read_lock();
2383
-
tracer = ptrace_parent(current);
2384
-
if (likely(tracer != NULL)) {
2385
-
sec = __task_cred(tracer)->security;
2386
-
ptsid = sec->sid;
2387
-
}
2388
-
rcu_read_unlock();
2389
-
2354
+
u32 ptsid = ptrace_parent_sid(current);
2390
2355
if (ptsid != 0) {
2391
2356
rc = avc_has_perm(ptsid, new_tsec->sid,
2392
2357
SECCLASS_PROCESS,
···
3059
3046
const void *value, size_t size, int flags)
3060
3047
{
3061
3048
struct inode *inode = d_backing_inode(dentry);
3062
-
struct inode_security_struct *isec = backing_inode_security(dentry);
3049
+
struct inode_security_struct *isec;
3063
3050
struct superblock_security_struct *sbsec;
3064
3051
struct common_audit_data ad;
3065
3052
u32 newsid, sid = current_sid();
···
3078
3065
ad.type = LSM_AUDIT_DATA_DENTRY;
3079
3066
ad.u.dentry = dentry;
3080
3067
3068
+
isec = backing_inode_security(dentry);
3081
3069
rc = avc_has_perm(sid, isec->sid, isec->sclass,
3082
3070
FILE__RELABELFROM, &ad);
3083
3071
if (rc)
···
3137
3123
int flags)
3138
3124
{
3139
3125
struct inode *inode = d_backing_inode(dentry);
3140
-
struct inode_security_struct *isec = backing_inode_security(dentry);
3126
+
struct inode_security_struct *isec;
3141
3127
u32 newsid;
3142
3128
int rc;
3143
3129
···
3154
3140
return;
3155
3141
}
3156
3142
3143
+
isec = backing_inode_security(dentry);
3157
3144
isec->sclass = inode_mode_to_security_class(inode->i_mode);
3158
3145
isec->sid = newsid;
3159
3146
isec->initialized = LABEL_INITIALIZED;
···
3196
3181
u32 size;
3197
3182
int error;
3198
3183
char *context = NULL;
3199
-
struct inode_security_struct *isec = inode_security(inode);
3184
+
struct inode_security_struct *isec;
3200
3185
3201
3186
if (strcmp(name, XATTR_SELINUX_SUFFIX))
3202
3187
return -EOPNOTSUPP;
···
3214
3199
SECURITY_CAP_NOAUDIT);
3215
3200
if (!error)
3216
3201
error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3217
-
SECURITY_CAP_NOAUDIT);
3202
+
SECURITY_CAP_NOAUDIT, true);
3203
+
isec = inode_security(inode);
3218
3204
if (!error)
3219
3205
error = security_sid_to_context_force(isec->sid, &context,
3220
3206
&size);
···
3236
3220
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3237
3221
const void *value, size_t size, int flags)
3238
3222
{
3239
-
struct inode_security_struct *isec = inode_security(inode);
3223
+
struct inode_security_struct *isec = inode_security_novalidate(inode);
3240
3224
u32 newsid;
3241
3225
int rc;
3242
3226
···
3325
3309
struct common_audit_data ad;
3326
3310
struct file_security_struct *fsec = file->f_security;
3327
3311
struct inode *inode = file_inode(file);
3328
-
struct inode_security_struct *isec = inode_security(inode);
3312
+
struct inode_security_struct *isec;
3329
3313
struct lsm_ioctlop_audit ioctl;
3330
3314
u32 ssid = cred_sid(cred);
3331
3315
int rc;
···
3349
3333
if (unlikely(IS_PRIVATE(inode)))
3350
3334
return 0;
3351
3335
3336
+
isec = inode_security(inode);
3352
3337
rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3353
3338
requested, driver, xperm, &ad);
3354
3339
out:
···
3391
3374
case KDSKBENT:
3392
3375
case KDSKBSENT:
3393
3376
error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3394
-
SECURITY_CAP_AUDIT);
3377
+
SECURITY_CAP_AUDIT, true);
3395
3378
break;
3396
3379
3397
3380
/* default case assumes that the command will go
···
3480
3463
vma->vm_end <= vma->vm_mm->brk) {
3481
3464
rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3482
3465
} else if (!vma->vm_file &&
3483
-
vma->vm_start <= vma->vm_mm->start_stack &&
3484
-
vma->vm_end >= vma->vm_mm->start_stack) {
3466
+
((vma->vm_start <= vma->vm_mm->start_stack &&
3467
+
vma->vm_end >= vma->vm_mm->start_stack) ||
3468
+
vma_is_stack_for_task(vma, current))) {
3485
3469
rc = current_has_perm(current, PROCESS__EXECSTACK);
3486
3470
} else if (vma->vm_file && vma->anon_vma) {
3487
3471
/*
···
3736
3718
3737
3719
return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3738
3720
SYSTEM__MODULE_REQUEST, &ad);
3721
+
}
3722
+
3723
+
