Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp643433ybk; Fri, 15 May 2020 09:47:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw4cFywLcO3lYR3omivLXaF3l6A/fQdtJgpCgnAp1jLgQ6n8vu2Hc7yukeb2yWELSYs8P50 X-Received: by 2002:a50:b202:: with SMTP id o2mr3599285edd.251.1589561263888; Fri, 15 May 2020 09:47:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589561263; cv=none; d=google.com; s=arc-20160816; b=I+/8y1Gi+pEc9ZlW9M8TfQK9cX3b3XSPv/YHf0+WEGYGUksnNNpra3zZlI6mCvBKcf Lxbgd4J+EnI3wi8OHmwpAS4f4LN7UkHeH46H2TOAE9kn0jkKA12iq39Z7dIW6rM1vyF+ LSf7bFo/qnShyEZijZ1wkhcHPCeDxPvwERtE5n6hp6wBZx0E7Iv6Zgw1NqmUIpdg0SkS JEoyBJteBcTfwVtQnhTa3r8dR+g7q1U+mQoPp1wcuB6+BhTQLg7465y9lR2AhBllc5im CSJrfXGdkEfiK0oO+xkPeZ1nQ4PdBvLR3EnBhEgm0IeR6o4ymBPUBLDWDjEWy/AuiotF psAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:references:in-reply-to:from :organization:dkim-signature; bh=+IBvKYnMRct6wIVYk1OHcT0bp5/WnDeiDsV8CVPaV/4=; b=dFwM7OOVAaoqmCuagQwGrNpuJkFmR4BhKH2XsQjQXDZ0a96HmgeHsUYogCEAzd+x47 mdDjnodP1rDyZvFrPSKcfLalS+YvEvT/mpPHw+Li4/A8S8G6vfDHkNyNKwHJPrmMrtwH JkO5zoCy/DEVI+ek0vjexXF5gL9a7acowIihGAXf1T9zKb3lbVs89JM2+yfvNPE/BHJ0 MNAXXNDAWjFWBNSsvXdifCxb/kNNHUW+BULunDQD6r0pTkVFF5lWY3/SRoCkANNxlbMP Mj+4dNuqVFw9q0LN3NPD5VJ8P67Oj58kcuI/KJtQ2CPUOvfWX7prLGG5YE07ybTgk+Mw N93Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=QECgooPW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n24si1580467ejg.142.2020.05.15.09.47.19; Fri, 15 May 2020 09:47:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=QECgooPW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726226AbgEOQpf (ORCPT + 99 others); Fri, 15 May 2020 12:45:35 -0400 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:46152 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726185AbgEOQpe (ORCPT ); Fri, 15 May 2020 12:45:34 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1589561133; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+IBvKYnMRct6wIVYk1OHcT0bp5/WnDeiDsV8CVPaV/4=; b=QECgooPWYpPmKqiqQ9PAiKUs/Go7y+kcTQ5C5+KV/hSt/WlVczLsGAislwSOYX1NxquHav uvQGPMLs3XTBJI0pgLSDDMqCrzHnRRLdVgEli6IlBR5YkNAFxWApBHYV15i5LX8+H0rqCa UJMWE6KTun7QeC+B8E1l7bZkUgnXn+g= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-311-00j2DJWnOzuUdvc1IhJFqw-1; Fri, 15 May 2020 12:45:29 -0400 X-MC-Unique: 00j2DJWnOzuUdvc1IhJFqw-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9AF0218B6450; Fri, 15 May 2020 16:45:12 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-112-95.rdu2.redhat.com [10.10.112.95]) by smtp.corp.redhat.com (Postfix) with ESMTP id 94C9C579A0; Fri, 15 May 2020 16:45:10 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <158932282880.2885325.2688622278854566047.stgit@warthog.procyon.org.uk> <3999877.1589475539@warthog.procyon.org.uk> To: Stephen Smalley Cc: dhowells@redhat.com, Jarkko Sakkinen , Paul Moore , Casey Schaufler , keyrings@vger.kernel.org, SElinux list , LSM List , linux-kernel Subject: Re: [PATCH] keys: Move permissions checking decisions into the checking code MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <196729.1589561109.1@warthog.procyon.org.uk> Content-Transfer-Encoding: quoted-printable Date: Fri, 15 May 2020 17:45:09 +0100 Message-ID: <196730.1589561109@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Stephen Smalley wrote: > > (1) KEY_FLAG_KEEP in key->flags - The key may not be deleted and/= or things > > may not be removed from the keyring. > = > Why can't they be deleted / removed? They can't ever be deleted or > removed or for some period of time? This is only settable internally to keep special keys, such as the blackli= st loaded from the EFI BIOS, from being removed. > > (2) KEY_FLAG_ROOT_CAN_CLEAR in key->flags - The keyring can be cl= eared by > > CAP_SYS_ADMIN. > = > Why do some keyrings get this flag and others do not? Under what > conditions? Why is CAP_SYS_ADMIN the right capability for this? > = > > (3) KEY_FLAG_ROOT_CAN_INVAL in key->flags - The key can be invali= dated by > > CAP_SYS_ADMIN. > = > Ditto. So that the