From: mathew.j.martineau@linux.intel.com (Mat Martineau)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v12 06/10] KEYS: Consistent ordering for __key_link_begin and restrict check
Date: Thu, 16 Mar 2017 17:47:02 -0700 (PDT) [thread overview]
Message-ID: <alpine.OSX.2.20.1703161654010.36452@suhwanki-mobl.amr.corp.intel.com> (raw)
In-Reply-To: <23615.1489659445@warthog.procyon.org.uk>
On Thu, 16 Mar 2017, David Howells wrote:
> Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:
>
>> The keyring restrict callback was sometimes called before
>> __key_link_begin and sometimes after, which meant that the keyring
>> semaphores were not always held during the restrict callback.
>>
>> If the semaphores are consistently acquired before checking link
>> restrictions, keyring contents cannot be changed after the restrict
>> check is complete but before the evaluated key is linked to the keyring.
>
> I'm still not entirely sure that this gains us anything. At the point we did
> the restriction check, the key was validated. Yes, the keyring can be
> modified between then and the actual link, thereby rendering the chain broken
> - but this is true after the link also. The whole point is that it was valid
> at the time of asking.
>
> Mainly I have an aversion to doing things under a lock when I can do it
> outside of the lock.
Restriction methods can consider the contents of the keyring being linked
to, and they can't really be thought of as enforcing invariants on the
contents of the keyring without this patch.
This locking change had more concrete consequences before
KEYCTL_RESTRICT_KEYRING, when you could add the first cert to an empty
keyring without a signature check and all later additions would verify
signatures based on certificates already in the keyring. It would have
been possible to add multiple certs (that hadn't signed each other) to an
empty keyring if the keys were both checked before they were linked.
In the current iteration of the patch set, it comes down to enforcing
invariants (as I mentioned above) and consistency in lock/check ordering
across different code paths. Restriction functions (present or future)
can't offer a consistency or security guarantee about the state of the
keyring if the contents of the keyring can change between the check and
the link. I share your locking aversion, but think this is a case where
a lock is needed.
> Btw, do you check for cycles anywhere? For example, if I create two keyrings,
> A and B, and can I then set restrictions such that A is restricted by B and B
> is restricted by A?
I don't check for cycles yet, but the references held by the restrictions
could be a problem. I'm not sure how to address it yet, I could clear the
restriction info when a keyring is revoked/dead/etc or I could check when
restrictions are created.
--
Mat Martineau
Intel OTC
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-03-17 0:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-09 20:23 [PATCH v12 00/10] Make keyring link restrictions accessible from userspace Mat Martineau
2017-03-09 20:23 ` [PATCH v12 01/10] KEYS: Use a typedef for restrict_link function pointers Mat Martineau
2017-03-09 20:23 ` [PATCH v12 02/10] KEYS: Split role of the keyring pointer for keyring restrict functions Mat Martineau
2017-03-09 20:23 ` [PATCH v12 03/10] KEYS: Add a key restriction struct Mat Martineau
2017-03-09 20:23 ` [PATCH v12 04/10] KEYS: Use structure to capture key restriction function and data Mat Martineau
2017-03-09 20:23 ` [PATCH v12 05/10] KEYS: Add an optional lookup_restriction hook to key_type Mat Martineau
2017-03-09 20:23 ` [PATCH v12 06/10] KEYS: Consistent ordering for __key_link_begin and restrict check Mat Martineau
2017-03-09 20:23 ` [PATCH v12 07/10] KEYS: Add KEYCTL_RESTRICT_KEYRING Mat Martineau
2017-03-09 20:23 ` [PATCH v12 08/10] KEYS: Add a lookup_restriction function for the asymmetric key type Mat Martineau
2017-03-09 20:23 ` [PATCH v12 09/10] KEYS: Restrict asymmetric key linkage using a specific keychain Mat Martineau
2017-03-09 20:23 ` [PATCH v12 10/10] KEYS: Keyring asymmetric key restrict method with chaining Mat Martineau
2017-03-16 10:00 ` [PATCH v12 02/10] KEYS: Split role of the keyring pointer for keyring restrict functions David Howells
2017-03-16 10:09 ` [PATCH v12 05/10] KEYS: Add an optional lookup_restriction hook to key_type David Howells
2017-03-16 23:02 ` Mat Martineau
2017-03-16 10:17 ` [PATCH v12 06/10] KEYS: Consistent ordering for __key_link_begin and restrict check David Howells
2017-03-17 0:47 ` Mat Martineau [this message]
2017-03-17 7:43 ` David Howells
2017-03-17 22:35 ` Mat Martineau
2017-03-18 8:10 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.OSX.2.20.1703161654010.36452@suhwanki-mobl.amr.corp.intel.com \
--to=mathew.j.martineau@linux.intel.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.