static int selinux_kernel_module_from_file(struct file *file)
3724
+
{
3725
+
struct common_audit_data ad;
3726
+
struct inode_security_struct *isec;
3727
+
struct file_security_struct *fsec;
3728
+
u32 sid = current_sid();
3729
+
int rc;
3730
+
3731
+
/* init_module */
3732
+
if (file == NULL)
3733
+
return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3734
+
SYSTEM__MODULE_LOAD, NULL);
3735
+
3736
+
/* finit_module */
3737
+
3738
+
ad.type = LSM_AUDIT_DATA_PATH;
3739
+
ad.u.path = file->f_path;
3740
+
3741
+
fsec = file->f_security;
3742
+
if (sid != fsec->sid) {
3743
+
rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3744
+
if (rc)
3745
+
return rc;
3746
+
}
3747
+
3748
+
isec = inode_security(file_inode(file));
3749
+
return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3750
+
SYSTEM__MODULE_LOAD, &ad);
3751
+
}
3752
+
3753
+
static int selinux_kernel_read_file(struct file *file,
3754
+
enum kernel_read_file_id id)
3755
+
{
3756
+
int rc = 0;
3757
+
3758
+
switch (id) {
3759
+
case READING_MODULE:
3760
+
rc = selinux_kernel_module_from_file(file);
3761
+
break;
3762
+
default:
3763
+
break;
3764
+
}
3765
+
3766
+
return rc;
3739
3767
}
3740
3768
3741
3769
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
···
4663
4599
{
4664
4600
u32 peer_secid = SECSID_NULL;
4665
4601
u16 family;
4602
+
struct inode_security_struct *isec;
4666
4603
4667
4604
if (skb && skb->protocol == htons(ETH_P_IP))
4668
4605
family = PF_INET;
···
4674
4609
else
4675
4610
goto out;
4676
4611
4677
-
if (sock && family == PF_UNIX)
4678
-
selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4679
-
else if (skb)
4612
+
if (sock && family == PF_UNIX) {
4613
+
isec = inode_security_novalidate(SOCK_INODE(sock));
4614
+
peer_secid = isec->sid;
4615
+
} else if (skb)
4680
4616
selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4681
4617
4682
4618
out:
···
5742
5676
char *name, void *value, size_t size)
5743
5677
{
5744
5678
struct task_security_struct *tsec;
5745
-
struct task_struct *tracer;
5746
5679
struct cred *new;
5747
5680
u32 sid = 0, ptsid;
5748
5681
int error;
···
5848
5783
5849
5784
/* Check for ptracing, and update the task SID if ok.
5850
5785
Otherwise, leave SID unchanged and fail. */
5851
-
ptsid = 0;
5852
-
rcu_read_lock();
5853
-
tracer = ptrace_parent(p);
5854
-
if (tracer)
5855
-
ptsid = task_sid(tracer);
5856
-
rcu_read_unlock();
5857
-
5858
-
if (tracer) {
5786
+
ptsid = ptrace_parent_sid(p);
5787
+
if (ptsid != 0) {
5859
5788
error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5860
5789
PROCESS__PTRACE, NULL);
5861
5790
if (error)
···
6080
6021
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6081
6022
LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6082
6023
LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6024
+
LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6083
6025
LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6084
6026
LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6085
6027
LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
+19
-11
security/selinux/include/classmap.h
+19
-11
security/selinux/include/classmap.h
···
12
12
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
13
13
"write", "associate", "unix_read", "unix_write"
14
14
15
+
#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
16
+
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
17
+
"linux_immutable", "net_bind_service", "net_broadcast", \
18
+
"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
19
+
"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
20
+
"sys_boot", "sys_nice", "sys_resource", "sys_time", \
21
+
"sys_tty_config", "mknod", "lease", "audit_write", \
22
+
"audit_control", "setfcap"
23
+
24
+
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
25
+
"wake_alarm", "block_suspend", "audit_read"
26
+
15
27
/*
16
28
* Note: The name for any socket class should be suffixed by "socket",
17
29
* and doesn't contain more than one substr of "socket".
