[PATCH 05/20] integrity: provide builtin 'trusted' keyrings

From: Dmitry Kasatkin
Date: Wed Apr 23 2014 - 09:42:55 EST


Provide creation of trusted keyrings, which require all keys
added to the keyrings be signed by an existing trusted key
on the system trusted keyring.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
---
security/integrity/Kconfig | 4 ++++
security/integrity/digsig.c | 31 +++++++++++++++++++++++++++++++
security/integrity/integrity.h | 10 ++++++++++
3 files changed, 45 insertions(+)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index b16c9cd..89f226a 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -47,6 +47,10 @@ config INTEGRITY_AUDIT
be enabled by specifying 'integrity_audit=1' on the kernel
command line.

+config INTEGRITY_TRUSTED_KEYRING
+ def_bool n
+ depends on IMA_TRUSTED_KEYRING || EVM_TRUSTED_KEYRING
+
source security/integrity/ima/Kconfig
source security/integrity/evm/Kconfig

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index b4af4eb..45adc07 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -13,7 +13,9 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/err.h>
+#include <linux/sched.h>
#include <linux/rbtree.h>
+#include <linux/cred.h>
#include <linux/key-type.h>
#include <linux/digsig.h>

@@ -56,3 +58,32 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,

return -EOPNOTSUPP;
}
+
+#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
+int integrity_init_keyring(const unsigned int id)
+{
+ const struct cred *cred = current_cred();
+ const struct user_struct *user = cred->user;
+
+ pr_notice("initialize trusted keyring: %s\n", keyring_name[id]);
+
+ /* this function relies that init_root_keyring() was executed
+ * in 'keys' subsystem, which is initialized before integrity
+ */
+
+ keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
+ KGIDT_INIT(0), cred,
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ),
+ KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
+ if (IS_ERR(keyring[id])) {
+ long rc = PTR_ERR(keyring[id]);
+ pr_err("Can't allocate %s keyring (%ld)\n",
+ keyring_name[id], rc);
+ keyring[id] = NULL;
+ return rc;
+ }
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
+ return 0;
+}
+#endif
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 2fb5e53..dd26ad0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -137,6 +137,7 @@ static inline int integrity_digsig_verify(const unsigned int id,
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen);
+
#else
static inline int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen)
@@ -145,6 +146,15 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
}
#endif

+#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
+int integrity_init_keyring(const unsigned int id);
+#else
+static inline int integrity_init_keyring(const unsigned int id)
+{
+ return 0;
+}
+#endif
+
#ifdef CONFIG_INTEGRITY_AUDIT
/* declarations */
void integrity_audit_msg(int audit_msgno, struct inode *inode,
--
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/