Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: - EVM gains support for loading an x509 cert from the kernel (EVM_LOAD_X509), into the EVM trusted kernel keyring. - Smack implements 'file receive' process-based permission checking for sockets, rather than just depending on inode checks. - Misc enhancments for TPM & TPM2. - Cleanups and bugfixes for SELinux, Keys, and IMA. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits) selinux: Inode label revalidation performance fix KEYS: refcount bug fix ima: ima_write_policy() limit locking IMA: policy can be updated zero times selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() selinux: export validatetrans decisions gfs2: Invalid security labels of inodes when they go invalid selinux: Revalidate invalid inode security labels security: Add hook to invalidate inode security labels selinux: Add accessor functions for inode->i_security security: Make inode argument of inode_getsecid non-const security: Make inode argument of inode_getsecurity non-const selinux: Remove unused variable in selinux_inode_init_security keys, trusted: seal with a TPM2 authorization policy keys, trusted: select hash algorithm for TPM2 chips keys, trusted: fix: *do not* allow duplicate key options tpm_ibmvtpm: properly handle interrupted packet receptions tpm_tis: Tighten IRQ auto-probing tpm_tis: Refactor the interrupt setup tpm_tis: Get rid of the duplicate IRQ probing code ...
This commit is contained in:
Linus Torvalds
@@ -54,6 +54,7 @@ config TRUSTED_KEYS
|
||||
select CRYPTO
|
||||
select CRYPTO_HMAC
|
||||
select CRYPTO_SHA1
|
||||
select CRYPTO_HASH_INFO
|
||||
help
|
||||
This option provides support for creating, sealing, and unsealing
|
||||
keys in the kernel. Trusted keys are random number symmetric keys,
|
||||
|
||||
@@ -429,8 +429,11 @@ static int __key_instantiate_and_link(struct key *key,
|
||||
awaken = 1;
|
||||
|
||||
/* and link it into the destination keyring */
|
||||
if (keyring)
|
||||
if (keyring) {
|
||||
set_bit(KEY_FLAG_KEEP, &key->flags);
|
||||
|
||||
__key_link(key, _edit);
|
||||
}
|
||||
|
||||
/* disable the authorisation key */
|
||||
if (authkey)
|
||||
|
||||
@@ -358,11 +358,14 @@ error:
|
||||
* and any links to the key will be automatically garbage collected after a
|
||||
* certain amount of time (/proc/sys/kernel/keys/gc_delay).
|
||||
*
|
||||
* Keys with KEY_FLAG_KEEP set should not be revoked.
|
||||
*
|
||||
* If successful, 0 is returned.
|
||||
*/
|
||||
long keyctl_revoke_key(key_serial_t id)
|
||||
{
|
||||
key_ref_t key_ref;
|
||||
struct key *key;
|
||||
long ret;
|
||||
|
||||
key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
|
||||
@@ -377,8 +380,12 @@ long keyctl_revoke_key(key_serial_t id)
|
||||
}
|
||||
}
|
||||
|
||||
key_revoke(key_ref_to_ptr(key_ref));
|
||||
key = key_ref_to_ptr(key_ref);
|
||||
ret = 0;
|
||||
if (test_bit(KEY_FLAG_KEEP, &key->flags))
|
||||
ret = -EPERM;
|
||||
else
|
||||
key_revoke(key);
|
||||
|
||||
key_ref_put(key_ref);
|
||||
error:
|
||||
@@ -392,11 +399,14 @@ error:
|
||||
* The key and any links to the key will be automatically garbage collected
|
||||
* immediately.
|
||||
*
|
||||
* Keys with KEY_FLAG_KEEP set should not be invalidated.
|
||||
*
|
||||
* If successful, 0 is returned.
|
||||
*/
|
||||
long keyctl_invalidate_key(key_serial_t id)
|
||||
{
|
||||
key_ref_t key_ref;
|
||||
struct key *key;
|
||||
long ret;
|
||||
|
||||
kenter("%d", id);
|
||||
@@ -420,8 +430,12 @@ long keyctl_invalidate_key(key_serial_t id)
|
||||
}
|
||||
|
||||
invalidate:
|
||||
key_invalidate(key_ref_to_ptr(key_ref));
|
||||
key = key_ref_to_ptr(key_ref);
|
||||
ret = 0;
|
||||
if (test_bit(KEY_FLAG_KEEP, &key->flags))
|
||||
ret = -EPERM;
|
||||
else
|
||||
key_invalidate(key);
|
||||
error_put:
|
||||
key_ref_put(key_ref);
|
||||
error:
|
||||
@@ -433,12 +447,13 @@ error:
|
||||
* Clear the specified keyring, creating an empty process keyring if one of the
|
||||
* special keyring IDs is used.
|
||||
*
|
||||
* The keyring must grant the caller Write permission for this to work. If
|
||||
* successful, 0 will be returned.
|
||||
* The keyring must grant the caller Write permission and not have
|
||||
* KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned.
|
||||
*/
|
||||
long keyctl_keyring_clear(key_serial_t ringid)
|
||||
{
|
||||
key_ref_t keyring_ref;
|
||||
struct key *keyring;
|
||||
long ret;
|
||||
|
||||
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
|
||||
@@ -460,7 +475,11 @@ long keyctl_keyring_clear(key_serial_t ringid)
|
||||
}
|
||||
|
||||
clear:
|
||||
ret = keyring_clear(key_ref_to_ptr(keyring_ref));
|
||||
keyring = key_ref_to_ptr(keyring_ref);
|
||||
if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
|
||||
ret = -EPERM;
|
||||
else
|
||||
ret = keyring_clear(keyring);
|
||||
error_put:
|
||||
key_ref_put(keyring_ref);
|
||||
error:
|
||||
@@ -511,11 +530,14 @@ error:
|
||||
* itself need not grant the caller anything. If the last link to a key is
|
||||
* removed then that key will be scheduled for destruction.
