[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3018D440-A632-4F5E-BF49-F2971FC4D5E4@oracle.com>
Date: Fri, 18 Oct 2024 21:55:41 +0000
From: Eric Snowberg <eric.snowberg@...cle.com>
To: Ben Boeckel <me@...boeckel.net>
CC: "open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
"herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
"davem@...emloft.net" <davem@...emloft.net>,
Ard Biesheuvel
<ardb@...nel.org>, Jarkko Sakkinen <jarkko@...nel.org>,
Paul Moore
<paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
"Serge E. Hallyn"
<serge@...lyn.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Roberto Sassu
<roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Mickaël Salaün <mic@...ikod.net>,
"casey@...aufler-ca.com" <casey@...aufler-ca.com>,
Stefan Berger
<stefanb@...ux.ibm.com>,
"ebiggers@...nel.org" <ebiggers@...nel.org>,
Randy
Dunlap <rdunlap@...radead.org>,
open list <linux-kernel@...r.kernel.org>,
"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: Re: [RFC PATCH v3 05/13] clavis: Introduce a new key type called
clavis_key_acl
> On Oct 18, 2024, at 10:55 AM, Ben Boeckel <me@...boeckel.net> wrote:
>
> On Fri, Oct 18, 2024 at 15:42:15 +0000, Eric Snowberg wrote:
>>
>> This was done incase the end-user has a trailing carriage return at the
>> end of their ACL. I have updated the comment as follows:
>>
>> + /*
>> + * Copy the user supplied contents, if uppercase is used, convert it to
>> + * lowercase. Also if the end of the ACL contains any whitespace, strip
>> + * it out.
>> + */
>
> Well, this doesn't check the end for whitespace; any internal whitespace
> will terminate the key:
>
> DEAD BEEF
> ^ becomes NUL
>
> and results in the same thing as `DEAD` being passed.
Originally I was thinking I could extract and fix up the data in pkcs7_preparse_content,
later when key_acl_vet_description gets called do the validation. But I see
your point that it is possible there could be a valid ACL, followed by a space and
some other data, which should trigger an invalid response. I'll take care of this in
the next round too. I'll also add a Kunit test for this one. Thanks.
Powered by blists - more mailing lists