- 08 Jan, 2016 11 commits
-
-
David Howells authored
Remove KEY_FLAG_TRUSTED as it's no longer meaningful. Given this, we no longer need to pass the key flags through to restrict_link(). Further, we can now get rid of keyring_restrict_trusted_only() also. Signed-off-by:David Howells <dhowells@redhat.com>
-
David Howells authored
Move the point at which a key is determined to be trustworthy to __key_link() so that we use the contents of the keyring being linked in to to determine whether the key being linked in is trusted or not. What is 'trusted' then becomes a matter of what's in the keyring. Currently, the test is done when the key is parsed, but given that at that point we can only sensibly refer to the contents of the system trusted keyring, we can only use that as the basis for working out the trustworthiness of a new key. With this change, a trusted keyring is a set of keys that once the trusted-only flag is set cannot be added to except by verification through one of the contained keys. Further, adding a key into a trusted keyring, whilst it might grant trustworthiness in the context of that keyring, does not automatically grant trustworthiness in the context of a second keyring to which it could be secondarily linked. To accomplish this, the authentication data associated with the key source must now be retained. For an X.509 cert, this means the contents of the AuthorityKeyIdentifier and the signature data. Signed-off-by: -
David Howells authored
Generalise x509_request_asymmetric_key(). It doesn't really have any dependencies on X.509 features as it uses generalised IDs and the public_key structs that contain data extracted from X.509. Signed-off-by: -
David Howells authored
Move the X.509 trust validation code out to its own file so that it can be generalised. Signed-off-by: -
David Howells authored
Point to the public_key_signature struct from the pkcs7_signed_info struct rather than embedding it. This makes it easier to have it take an arbitrary number of MPIs in future. We also save a copy of the digest in the signature without sharing the memory with the crypto layer metadata. This means we can use public_key_free() to get rid of the signature record. Signed-off-by: -
David Howells authored
Extract the signature digest for an X.509 certificate earlier, at the end of x509_cert_parse() rather than leaving it to the callers thereof. Further, immediately after that, check the signature on self-signed certificates, also rather in the callers of x509_cert_parse(). This we need to determine whether or not the X.509 cert requires crypto that we don't support before we do the above two steps. We note in the x509_certificate struct the following bits of information: (1) Whether the signature is self-signed (even if we can't check the signature due to missing crypto). (2) Whether the key held in the certificate needs unsupported crypto to be used. We may get a PKCS#7 message with X.509 certs that we can't make use of - we just ignore them and give ENOPKG at the end it we couldn't verify anything if at least one of these unusable certs are in the chain of trust. (3) Whether the signature held in the certificate needs unsupported crypto to be checked. We can still use the key held in this certificate, even if we can't check the signature on it - if it is held in the system trusted keyring, for instance. We just can't add it to a ring of trusted keys or follow it further up the chain of trust. Making these checks earlier allows x509_check_signature() to be removed and replaced with direct calls to public_key_verify_signature(). Signed-off-by: -
David Howells authored
Retain the key verification data (ie. the struct public_key_signature) including the digest and the key identifiers. Note that this means that we need to take a separate copy of the digest in x509_get_sig_params() rather than lumping it in with the crypto layer data. Signed-off-by: -
David Howells authored
Add key identifier pointers to public_key_signature struct so that they can be used to retain the identifier of the key to be used to verify the signature in both PKCS#7 and X.509. Signed-off-by: -
David Howells authored
Allow authentication data to be stored in an asymmetric key in the 4th element of the key payload and provide a way for it to be destroyed. For the public key subtype, this will be a public_key_signature struct. Signed-off-by: -
David Howells authored
Add a facility whereby proposed new links to be added to a keyring can be vetted, permitting them to be rejected if necessary. This can be used to block public keys from which the signature cannot be verified or for which the signature verification fails. It could also be used to provide blacklisting. This affects operations like add_key(), KEYCTL_LINK and KEYCTL_INSTANTIATE. To this end: (1) A function pointer is added to the key struct that, if set, points to the vetting function. This is called as: int (*restrict_link)(struct key *keyring, const struct key_type *key_type, unsigned long key_flags, const union key_payload *key_payload), where 'keyring' will be the keyring being added to, key_type and key_payload will describe the key being added and key_flags[*] can be AND'ed with KEY_FLAG_TRUSTED. [*] This parameter will be removed in a later patch when KEY_FLAG_TRUSTED is removed. The function should return 0 to allow the link to take place or an error (typically -ENOKEY, -ENOPKG or -EKEYREJECTED) to reject the link. The pointer should not be set directly, but rather should be set through keyring_alloc(). Note that if called during add_key(), preparse is called before this method, but a key isn't actually allocated until after this function is called. (2) KEY_ALLOC_BYPASS_RESTRICTION is added. This can be passed to key_create_or_update() or key_instantiate_and_link() to bypass the restriction check. (3) KEY_FLAG_TRUSTED_ONLY is removed. The entire contents of a keyring with this restriction emplaced can be considered 'trustworthy' by virtue of being in the keyring when that keyring is consulted. (4) key_alloc() and keyring_alloc() take an extra argument that will be used to set restrict_link in the new key. This ensures that the pointer is set before the key is published, thus preventing a window of unrestrictedness. Normally this argument will be NULL. (5) As a temporary affair, keyring_restrict_trusted_only() is added. It should be passed to keyring_alloc() as the extra argument instead of setting KEY_FLAG_TRUSTED_ONLY on a keyring. This will be replaced in a later patch with functions that look in the appropriate places for authoritative keys. Signed-off-by: -