sysadmin can clear, say, the NFS idmapper keyring or invalidat= e DNS lookup keys. > > (4) An appropriate auth token being set in cred->request_key_auth= that > > gives a process transient permission to view and instantiate = a key. > > This is used by the kernel to delegate instantiation to users= pace. > = > Is this ever allowed across different credentials? The kernel upcalls by spawning a daemon. I want to change this as it's no= t compatible with containers since namespaces make this problematic. > When? The request_key() system call will do this. The normal use case is someth= ing like the AFS filesystem asking for a key so that it can do an operation. = The possibility exists for the kernel to upcall, say, to something that does a= klog on behalf of the user - but aklog in turn needs to get the TGT out of the keyrings. > Why? Is there a check between the different credentials before the > auth token is created? No. I don't even know what the target creds will necessarily be at this point. > > Note that this requires some tweaks to the testsuite as some of th= e > > error codes change. > = > Which testsuite? keyring or selinux or both? The keyring testsuite. No idea about the SELinux one. > What error codes change (from what to what)? Does this constitute an AB= I > change? The following: (1) Passing the wrong type of key to KEYCTL_DH_COMPUTE now gets you EOPNOTSUPP rather than ENOKEY. This is now as documented in the manu= al page. (2) Passing key ID 0 or an invalid negative key ID to KEYCTL_DH_COMPUTE n= ow gets you EINVAL rather than ENOKEY. (3) Passing key ID 0 or an invalid negative key ID to KEYCTL_READ now get= s you EINVAL rather than ENOKEY. Technically, it consistutes an ABI change, I suppose, but I think it is probably sufficiently minor. Or maybe on (2) and (3) I should go the other way. You get ENOKEY for inv= alid key IDs (such as 0 or unsupported negative ones) across all callers of lookup_user_key(). This would at least by consistent with the manual page= s. > I like moving more of the permission checking logic into the security > modules and giving them greater visibility and control. That said, I > am somewhat concerned by the scale of this change, by the extent to > which you are exposing keyring internals inside the security modules, > and by the extent to which logic is getting duplicated in each > security module. It's what you asked for. Now, I don't know if the LSM needs to know that the main keyutils permissi= ons checker invoked an override. At least one of the overrides will have gone through the LSM anyway when capable() was called. > I'd suggest a more incremental approach, e.g. start with just the enum > patch, then migrate the easy cases, then consider the more complicated > cases. And possibly we need multiple different security hooks for the > keyring subsystem that are more specialized for the complicated cases. = If > we authorize the delegation up front, we don't need to check it later. I'll consider it. But I really need to get what I'm going to include in t= he middle of the notifications patchset sorted now - or risk the notification= s and fsinfo patchsets getting bumped again. Maybe what's needed is a pair of hooks whereby the call to capable() is replaced with LSM hook specifically to ask about the overrides: security_key_use_sysadmin_override(key, cred); security_key_use_construction_override(key, cred); And/or a hook to ask whether the process is allowed to do the request_key(= ) call that they want: security_request_key(struct key_type *type, const char *description, struct key_tag *domain_tag, const void *callout_info, size_t callout_len, void *aux); I don't really want to do a "can the kernel delegate to process X?" hook j= ust at the moment, since I want to change/extend that code and I don't want to commit to any particular security information being present yet. I can go back to the enum patch for the moment if you and Casey can put up with that for the moment? David