Date: Tue, 19 Jan 2016 11:32:54 +0000
From: David Howells <dhowells@...hat.com>
To: zohar@...ux.vnet.ibm.com
Cc: dhowells@...hat.com, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, petkan@...-labs.com, linux-kernel@...r.kernel.org
Subject: [RFC PATCH 20/20] IMA: Replace the .ima_mok keyring with the secondary system keyring [ver #2]

Use the secondary system keyring instead of the .ima_mok keyring and remove the latter.

Signed-off-by: David Howells <dhowells@...hat.com>
---
 include/keys/system_keyring.h | 15 -------------
 security/integrity/digsig.c | 28 ++----------------------
 security/integrity/ima/Kconfig | 18 ----------------
 security/integrity/ima/Makefile | 1 -
 security/integrity/ima/ima_mok.c | 44 --------------------------------------
 5 files changed, 2 insertions(+), 104 deletions(-)
 delete mode 100644 security/integrity/ima/ima_mok.c

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index b261362c8b2d..622c1760ecc9 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -45,19 +45,4 @@ static inline int is_key_blacklisted(const char *name)
 }
 #endif
 
-#ifdef CONFIG_IMA_MOK_KEYRING
-extern struct key *ima_mok_keyring;
-
-static inline struct key *get_ima_mok_keyring(void)
-{
-	return ima_mok_keyring;
-}
-#else
-static inline struct key *get_ima_mok_keyring(void)
-{
-	return NULL;
-}
-#endif /* CONFIG_IMA_MOK_KEYRING */
-
-
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 464d25e698ec..70fa199731f1 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -42,25 +42,6 @@ static bool init_keyring __initdata = true;
 static bool init_keyring __initdata;
 #endif
 
-/*
- * Restrict the addition of keys into the IMA keyring.
- *
- * Any key that needs to go in .ima keyring must be signed by CA in
- * either .system or .ima_mok keyrings.
- */
-static int restrict_link_by_ima_mok(struct key *keyring,
-				    const struct key_type *type,
-				    const union key_payload *payload)
-{
-	int ret;
-
-	ret = restrict_link_by_system_trusted(keyring, type, payload);
-	if (ret != -ENOKEY)
-		return ret;
-
-	return public_key_restrict_link(get_ima_mok_keyring(), type, payload);
-}
-
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 			    const char *digest, int digestlen)
 {
@@ -93,25 +74,20 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 
 int __init integrity_init_keyring(const unsigned int id)
 {
-	int (*restrict_link)(struct key *,
-			     const struct key_type *,
-			     const union key_payload *) = NULL;
 	const struct cred *cred = current_cred();
 	int err = 0;
 
 	if (!init_keyring)
 		return 0;
 
-	if (id == 1)
-		restrict_link = restrict_link_by_ima_mok;
-
 	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
 				    KGIDT_INIT(0), cred,
 				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 				     KEY_USR_VIEW | KEY_USR_READ |
 				     KEY_USR_WRITE | KEY_USR_SEARCH),
 				    KEY_ALLOC_NOT_IN_QUOTA,
-				    restrict_link, NULL);
+				    restrict_link_by_system_trusted,
+				    NULL);
 	if (IS_ERR(keyring[id])) {
 		err = PTR_ERR(keyring[id]);
 		pr_info("Can't allocate %s keyring (%d)\n",
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e54a8a8dae94..5466cfe0305f 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
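Review bot: The new keyring_alloc() call passes `restrict_link_by_system_trusted` for every `id`, whereas the removed code restricted only `id == 1` and left the other integrity keyrings with a NULL restriction, so this hunk also tightens linking into the non-IMA keyrings (.evm and whatever else keyring_name[] holds) — a change the commit message does not mention and that deserves a sentence there, or a comment at the call site. Whether `restrict_link_by_system_trusted` actually consults the secondary keyring, as the subject line promises, is not visible in this hunk and presumably comes from an earlier patch in the series; worth stating explicitly so a reader of digsig.c does not assume builtin-only trust. A short comment above the call would cover both: `/* Keys linked into any integrity keyring must be vouched for by the system trusted keyring(s), including the secondary keyring when it is enabled. */`. integrity_init_keyring() continues past the end of the hunk.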
@@ -155,24 +155,6 @@ config IMA_TRUSTED_KEYRING
 
 	  This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
 
-config IMA_MOK_KEYRING
-	bool "Create IMA machine owner keys (MOK) and blacklist keyrings"
-	depends on SYSTEM_TRUSTED_KEYRING
-	depends on IMA_TRUSTED_KEYRING
-	default n
-	help
-	  This option creates IMA MOK and blacklist keyrings. IMA MOK is an
-	  intermediate keyring that sits between .system and .ima keyrings,
-	  effectively forming a simple CA hierarchy. To successfully import a
-	  key into .ima_mok it must be signed by a key which CA is in .system
-	  keyring. On turn any key that needs to go in .ima keyring must be
-	  signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty
-	  at kernel boot.
-
-	  IMA blacklist keyring contains all revoked IMA keys. It is consulted
-	  before any other keyring. If the search is successful the requested
-	  operation is rejected and error is returned to the caller.
-
 config IMA_LOAD_X509
 	bool "Load X509 certificate onto the '.ima' trusted keyring"
 	depends on IMA_TRUSTED_KEYRING
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index a8539f9e060f..d79263d2fdbf 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -8,4 +8,3 @@ obj-$(CONFIG_IMA) += ima.o
 ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
 	 ima_policy.o ima_template.o ima_template_lib.o
 ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
-obj-$(CONFIG_IMA_MOK_KEYRING) += ima_mok.o
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
deleted file mode 100644
index 6b34770a6c9f..000000000000
--- a/security/integrity/ima/ima_mok.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2015 Juniper Networks, Inc.
- *
- * Author:
- * Petko Manolov <petko.manolov@...sulko.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- */
-
-#include <linux/export.h>
-#include <linux/kernel.h>
-#include <linux/sched.h>
-#include <linux/cred.h>
-#include <linux/err.h>
-#include <linux/init.h>
-#include <keys/system_keyring.h>
-
-
-struct key *ima_mok_keyring;
-
-/*
- * Allocate the IMA MOK and blacklist keyrings
- */
-__init int ima_mok_init(void)
-{
-	pr_notice("Allocating IMA MOK and blacklist keyrings.\n");
-
-	ima_mok_keyring = keyring_alloc(".ima_mok",
-				KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
-				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
-				KEY_USR_VIEW | KEY_USR_READ |
-				KEY_USR_WRITE | KEY_USR_SEARCH,
-				KEY_ALLOC_NOT_IN_QUOTA,
-				restrict_link_by_system_trusted, NULL);
-
-	if (IS_ERR(ima_mok_keyring))
-		panic("Can't allocate IMA MOK keyring.");
-	return 0;
-}
-device_initcall(ima_mok_init);