David Howells authored
Add KEY_ALLOC_BUILT_IN to convey that a key should have KEY_FLAG_BUILTIN set rather than setting it after the fact. Signed-off-by:
-
- 07 Jan, 2016 3 commits
-
-
David Howells authored
Make the determination of the trustworthiness of a key dependent on whether a key that can verify it is present in the ring of trusted keys rather than whether or not the verifying key has KEY_FLAG_TRUSTED set. verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust chain cannot be verified. Signed-off-by: -
David Howells authored
Generalise system_verify_data() to provide access to internal content through a callback. This allows all the PKCS#7 stuff to be hidden inside this function and removed from the PE file parser and the PKCS#7 test key. If external content is not required, NULL should be passed as data to the function. If the callback is not required, that can be set to NULL. The function is now called verify_pkcs7_signature() to contrast with verify_pefile_signature() and the definitions of both have been moved into linux/verification.h along with the key_being_used_for enum. Signed-off-by: -
David Howells authored
Trust for a self-signed certificate can normally only be determined by whether we obtained it from a trusted location (ie. it was built into the kernel at compile time), so there's not really any point in checking it - we could verify that the signature is valid, but it doesn't really tell us anything if the signature checks out. However, there's a bug in the code determining whether a certificate is self-signed or not - if they have neither AKID nor SKID then we just assume that the cert is self-signed, which may not be true. Given this, remove the code that treats self-signed certs specially when it comes to evaluating trustability and attempt to evaluate them as ordinary signed certificates. We then expect self-signed certificates to fail the trustability check and be marked as untrustworthy in x509_key_preparse(). Note that there is the possibility of the trustability check on a self-signed cert then succeeding. This is most likely to happen when a duplicate of the certificate is already on the trust keyring - in which case it shouldn't be a problem. Signed-off-by:
-
- 06 Jan, 2016 1 commit
-
-
David Howells authored
Partially revert commit 41c89b64: Author: Petko Manolov <petkan@mip-labs.com> Date: Wed Dec 2 17:47:55 2015 +0200 IMA: create machine owner and blacklist keyrings The problem is that prep->trusted is a simple boolean and the additional x509_validate_trust() call doesn't therefore distinguish levels of trustedness, but is just OR'd with the result of validation against the system trusted keyring. However, setting the trusted flag means that this key may be added to *any* trusted-only keyring - including the system trusted keyring. Whilst I appreciate what the patch is trying to do, I don't think this is quite the right solution. Signed-off-by:
-
- 26 Dec, 2015 3 commits
-
-
-
-
James Morris authored
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
-
- 24 Dec, 2015 10 commits
-
-
Sasha Levin authored
Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be accessed. Changelog: - Move list_empty() test to ima_release_policy(), before audit msg - Mimi Signed-off-by:
Sasha Levin <sasha.levin@oracle.com> Signed-off-by:
Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Vladis Dronov authored
Any process is able to send netlink messages with invalid types. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help to find misbehaving programs, so print the triggering command name and pid. Reported-by:
Florian Weimer <fweimer@redhat.com> Signed-off-by:
Vladis Dronov <vdronov@redhat.com> [PM: subject line tweak to make checkpatch.pl happy] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Andrew Perepechko authored
Make validatetrans decisions available through selinuxfs. "/validatetrans" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcontext $newcontext $tclass $taskcontext" to /validatetrans is expected to return 0 if the transition is allowed and -EPERM otherwise. Signed-off-by:
Andrew Perepechko <anserper@ya.ru> CC: andrew.perepechko@seagate.com Acked-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
-
Andreas Gruenbacher authored
When gfs2 releases the glock of an inode, it must invalidate all information cached for that inode, including the page cache and acls. Use the new security_inode_invalidate_secctx hook to also invalidate security labels in that case. These items will be reread from disk when needed after reacquiring the glock. Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com> Acked-by:
Bob Peterson <rpeterso@redhat.com> Acked-by:
Steven Whitehouse <swhiteho@redhat.com> Cc: cluster-devel@redhat.com [PM: fixed spelling errors and description line lengths] Signed-off-by:
-
Andreas Gruenbacher authored
When fetching an inode's security label, check if it is still valid, and try reloading it if it is not. Reloading will fail when we are in RCU context which doesn't allow sleeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by:
-
Andreas Gruenbacher authored
