lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1454943785.2648.195.camel@linux.vnet.ibm.com>
Date:	Mon, 08 Feb 2016 10:03:05 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
	petkan@...-labs.com, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]

On Mon, 2016-02-08 at 13:55 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> 
> > In addition, this patch set removes the IMA blacklist without any method for
> > adding blacklisted IMA keys to the system blacklist keyring.
> 
> That's not true.
> 
> Patch 18 enables userspace to add keys to the system blacklist keyring,
> provided those keys are validly signed:
> 
> -			      KEY_USR_SEARCH,
> +			      KEY_USR_SEARCH | KEY_USR_WRITE,
>  			      KEY_ALLOC_NOT_IN_QUOTA |
>  			      KEY_FLAG_KEEP,
> -			      NULL, NULL);
> +			      restrict_link_by_system_trusted, NULL);
> 
> After this commit, you can do everything with the system blacklist keyring
> that you can currently do with the IMA blacklist keyring.

Right, this patch makes the system blacklist keyring writable by
userspace and removes the IMA blacklist.  What I don't understand is how
to add a key that is currently on the IMA keyring to the system
blacklist? 

With the IMA blacklist, the same certificate that was added to the IMA
keyring could be added to the blacklist. (Probably not the best idea.)

The system black list currently only supports the  TBSCertificate hash,
not the key-id.   I have the signed certificate being added to the IMA
keyring.  I'm missing the step of getting the TBSCertificate hash based
on the certificate.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