All of lore.kernel.org
 help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: "Mickaël Salaün" <mic@linux.microsoft.com>,
	"Mickaël Salaün" <mic@linux.microsoft.com>,
	"Petko Manolov" <petkan@mip-labs.com>,
	"Mimi Zohar" <zohar@linux.vnet.ibm.com>,
	"David Woodhouse" <dwmw2@infradead.org>,
	dhowells@redhat.com, keyrings@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 17/18] certs: Fix blacklist flag type confusion
Date: Wed, 09 Dec 2020 12:16:35 +0000	[thread overview]
Message-ID: <160751619550.1238376.2380930476046994051.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <160751606428.1238376.14935502103503420781.stgit@warthog.procyon.org.uk>

KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(),
as these only take KEY_ALLOC_* flags.  KEY_FLAG_KEEP has the same value as
KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update()
uses it.  LSMs using the key_alloc hook don't check that flag.

KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot
write to the blacklist keyring, so it is not possible to remove a key/hash
from it.

Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set
KEY_FLAG_KEEP on the new key.  blacklist_init() can then, correctly, pass
this to keyring_alloc().

We can also use this in ima_mok_init() rather than setting the flag
manually.

Note that this doesn't fix an observable bug with the current
implementation but it is required to allow addition of new hashes to the
blacklist in the future without making it possible for them to be removed.

Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring")
Reported-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Mickaël Salaün <mic@linux.microsoft.com>
cc: Petko Manolov <petkan@mip-labs.com>
cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Woodhouse <dwmw2@infradead.org>
---

 certs/blacklist.c                |    2 +-
 include/linux/key.h              |    1 +
 security/integrity/ima/ima_mok.c |    3 +--
 security/keys/key.c              |    2 ++
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index a888b934a1cd..029471947838 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -162,7 +162,7 @@ static int __init blacklist_init(void)
 			      KEY_USR_VIEW | KEY_USR_READ |
 			      KEY_USR_SEARCH,
 			      KEY_ALLOC_NOT_IN_QUOTA |
-			      KEY_FLAG_KEEP,
+			      KEY_ALLOC_SET_KEEP,
 			      NULL, NULL);
 	if (IS_ERR(blacklist_keyring))
 		panic("Can't allocate system blacklist keyring\n");
diff --git a/include/linux/key.h b/include/linux/key.h
index 1b0837c975b9..7febc4881363 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -289,6 +289,7 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_BUILT_IN		0x0004	/* Key is built into kernel */
 #define KEY_ALLOC_BYPASS_RESTRICTION	0x0008	/* Override the check on restricted keyrings */
 #define KEY_ALLOC_UID_KEYRING		0x0010	/* allocating a user or user session keyring */
+#define KEY_ALLOC_SET_KEEP		0x0020	/* Set the KEEP flag on the key/keyring */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
index 36cadadbfba4..ce8871d96f12 100644
--- a/security/integrity/ima/ima_mok.c
+++ b/security/integrity/ima/ima_mok.c
@@ -39,12 +39,11 @@ __init int ima_mok_init(void)
 				KEY_USR_VIEW | KEY_USR_READ |
 				KEY_USR_WRITE | KEY_USR_SEARCH,
 				KEY_ALLOC_NOT_IN_QUOTA,
+				KEY_ALLOC_SET_KEEP,
 				restriction, NULL);
 
 	if (IS_ERR(ima_blacklist_keyring))
 		panic("Can't allocate IMA blacklist keyring.");
-
-	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
 	return 0;
 }
 device_initcall(ima_mok_init);
diff --git a/security/keys/key.c b/security/keys/key.c
index e282c6179b21..151ff39b6803 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -303,6 +303,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 		key->flags |= 1 << KEY_FLAG_BUILTIN;
 	if (flags & KEY_ALLOC_UID_KEYRING)
 		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
+	if (flags & KEY_ALLOC_SET_KEEP)
+		key->flags |= 1 << KEY_FLAG_KEEP;
 
 #ifdef KEY_DEBUGGING
 	key->magic = KEY_DEBUG_MAGIC;



  parent reply	other threads:[~2020-12-09 12:18 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-09 12:14 [PATCH 00/18] keys: Miscellaneous fixes David Howells
2020-12-09 12:14 ` [PATCH 01/18] security: keys: Fix fall-through warnings for Clang David Howells
2020-12-09 12:14 ` [PATCH 02/18] keys: Remove outdated __user annotations David Howells
2020-12-09 12:14 ` [PATCH 03/18] watch_queue: Drop references to /dev/watch_queue David Howells
2020-12-09 12:14 ` [PATCH 04/18] security/keys: use kvfree_sensitive() David Howells
2020-12-09 12:15 ` [PATCH 05/18] KEYS: asymmetric: Fix kerneldoc David Howells
2020-12-09 12:15 ` [PATCH 06/18] security: keys: delete repeated words in comments David Howells
2020-12-09 12:15 ` [PATCH 07/18] KEYS: remove redundant memset David Howells
2020-12-09 19:07   ` Ben Boeckel
2020-12-10  9:21   ` David Howells
2020-12-09 12:15 ` [PATCH 08/18] crypto: asymmetric_keys: fix some comments in pkcs7_parser.h David Howells
2020-12-09 12:15 ` [PATCH 09/18] encrypted-keys: Replace HTTP links with HTTPS ones David Howells
2020-12-09 12:15 ` [PATCH 10/18] PKCS#7: drop function from kernel-doc pkcs7_validate_trust_one David Howells
2020-12-09 12:15 ` [PATCH 11/18] crypto: pkcs7: Use match_string() helper to simplify the code David Howells
2020-12-09 12:15 ` [PATCH 12/18] keys: remove trailing semicolon in macro definition David Howells
2020-12-09 12:16 ` [PATCH 13/18] crypto: public_key: Remove redundant header file from public_key.h David Howells
2020-12-09 12:16 ` [PATCH 14/18] certs/blacklist: fix kernel doc interface issue David Howells
2020-12-09 12:16 ` [PATCH 15/18] certs: Fix blacklisted hexadecimal hash string check David Howells
2020-12-09 12:16 ` [PATCH 16/18] PKCS#7: Fix missing include David Howells
2020-12-09 12:16 ` David Howells [this message]
2020-12-09 12:16 ` [PATCH 18/18] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID David Howells
2020-12-09 19:12 ` [PATCH 00/18] keys: Miscellaneous fixes Ben Boeckel
2020-12-10  9:30 ` David Howells
2020-12-11  8:17 ` Jarkko Sakkinen
2020-12-11 10:51 ` Jarkko Sakkinen
2020-12-11 10:56   ` Jarkko Sakkinen
2021-02-18 16:24 ` [PATCH 17/18] certs: Fix blacklist flag type confusion David Howells
2021-02-18 19:30   ` Mickaël Salaün
2021-02-18 22:55   ` David Howells
2021-02-19  9:43     ` Mickaël Salaün
2021-02-19  9:31   ` Jarkko Sakkinen
2021-02-19  9:45   ` David Howells
2021-02-19  9:50     ` Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=160751619550.1238376.2380930476046994051.stgit@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mic@linux.microsoft.com \
    --cc=petkan@mip-labs.com \
    --cc=zohar@linux.vnet.ibm.com \
    --subject='Re: [PATCH 17/18] certs: Fix blacklist flag type confusion' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.