|
||||
*
|
||||
* Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked.
|
||||
*
|
||||
* If successful, 0 will be returned.
|
||||
*/
|
||||
long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
|
||||
{
|
||||
key_ref_t keyring_ref, key_ref;
|
||||
struct key *keyring, *key;
|
||||
long ret;
|
||||
|
||||
keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE);
|
||||
@@ -530,7 +552,13 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
|
||||
goto error2;
|
||||
}
|
||||
|
||||
ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
|
||||
keyring = key_ref_to_ptr(keyring_ref);
|
||||
key = key_ref_to_ptr(key_ref);
|
||||
if (test_bit(KEY_FLAG_KEEP, &keyring->flags) &&
|
||||
test_bit(KEY_FLAG_KEEP, &key->flags))
|
||||
ret = -EPERM;
|
||||
else
|
||||
ret = key_unlink(keyring, key);
|
||||
|
||||
key_ref_put(key_ref);
|
||||
error2:
|
||||
@@ -1289,6 +1317,8 @@ error:
|
||||
* the current time. The key and any links to the key will be automatically
|
||||
* garbage collected after the timeout expires.
|
||||
*
|
||||
* Keys with KEY_FLAG_KEEP set should not be timed out.
|
||||
*
|
||||
* If successful, 0 is returned.
|
||||
*/
|
||||
long keyctl_set_timeout(key_serial_t id, unsigned timeout)
|
||||
@@ -1320,10 +1350,13 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
|
||||
|
||||
okay:
|
||||
key = key_ref_to_ptr(key_ref);
|
||||
key_set_timeout(key, timeout);
|
||||
ret = 0;
|
||||
if (test_bit(KEY_FLAG_KEEP, &key->flags))
|
||||
ret = -EPERM;
|
||||
else
|
||||
key_set_timeout(key, timeout);
|
||||
key_put(key);
|
||||
|
||||
ret = 0;
|
||||
error:
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -11,6 +11,7 @@
|
||||
* See Documentation/security/keys-trusted-encrypted.txt
|
||||
*/
|
||||
|
||||
#include <crypto/hash_info.h>
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/init.h>
|
||||
@@ -710,7 +711,10 @@ enum {
|
||||
Opt_err = -1,
|
||||
Opt_new, Opt_load, Opt_update,
|
||||
Opt_keyhandle, Opt_keyauth, Opt_blobauth,
|
||||
Opt_pcrinfo, Opt_pcrlock, Opt_migratable
|
||||
Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
|
||||
Opt_hash,
|
||||
Opt_policydigest,
|
||||
Opt_policyhandle,
|
||||
};
|
||||
|
||||
static const match_table_t key_tokens = {
|
||||
@@ -723,6 +727,9 @@ static const match_table_t key_tokens = {
|
||||
{Opt_pcrinfo, "pcrinfo=%s"},
|
||||
{Opt_pcrlock, "pcrlock=%s"},
|
||||
{Opt_migratable, "migratable=%s"},
|
||||
{Opt_hash, "hash=%s"},
|
||||
{Opt_policydigest, "policydigest=%s"},
|
||||
{Opt_policyhandle, "policyhandle=%s"},
|
||||
{Opt_err, NULL}
|
||||
};
|
||||
|
||||
@@ -736,11 +743,23 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
|
||||
int res;
|
||||
unsigned long handle;
|
||||
unsigned long lock;
|
||||
unsigned long token_mask = 0;
|
||||
int i;
|
||||
int tpm2;
|
||||
|
||||
tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
|
||||
if (tpm2 < 0)
|
||||
return tpm2;
|
||||
|
||||
opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
|
||||
opt->digest_len = hash_digest_size[opt->hash];
|
||||
|
||||
while ((p = strsep(&c, " \t"))) {
|
||||
if (*p == '\0' || *p == ' ' || *p == '\t')
|
||||
continue;
|
||||
token = match_token(p, key_tokens, args);
|
||||
if (test_and_set_bit(token, &token_mask))
|
||||
return -EINVAL;
|
||||
|
||||
switch (token) {
|
||||
case Opt_pcrinfo:
|
||||
@@ -787,6 +806,41 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
|
||||
return -EINVAL;
|
||||
opt->pcrlock = lock;
|
||||
break;
|
||||
case Opt_hash:
|
||||
if (test_bit(Opt_policydigest, &token_mask))
|
||||
return -EINVAL;
|
||||
for (i = 0; i < HASH_ALGO__LAST; i++) {
|
||||
if (!strcmp(args[0].from, hash_algo_name[i])) {
|
||||
opt->hash = i;
|
||||
opt->digest_len =
|
||||
hash_digest_size[opt->hash];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i == HASH_ALGO__LAST)
|
||||
return -EINVAL;
|
||||
if (!tpm2 && i != HASH_ALGO_SHA1) {
|
||||
pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
break;
|
||||
case Opt_policydigest:
|
||||
if (!tpm2 ||
|
||||
strlen(args[0].from) != (2 * opt->digest_len))
|
||||
return -EINVAL;
|
||||
res = hex2bin(opt->policydigest, args[0].from,
|
||||
opt->digest_len);
|
||||
if (res < 0)
|
||||
return -EINVAL;
|
||||
break;
|
||||
case Opt_policyhandle:
|
||||
if (!tpm2)
|
||||
return -EINVAL;
|
||||
res = kstrtoul(args[0].from, 16, &handle);
|
||||
if (res < 0)
|
||||
return -EINVAL;
|
||||
opt->policyhandle = handle;
|
||||
break;
|
||||
default:
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
Referens i nytt ärende
Block a user