···
44
32
"setsockcreate", NULL } },
45
33
{ "system",
46
34
{ "ipc_info", "syslog_read", "syslog_mod",
47
-
"syslog_console", "module_request", NULL } },
35
+
"syslog_console", "module_request", "module_load", NULL } },
48
36
{ "capability",
49
-
{ "chown", "dac_override", "dac_read_search",
50
-
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
51
-
"linux_immutable", "net_bind_service", "net_broadcast",
52
-
"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
53
-
"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
54
-
"sys_boot", "sys_nice", "sys_resource", "sys_time",
55
-
"sys_tty_config", "mknod", "lease", "audit_write",
56
-
"audit_control", "setfcap", NULL } },
37
+
{ COMMON_CAP_PERMS, NULL } },
57
38
{ "filesystem",
58
39
{ "mount", "remount", "unmount", "getattr",
59
40
"relabelfrom", "relabelto", "associate", "quotamod",
···
155
150
{ "memprotect", { "mmap_zero", NULL } },
156
151
{ "peer", { "recv", NULL } },
157
152
{ "capability2",
158
-
{ "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
159
-
"audit_read", NULL } },
153
+
{ COMMON_CAP2_PERMS, NULL } },
160
154
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
161
155
{ "tun_socket",
162
156
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
163
157
{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
164
158
NULL } },
159
+
{ "cap_userns",
160
+
{ COMMON_CAP_PERMS, NULL } },
161
+
{ "cap2_userns",
162
+
{ COMMON_CAP2_PERMS, NULL } },
165
163
{ NULL }
166
164
};
+1
-1
security/selinux/include/conditional.h
+1
-1
security/selinux/include/conditional.h
+2
-3
security/selinux/include/objsec.h
+2
-3
security/selinux/include/objsec.h
···
38
38
};
39
39
40
40
enum label_initialized {
41
-
LABEL_MISSING, /* not initialized */
42
-
LABEL_INITIALIZED, /* inizialized */
43
-
LABEL_INVALID /* invalid */
41
+
LABEL_INVALID, /* invalid or not initialized */
42
+
LABEL_INITIALIZED /* initialized */
44
43
};
45
44
46
45
struct inode_security_struct {
+3
-3
security/selinux/ss/services.c
+3
-3
security/selinux/ss/services.c
···
2696
2696
return rc;
2697
2697
}
2698
2698
2699
-
int security_get_bool_value(int bool)
2699
+
int security_get_bool_value(int index)
2700
2700
{
2701
2701
int rc;
2702
2702
int len;
···
2705
2705
2706
2706
rc = -EFAULT;
2707
2707
len = policydb.p_bools.nprim;
2708
-
if (bool >= len)
2708
+
if (index >= len)
2709
2709
goto out;
2710
2710
2711
-
rc = policydb.bool_val_to_struct[bool]->state;
2711
+
rc = policydb.bool_val_to_struct[index]->state;
2712
2712
out:
2713
2713
read_unlock(&policy_rwlock);
2714
2714
return rc;
+21
-10
security/yama/yama_lsm.c
+21
-10
security/yama/yama_lsm.c
···
18
18
#include <linux/prctl.h>
19
19
#include <linux/ratelimit.h>
20
20
#include <linux/workqueue.h>
21
+
#include <linux/string_helpers.h>
21
22
22
23
#define YAMA_SCOPE_DISABLED 0
23
24
#define YAMA_SCOPE_RELATIONAL 1
···
41
40
42
41
static void yama_relation_cleanup(struct work_struct *work);
43
42
static DECLARE_WORK(yama_relation_work, yama_relation_cleanup);
43
+
44
+
static void report_access(const char *access, struct task_struct *target,
45
+
struct task_struct *agent)
46
+
{
47
+
char *target_cmd, *agent_cmd;
48
+
49
+
target_cmd = kstrdup_quotable_cmdline(target, GFP_ATOMIC);
50
+
agent_cmd = kstrdup_quotable_cmdline(agent, GFP_ATOMIC);
51
+
52
+
pr_notice_ratelimited(
53
+
"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
54
+
access, target_cmd, target->pid, agent_cmd, agent->pid);
55
+
56
+
kfree(agent_cmd);
57
+
kfree(target_cmd);
58
+
}
44
59
45
60
/**
46
61
* yama_relation_cleanup - remove invalid entries from the relation list
···
324
307
}
325
308
}
326
309
327
-
if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) {
328
-
printk_ratelimited(KERN_NOTICE
329
-
"ptrace of pid %d was attempted by: %s (pid %d)\n",
330
-
child->pid, current->comm, current->pid);
331
-
}
310
+
if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0)
311
+
report_access("attach", child, current);
332
312
333
313
return rc;
334
314
}
···
351
337
break;
352
338
}
353
339
354
-
if (rc) {
355
-
printk_ratelimited(KERN_NOTICE
356
-
"ptraceme of pid %d was attempted by: %s (pid %d)\n",
357
-
current->pid, parent->comm, parent->pid);
358
-
}
340
+
if (rc)
341
+
report_access("traceme", current, parent);
359
342
360
343
return rc;
361
344
}