Message-ID: <20241017155516.2582369-10-eric.snowberg@oracle.com>
Date: Thu, 17 Oct 2024 09:55:12 -0600
From: Eric Snowberg <eric.snowberg@...cle.com>
To: linux-security-module@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org, herbert@...dor.apana.org.au,
        davem@...emloft.net, ardb@...nel.org, jarkko@...nel.org,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
        zohar@...ux.ibm.com, roberto.sassu@...wei.com,
        dmitry.kasatkin@...il.com, mic@...ikod.net, casey@...aufler-ca.com,
        stefanb@...ux.ibm.com, eric.snowberg@...cle.com, ebiggers@...nel.org,
        rdunlap@...radead.org, linux-kernel@...r.kernel.org,
        keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
        linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org
Subject: [RFC PATCH v3 09/13] clavis: Allow user to define acl at build time

Add a new Kconfig called SECURITY_CLAVIS_ACL_LIST. If set, this option
should be the file name of a list of clavis ACL entries. This will be
included into a C wrapper to incorporate the ACL list into the kernel.
The file contents must be in the following format: <two digit key usage
number>:<subject key id>. If more than one entry is added, add a carriage
return after each entry.

Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
 security/clavis/.gitignore           |  1 +
 security/clavis/Kconfig              | 10 ++++++++++
 security/clavis/Makefile             | 16 ++++++++++++++++
 security/clavis/clavis.h             |  2 ++
 security/clavis/clavis_builtin_acl.c |  7 +++++++
 security/clavis/clavis_keyring.c     |  1 +
 6 files changed, 37 insertions(+)
 create mode 100644 security/clavis/.gitignore
 create mode 100644 security/clavis/clavis_builtin_acl.c

diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore
new file mode 100644
index 000000000000..c1b60bee049e
--- /dev/null
+++ b/security/clavis/.gitignore
@@ -0,0 +1 @@
+/builtin_acl
diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig
index 04f7565f2e2b..b702311ec905 100644
--- a/security/clavis/Kconfig
+++ b/security/clavis/Kconfig
@@ -9,3 +9,13 @@ config SECURITY_CLAVIS
 	  keyrings (builtin, secondary, or platform).  One way to add this key
 	  is during boot by passing in the asymmetric key id within the "clavis=" boot
 	  param.  This keyring is required by the Clavis LSM.
+
+config SECURITY_CLAVIS_ACL_LIST
+	string "Clavis ACL list to preload into the clavis keyring"
+	depends on SECURITY_CLAVIS
+	help
+	  If set, this option should be the file name of a list of clavis ACL
+	  entries. This will be included into a C wrapper to incorporate the
+	  acl list into the kernel. The file contents must be in the following
+	  format: <two digit key usage number>:<subject key id>.  If more than
+	  one entry is added, add a carriage return after each entry.
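Review bot: The help text's `add a carriage return after each entry` does not match what the build rule consumes: the sed in the Makefile hunk splits the list file on newlines and strips only leading whitespace, so a literal CR (CRLF line endings) would be carried into the generated C string and become part of the ACL entry. Reword it to `one entry per line, newline-terminated`, and since this paragraph documents the entry format, also state what the Makefile rule visibly does to each line: leading whitespace is dropped and the text is lower-cased. The commit description repeats the same carriage-return wording.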
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index a3430dd6bdf9..082e6d3c0934 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
@@ -2,3 +2,19 @@
 
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o
+
+ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)
+quiet_cmd_make_builtin_acl = GEN     $@
+      cmd_make_builtin_acl = \
+	echo > $@
+else
+quiet_cmd_make_builtin_acl = GEN     $@
+      cmd_make_builtin_acl = \
+	sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
+endif
+
+$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
+	$(call if_changed,make_builtin_acl)
+
+$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
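Review bot: The sed in `cmd_make_builtin_acl` turns every input line into a quoted C string without validating it, so a blank line becomes an empty `"",` entry handed to clavis_add_acl, trailing whitespace or a CR stays inside the string, and a `"` or `\` in the list file yields invalid C or an unintended escape. Drop empty lines and trailing whitespace before quoting, e.g. `sed 's/^[ \t]*//; s/[ \t\r]*$//; /^$/d; s/.*/"&",/'`, and consider rejecting lines that do not match the documented `<two digit key usage number>:<subject key id>` form so a malformed ACL file fails the build instead of reaching the keyring at boot. Since the list is a security policy baked into the image, a build-time check is the cheapest place to catch a typo in a key id.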
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index b77e4ec8edbe..7099a517b111 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -14,6 +14,8 @@ struct asymmetric_setup_kid {
 	unsigned char data[CLAVIS_BIN_KID_MAX];
 };
 
+extern const char __initconst *const clavis_builtin_acl_list[];
+
 #ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
 const char __initconst *const clavis_module_acl[] = {
 	 NULL
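Review bot: The new `extern const char __initconst *const clavis_builtin_acl_list[];` carries no description of what the array holds or when it may be dereferenced, and its definition lives in a generated-include wrapper a reader is unlikely to open. A comment above the extern such as `/* NULL-terminated "<two digit key usage>:<subject key id>" strings generated from CONFIG_SECURITY_CLAVIS_ACL_LIST; __initconst, so valid only from __init code such as clavis_keyring_init() */` records the contract that the Makefile rule, clavis_builtin_acl.c and the caller in clavis_keyring.c all rely on. The `#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING` block that follows continues past the hunk.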
diff --git a/security/clavis/clavis_builtin_acl.c b/security/clavis/clavis_builtin_acl.c
new file mode 100644
index 000000000000..c98b6df05413
--- /dev/null
+++ b/security/clavis/clavis_builtin_acl.c
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "clavis.h"
+
+const char __initconst *const clavis_builtin_acl_list[] = {
+#include "builtin_acl"
+	NULL
+};
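Review bot: This new translation unit includes clavis.h, and the tail of the clavis.h hunk shows that header defining, not merely declaring, `clavis_module_acl[]` under `#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING`; if clavis_keyring.c (which passes clavis_module_acl to clavis_add_acl) also includes clavis.h, the array is now defined twice and linking should fail when CONFIG_SYSTEM_TRUSTED_KEYRING is unset, unless a guard outside the hunk prevents it or clavis.c already includes the header and the problem predates this patch. Either move the clavis_module_acl definition out of the header into clavis_keyring.c, or have this file include only `<linux/init.h>` for `__initconst` and leave the extern where it is. A one-line comment above `#include "builtin_acl"` naming the Makefile rule that generates it (and that the list is NULL-terminated here rather than by the generator) would also help the next reader.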
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index 1e1fbb54f6be..a4a95a931b50 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -300,6 +300,7 @@ int __init clavis_keyring_init(void)
 		panic("Can't allocate clavis keyring\n");
 
 	clavis_add_acl(clavis_module_acl, clavis_keyring);
+	clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);
 
 	return 0;
 }
-- 
2.45.0

