Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- PKCS#7 support added to support signed kexec, also utilized for
module signing. See comments in 3f1e1bea.
** NOTE: this requires linking against the OpenSSL library, which
must be installed, e.g. the openssl-devel on Fedora **
- Smack
- add IPv6 host labeling; ignore labels on kernel threads
- support smack labeling mounts which use binary mount data
- SELinux:
- add ioctl whitelisting (see
http://kernsec.org/files/lss2015/vanderstoep.pdf)
- fix mprotect PROT_EXEC regression caused by mm change
- Seccomp:
- add ptrace options for suspend/resume"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits)
PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
Documentation/Changes: Now need OpenSSL devel packages for module signing
scripts: add extract-cert and sign-file to .gitignore
modsign: Handle signing key in source tree
modsign: Use if_changed rule for extracting cert from module signing key
Move certificate handling to its own directory
sign-file: Fix warning about BIO_reset() return value
PKCS#7: Add MODULE_LICENSE() to test module
Smack - Fix build error with bringup unconfigured
sign-file: Document dependency on OpenSSL devel libraries
PKCS#7: Appropriately restrict authenticated attributes and content type
KEYS: Add a name for PKEY_ID_PKCS7
PKCS#7: Improve and export the X.509 ASN.1 time object decoder
modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
extract-cert: Cope with multiple X.509 certificates in a single file
sign-file: Generate CMS message as signature instead of PKCS#7
PKCS#7: Support CMS messages also [RFC5652]
X.509: Change recorded SKID & AKID to not include Subject or Issuer
PKCS#7: Check content type and versions
MAINTAINERS: The keyrings mailing list has moved
...
Este cometimento está contido em:
Linus Torvalds
@@ -45,7 +45,6 @@ ifneq ($(CONFIG_SMP),y)
|
||||
obj-y += up.o
|
||||
endif
|
||||
obj-$(CONFIG_UID16) += uid16.o
|
||||
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
|
||||
obj-$(CONFIG_MODULES) += module.o
|
||||
obj-$(CONFIG_MODULE_SIG) += module_signing.o
|
||||
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
||||
@@ -112,99 +111,3 @@ $(obj)/config_data.gz: $(KCONFIG_CONFIG) FORCE
|
||||
targets += config_data.h
|
||||
$(obj)/config_data.h: $(obj)/config_data.gz FORCE
|
||||
$(call filechk,ikconfiggz)
|
||||
|
||||
###############################################################################
|
||||
#
|
||||
# Roll all the X.509 certificates that we can find together and pull them into
|
||||
# the kernel so that they get loaded into the system trusted keyring during
|
||||
# boot.
|
||||
#
|
||||
# We look in the source root and the build root for all files whose name ends
|
||||
# in ".x509". Unfortunately, this will generate duplicate filenames, so we
|
||||
# have make canonicalise the pathnames and then sort them to discard the
|
||||
# duplicates.
|
||||
#
|
||||
###############################################################################
|
||||
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
|
||||
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
|
||||
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
|
||||
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
|
||||
$(or $(realpath $(CERT)),$(CERT))))
|
||||
X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw))
|
||||
|
||||
ifeq ($(X509_CERTIFICATES),)
|
||||
$(warning *** No X.509 certificates found ***)
|
||||
endif
|
||||
|
||||
ifneq ($(wildcard $(obj)/.x509.list),)
|
||||
ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
|
||||
$(warning X.509 certificate list changed to "$(X509_CERTIFICATES)" from "$(shell cat $(obj)/.x509.list)")
|
||||
$(shell rm $(obj)/.x509.list)
|
||||
endif
|
||||
endif
|
||||
|
||||
kernel/system_certificates.o: $(obj)/x509_certificate_list
|
||||
|
||||
quiet_cmd_x509certs = CERTS $@
|
||||
cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) " - Including cert $(X509)")
|
||||
|
||||
targets += $(obj)/x509_certificate_list
|
||||
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
|
||||
$(call if_changed,x509certs)
|
||||
|
||||
targets += $(obj)/.x509.list
|
||||
$(obj)/.x509.list:
|
||||
@echo $(X509_CERTIFICATES) >$@
|
||||
endif
|
||||
|
||||
clean-files := x509_certificate_list .x509.list
|
||||
|
||||
ifeq ($(CONFIG_MODULE_SIG),y)
|
||||
###############################################################################
|
||||
#
|
||||
# If module signing is requested, say by allyesconfig, but a key has not been
|
||||
# supplied, then one will need to be generated to make sure the build does not
|
||||
# fail and that the kernel may be used afterwards.
|
||||
#
|
||||
###############################################################################
|
||||
ifndef CONFIG_MODULE_SIG_HASH
|
||||
$(error Could not determine digest type to use from kernel config)
|
||||
endif
|
||||
|
||||
signing_key.priv signing_key.x509: x509.genkey
|
||||
@echo "###"
|
||||
@echo "### Now generating an X.509 key pair to be used for signing modules."
|
||||
@echo "###"
|
||||
@echo "### If this takes a long time, you might wish to run rngd in the"
|
||||
@echo "### background to keep the supply of entropy topped up. It"
|
||||
@echo "### needs to be run as root, and uses a hardware random"
|
||||
@echo "### number generator if one is available."
|
||||
@echo "###"
|
||||
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
|
||||
-batch -x509 -config x509.genkey \
|
||||
-outform DER -out signing_key.x509 \
|
||||
-keyout signing_key.priv 2>&1
|
||||
@echo "###"
|
||||
@echo "### Key pair generated."
|
||||
@echo "###"
|
||||
|
||||
x509.genkey:
|
||||
@echo Generating X.509 key generation config
|
||||
@echo >x509.genkey "[ req ]"
|
||||
@echo >>x509.genkey "default_bits = 4096"
|
||||
@echo >>x509.genkey "distinguished_name = req_distinguished_name"
|
||||
@echo >>x509.genkey "prompt = no"
|
||||
@echo >>x509.genkey "string_mask = utf8only"
|
||||
@echo >>x509.genkey "x509_extensions = myexts"
|
||||
@echo >>x509.genkey
|
||||
@echo >>x509.genkey "[ req_distinguished_name ]"
|
||||
@echo >>x509.genkey "#O = Unspecified company"
|
||||
@echo >>x509.genkey "CN = Build time autogenerated kernel key"
|
||||
@echo >>x509.genkey "#emailAddress = unspecified.user@unspecified.company"
|
||||
@echo >>x509.genkey
|
||||
@echo >>x509.genkey "[ myexts ]"
|
||||
@echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
|
||||
@echo >>x509.genkey "keyUsage=digitalSignature"
|
||||
@echo >>x509.genkey "subjectKeyIdentifier=hash"
|
||||
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
|
||||
endif
|
||||
|
||||
Criar uma nova questão referindo esta
Bloquear um utilizador