From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.0 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_2 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E74D0C433E0 for ; Fri, 15 May 2020 23:23:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C57FE20756 for ; Fri, 15 May 2020 23:23:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="ua90IXcc"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="ua90IXcc" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726831AbgEOXXM (ORCPT ); Fri, 15 May 2020 19:23:12 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:55706 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726183AbgEOXXM (ORCPT ); Fri, 15 May 2020 19:23:12 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 8BA9C8EE2CA; Fri, 15 May 2020 16:23:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1589584991; bh=ymkONZXFvhdNnpPtY8Q0bGiYA4GZZsgJujtY6WG/iM8=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=ua90IXccRPjdyWtWuPrTnTGBZSrdXEXTzOZQKTMES3saTNghba2ihkHxW7e1tOM/z 0ip+DGhvx3PdZN98a0vF56oMR8TRrhTxA2I4lvxR6mf5RMEYqlPLv5jPs/0bd0qijG zhgtTS/rnBYMSw/ZGX9eLJBWgEXSR/k+z6Jfijxc= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQ3AgkwYdWPD; Fri, 15 May 2020 16:23:11 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.76.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id DACB98EE25D; Fri, 15 May 2020 16:23:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1589584991; bh=ymkONZXFvhdNnpPtY8Q0bGiYA4GZZsgJujtY6WG/iM8=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=ua90IXccRPjdyWtWuPrTnTGBZSrdXEXTzOZQKTMES3saTNghba2ihkHxW7e1tOM/z 0ip+DGhvx3PdZN98a0vF56oMR8TRrhTxA2I4lvxR6mf5RMEYqlPLv5jPs/0bd0qijG zhgtTS/rnBYMSw/ZGX9eLJBWgEXSR/k+z6Jfijxc= Message-ID: <1589584989.30847.20.camel@HansenPartnership.com> Subject: Re: [PATCH v9 0/8] TPM 2.0 trusted keys with attached policy From: James Bottomley To: "Kayaalp, Mehmet" Cc: Jerry Snitselaar , Jarkko Sakkinen , "linux-integrity@vger.kernel.org" , Mimi Zohar , David Woodhouse , "keyrings@vger.kernel.org" , David Howells Date: Fri, 15 May 2020 16:23:09 -0700 In-Reply-To: <1589581169.30847.5.camel@HansenPartnership.com> References: <20200507231147.27025-1-James.Bottomley@HansenPartnership.com> <23639de13874c00e6bb2b816b4db0b586c9a074c.camel@linux.intel.com> <483c4f1af7be41c8d091b11d4484b606ebd319b7.camel@linux.intel.com> <1589514263.5759.25.camel@HansenPartnership.com> <20200515084702.GA3404@linux.intel.com> <20200515191758.ieojyk5xhsx2hzzd@cantor> <1589571278.3653.22.camel@HansenPartnership.com> <1589573417.3653.28.camel@HansenPartnership.com> <56688CD4-A4A5-4D98-8724-6CBA10C7E1CE@unh.edu> <1589581169.30847.5.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Fri, 2020-05-15 at 15:19 -0700, James Bottomley wrote: > On Fri, 2020-05-15 at 21:03 +0000, Kayaalp, Mehmet wrote: > > > On May 15, 2020, at 4:10 PM, James Bottomley > > se > > > npartnership.com> wrote: > > > > > > I think that means the solution is not to run the smoke test > > > under sudo but to do sudo -s and then run it. > > > > > > James > > > > How about "sudo -i": > > > > https://askubuntu.com/questions/376199/sudo-su-vs-sudo-i-vs-sudo- > > bin-bash-when-does-it-matter-which-is-used > > Actually, no that doesn't work either: > > jejb@testdeb> sudo -i keyctl list @s > 1 key in keyring: > 1041514063: ---lswrv 1000 65534 keyring: _uid.1000 > > I suspect this might be a very subtle bug to do with when you get a > new session keyring. It turns out to be incredibly subtle, but I'm not sure if it's a bug or not. the util-linux sudo like commands have special pam profiles /etc/pam.d/su-l /etc/pam.d/runuser-l These special profiles call pam_keyinit.so with flags to install a new session keyring. sudo doesn't have this, so it never, on its own, even when called with -i or -s, installs a new session keyring. This does strike me as a bizarre oversight which leads directly to this weird keyctl pipe behaviour. I'm also not sure the keyctl pipe behaviour is correct: why should keyctl pipe deny access to root to read a key just because it's in a different session keyring? It defintely seems intentional, because if I create a key as a non root user and try to print it by id as root I get EPERM. The weirdest behaviour, though seems to be keyctl: keyctl add ... @u will add to the session keyrings of the actual uid regardless of what session keyring the creator actually has, which is why keyctl add ... @u works under sudo but you get EPERM back trying to pipe it by id. James