[PATCH] IMA: Use the system trusted keyrings instead of .ima_mok (update)

From: Mimi Zohar
Date: Wed Apr 06 2016 - 00:11:23 EST


Hi David,

Please feel free to squash this patch with yours of the same name (12/12).

Just replace the .ima_mok keyring with the .secondary_trusted_keys keyring.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
---
include/keys/system_keyring.h | 4 +--
security/integrity/digsig.c | 9 ++----
security/integrity/ima/Kconfig | 61 +++++++++++-----------------------------
security/integrity/ima/Makefile | 2 +-
security/integrity/ima/ima_mok.c | 4 +--
5 files changed, 24 insertions(+), 56 deletions(-)

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 87eeea4..fbd4647 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -33,7 +33,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif

-#ifdef CONFIG_IMA_MOK_KEYRING
+#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;

static inline struct key *get_ima_blacklist_keyring(void)
@@ -45,7 +45,7 @@ static inline struct key *get_ima_blacklist_keyring(void)
{
return NULL;
}
-#endif /* CONFIG_IMA_MOK_KEYRING */
+#endif /* CONFIG_IMA_BLACKLIST_KEYRING */


#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index ef2f911..4304372 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -42,12 +42,10 @@ static bool init_keyring __initdata = true;
static bool init_keyring __initdata;
#endif

-#if defined(CONFIG_IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN)
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
-#elif defined(CONFIG_IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN_OR_SECONDARY)
+#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
#else
-#define restrict_link_to_ima restrict_link_reject
+#define restrict_link_to_ima restrict_link_by_builtin_trusted
#endif

int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
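Review bot: With the new option unset, the `#else` branch now resolves restrict_link_to_ima to `restrict_link_by_builtin_trusted`, so userspace can add keys to the IMA keyrings at runtime whenever they are signed by a built-in CA, whereas the removed `restrict_link_reject` default allowed no runtime additions at all. That loosening of the default is not mentioned in the commit message, and the Kconfig hunk drops the IMA_KEYRINGS_COMPILE_LOAD_ONLY choice that used to select it. If this is intended, the help text of IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY should state the unset case, e.g. `If unset, keys may still be added at runtime when validly signed by a CA cert in the built-in trusted keyring.`; otherwise a reject-all configuration should be kept. integrity_init_keyring, which consumes this macro, lies outside this hunk.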
@@ -94,8 +92,7 @@ int __init integrity_init_keyring(const unsigned int id)
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_to_ima,
- NULL);
+ restrict_link_to_ima, NULL);
if (IS_ERR(keyring[id])) {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 90a65fb..aab9b0a 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -155,61 +155,32 @@ config IMA_TRUSTED_KEYRING

This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

-config IMA_MOK_KEYRING
- bool "Create IMA machine owner blacklist keyrings"
- depends on SYSTEM_TRUSTED_KEYRING
- depends on IMA_TRUSTED_KEYRING
- default n
- help
- This option creates IMA blacklist keyring. This contains all
- revoked IMA keys. It is consulted before any other keyring. If the
- search is successful the requested operation is rejected and error
- is returned to the caller.
-
-choice
- prompt "Allow keys to be added to the ima keyrings by userspace?"
- depends on IMA_APPRAISE
- depends on INTEGRITY_ASYMMETRIC_KEYS
- default IMA_NO_ADD_TO_IMA_KEYRINGS
- help
- This option selects whether keys may be added to the ima keyrings
- using add_key() or KEYCTL_LINK, and, if so, under what restrictions
- the key being added will be placed.
-
-config IMA_KEYRINGS_COMPILE_LOAD_ONLY
- bool "No runtime key addition"
- help
- No keys may be added to the IMA keyrings by userspace in the running
- kernel. Keys may still be added by including X.509 certificates in
- the kernel image at compile time.
-
- Attempts to add to the ima keyrings will be rejected with EPERM.
-
-config IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN
- bool "Keys may be added at runtime if validly signed by a built-in CA cert"
- depends on SYSTEM_TRUSTED_KEYRING
- select INTEGRITY_TRUSTED_KEYRING
- help
- keys may be added to the IMA keyrings by userspace in the running
- kernel if the keys to be added are validly signed by a CA cert in the
- system built-in trusted keyring.
-
-config IMA_KEYRINGS_ADD_IF_SIGNED_BY_BUILTIN_OR_SECONDARY
- bool "Keys may be added at runtime if validly signed by a built-in or secondary CA cert"
+config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+ bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
depends on SYSTEM_TRUSTED_KEYRING
depends on SECONDARY_TRUSTED_KEYRING
select INTEGRITY_TRUSTED_KEYRING
+ default n
help
- keys may be added to the IMA keyrings by userspace in the running
- kernel if the keys to be added are validly signed by a CA cert in the
- system built-in or secondary trusted keyrings.
+ Keys may be added to the IMA or IMA blacklist keyrings, if the
+ key is validly signed by a CA cert in the system built-in or
+ secondary trusted keyrings.

Intermediate keys between those the kernel has compiled in and the
IMA keys to be added may be added to the system secondary keyring,
provided they are validly signed by a key already resident in the
built-in or secondary trusted keyrings.

-endchoice
+config IMA_BLACKLIST_KEYRING
+ bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
+ depends on SYSTEM_TRUSTED_KEYRING
+ depends on IMA_TRUSTED_KEYRING
+ default n
+ help
+ This option creates an IMA blacklist keyring, which contains all
+ revoked IMA keys. It is consulted before any other keyring. If
+ the search is successful the requested operation is rejected and
+ an error is returned to the caller.

config IMA_LOAD_X509
bool "Load X509 certificate onto the '.ima' trusted keyring"
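Review bot: The help text for IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY says keys may be added to the IMA blacklist keyring when signed by a built-in or secondary CA cert, but ima_mok.c (the hunk ending at `return 0;`) still allocates `.ima_blacklist` with `restrict_link_by_builtin_trusted` unconditionally, so a key signed only by a secondary CA would be rejected there. Either narrow the help to `Keys may be added to the IMA keyrings, if the key is validly signed by a CA cert in the system built-in or secondary trusted keyrings.` or have ima_mok_init use the same restriction the IMA keyrings get (restrict_link_to_ima is file-local to digsig.c in this diff, so that would need to be exposed). Minor: `default n` is already the default for a bool and can be dropped, and the IMA_BLACKLIST_KEYRING prompt still says `keyrings` while its help and ima_mok.c now describe a single keyring — `bool "Create IMA machine owner blacklist keyring (EXPERIMENTAL)"`.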
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index a8539f9..9aeaeda 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -8,4 +8,4 @@ obj-$(CONFIG_IMA) += ima.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
ima_policy.o ima_template.o ima_template_lib.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
-obj-$(CONFIG_IMA_MOK_KEYRING) += ima_mok.o
+obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
index 1480f68..74a27995 100644
--- a/security/integrity/ima/ima_mok.c
+++ b/security/integrity/ima/ima_mok.c
@@ -27,7 +27,7 @@ struct key *ima_blacklist_keyring;
*/
__init int ima_mok_init(void)
{
- pr_notice("Allocating IMA blacklist keyrings.\n");
+ pr_notice("Allocating IMA blacklist keyring.\n");

ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
@@ -38,7 +38,7 @@ __init int ima_mok_init(void)
restrict_link_by_builtin_trusted, NULL);

if (IS_ERR(ima_blacklist_keyring))
- panic("Can't allocate IMA MOK or blacklist keyrings.");
+ panic("Can't allocate IMA blacklist keyring.");

set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
return 0;
--
2.1.0