• David Howells's avatar
    certs: Fix blacklist flag type confusion · 4993e1f9
    David Howells authored
    KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(),
    as these only take KEY_ALLOC_* flags.  KEY_FLAG_KEEP has the same value as
    KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update()
    uses it.  LSMs using the key_alloc hook don't check that flag.
    
    KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot
    write to the blacklist keyring, so it is not possible to remove a key/hash
    from it.
    
    Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set
    KEY_FLAG_KEEP on the new key.  blacklist_init() can then, correctly, pass
    this to keyring_alloc().
    
    We can also use this in ima_mok_init() rather than setting the flag
    manually.
    
    Note that this doesn't fix an observable bug with the current
    implementation but it is required to allow addition of new hashes to the
    blacklist in the future without making it possible for them to be removed.
    
    Fixes: 734114f8 ("KEYS: Add a system blacklist keyring")
    Reported-by: default avatarMickaël Salaün <mic@linux.microsoft.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    cc: Mickaël Salaün <mic@linux.microsoft.com>
    cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Cc: David Woodhouse <dwmw2@infradead.org>
    4993e1f9
key.h 15.8 KB