Add a hook to invalidate an inode's security label when the cached information becomes invalid. Add the new hook in selinux: set a flag when a security label becomes invalid. Signed-off-by:
James Morris <james.l.morris@oracle.com> Acked-by:
-
Andreas Gruenbacher authored
Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by:
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecurity hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
-
Andreas Gruenbacher authored
Signed-off-by:
-
- 20 Dec, 2015 10 commits
-
-
Jarkko Sakkinen authored
TPM2 supports authorization policies, which are essentially combinational logic statements repsenting the conditions where the data can be unsealed based on the TPM state. This patch enables to use authorization policies to seal trusted keys. Two following new options have been added for trusted keys: * 'policydigest=': provide an auth policy digest for sealing. * 'policyhandle=': provide a policy session handle for unsealing. If 'hash=' option is supplied after 'policydigest=' option, this will result an error because the state of the option would become mixed. Signed-off-by:
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
Peter Huewe <peterhuewe@gmx.de>
-
Jarkko Sakkinen authored
Added 'hash=' option for selecting the hash algorithm for add_key() syscall and documentation for it. Added entry for sm3-256 to the following tables in order to support TPM_ALG_SM3_256: * hash_algo_name * hash_digest_size Includes support for the following hash algorithms: * sha1 * sha256 * sha384 * sha512 * sm3-256 Signed-off-by:
-
Jarkko Sakkinen authored
The trusted keys option parsing allows specifying the same option multiple times. The last option value specified is used. This is problematic because: * No gain. * This makes complicated to specify options that are dependent on other options. This patch changes the behavior in a way that option can be specified only once. Reported-by:
James Morris James Morris <jmorris@namei.org> Reviewed-by:
-
Stefan Berger authored
When the TPM response reception is interrupted in the wait_event_interruptable call, the TPM is still busy processing the command and will only deliver the response later. So we have to wait for an outstanding response before sending a new request to avoid trying to put a 2nd request into the CRQ. Also reset the res_len before sending a command so we will end up in that wait_event_interruptable() waiting for the response rather than reading the command packet as a response. The easiest way to trigger the problem is to run the following cd /sys/device/vio/71000004 while :; cat pcrs >/dev/null; done And press Ctrl-C. This will then display an error tpm_ibmvtpm 71000004: tpm_transmit: tpm_recv: error -4 followed by several other errors once interaction with the TPM resumes. tpm_ibmvtpm 71000004: A TPM error (101) occurred attempting to determine the number of PCRS. Signed-off-by:
Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by:
Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com> Reviewed-by:
Ashley Lai <ashley@ashleylai.com> Signed-off-by:
-
Jason Gunthorpe authored
auto-probing doesn't work with shared interrupts, and the auto detection interrupt range is for x86 only. Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by:
Martin Wilck <Martin.Wilck@ts.fujitsu.com> Tested-by:
Scot Doyle <lkml14@scotdoyle.com> Signed-off-by:
-
Jason Gunthorpe authored
Now that the probe and run cases are merged together we can use a much simpler setup flow where probe and normal setup are done with exactly the same code. Since the new flow always calls tpm_gen_interrupt to confirm the IRQ there is also no longer any need to call tpm_get_timeouts twice. Signed-off-by:
-
Jason Gunthorpe authored
The new code that works directly in tpm_tis_send is able to handle IRQ probing duties as well, so just use it for everything. Signed-off-by:
-
Jason Gunthorpe authored
IRQ probing needs to know that the TPM is working before trying to probe, so move tpm_get_timeouts() to the top of the tpm_tis_init(). This has the advantage of also getting the correct timeouts loaded before doing IRQ probing. All the timeout handling code is moved to tpm_get_timeouts() in order to remove duplicate code in tpm_tis and tpm_crb. [jarkko.sakkinen@linux.intel.com: squashed two patches together and improved the commit message.] Signed-off-by:
-
Jason Gunthorpe authored
This should be done very early, before anything could possibly cause the TPM to generate an interrupt. If the IRQ line is shared with another driver causing an interrupt before setting up our handler will be very bad. Signed-off-by:
-
Jason Gunthorpe authored
The interrupt is always allocated with devm_request_irq so it must always be freed with devm_free_irq. Fixes: 448e9c55 ("tpm_tis: verify interrupt during init") Signed-off-by:
-
- 17 Dec, 2015 1 commit
-
-
Roman Kubiak authored
Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by:
Roman Kubiak <r.kubiak@samsung.com> Signed-off-by:
Mateusz Fruba <m.fruba@samsung.com> Acked-by:
Casey Schaufler <casey@schaufler-ca.com>
-
- 15 Dec, 2015 1 commit
-
-
Paul Gortmaker authored
The Kconfig currently controlling compilation of this code is: ima/Kconfig:config IMA_MOK_KEYRING ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple of traces of modularity so that when reading the driver there is no doubt it really is builtin-only. Since module_init translates to device_initcall in the non-modular case, the init ordering remains unchanged with this commit. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: James Morris <james.l.morris@oracle.com> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-ima-devel@lists.sourceforge.net Cc: linux-ima-user@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org Signed-off-by:
Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by:
-
