Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3546197pxb; Mon, 1 Mar 2021 12:57:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJwzSrlVBS7H1k4XeZrD4RMRtPrFY5xC9cMb/8Md45x8VX3rPFvWOXulA1IHkRWMMtpiVyTY X-Received: by 2002:a17:906:8443:: with SMTP id e3mr9233752ejy.370.1614632258532; Mon, 01 Mar 2021 12:57:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614632258; cv=none; d=google.com; s=arc-20160816; b=tcpnCKo0bFZQveTN3it66yS+jArPej0To3+Y4XSGMMbPOZp8cmda/DBrnYkr+tpBeC mQAWfNOwLsPb8pGc5qJxlXuFjUPcY3gjPDATbkkg/D3YLZ6L1YsL36TrD7tlql4ZG7ai NHMsMMIxg2xqrRDkX3oZS1Sba3veqLNoTAfS2hdWZNetA0TIynG2W+UdTpyoBI8+IoNl vtWYZRdxD7XDpk0MzMS8Al2g/micYgRp9brkUoFZZ2ID1JwTRFbgT0Eldt2CQPnQ9ZIN ZCupUw9xEkWVVNbv/sS+pyQTenF4W7t+JKczMROZm42R1f8vATDTISIvQO5KmVkRtrdm m9bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=JS2zybsMTy3MeOHizgL5dOF3zl0fOsm8WlSdBHu+YAo=; b=1GP0tztje+gXW9mCdP6pLxSBBNvBW3LbwPFT7wufrj7XuZcmyMuj2oo7kSjdHoscs2 Ok1ut90FFx/o1marNayt9oZxfEPG0TD0TGbLk0Y1g3j+dg9RML0V6d68qljXFBVTqaeJ XbCn/opQeFVAaxiXbrCKxT1pYFHlDeGTK4Tf3Fu936QPToUoNYQ6UM+9S6r5ckdeNLCA bKtf9VOB3NOAu2wUoOFP4m5M5OH9JpfwGxD0SL+wTnOwwR9j2g0ICpVeYdPK5SqA3g5i 25CQjpRYJncfiIiV1j84xy3CB0s9UQ7I+mUs0BiatmTc8MoRmpz09DonO842VImGjGne IHVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bJIsqSWy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b11si3286912edz.197.2021.03.01.12.57.15; Mon, 01 Mar 2021 12:57:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bJIsqSWy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243997AbhCAUyM (ORCPT + 99 others); Mon, 1 Mar 2021 15:54:12 -0500 Received: from mail.kernel.org ([198.145.29.99]:37622 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237163AbhCARKS (ORCPT ); Mon, 1 Mar 2021 12:10:18 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id E102D6501E; Mon, 1 Mar 2021 16:42:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1614616966; bh=5IM/LDQa7UZZldfn7jNf6artS7u6KjJqX+jFv80doIc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bJIsqSWyPpRNjCWU4+ZJpikYFZ6nK0yy6Wbnx2uw4VQfqeIogLcnq3ZcR8q7Xjv+t IjMC2hy1ILiMUt2758jItSCY2SIZpxQoh62j2Ph4EXioI9ot7cUtxLr1Cn7KarK6KL x/00WsdNxh2xdhaFSkPF85x3ZpdMm4DqrR0r+ChQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , David Howells , Mimi Zohar , David Woodhouse , Sasha Levin Subject: [PATCH 4.19 126/247] certs: Fix blacklist flag type confusion Date: Mon, 1 Mar 2021 17:12:26 +0100 Message-Id: <20210301161037.842729403@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210301161031.684018251@linuxfoundation.org> References: <20210301161031.684018251@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells [ Upstream commit 4993e1f9479a4161fd7d93e2b8b30b438f00cb0f ] KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(), as these only take KEY_ALLOC_* flags. KEY_FLAG_KEEP has the same value as KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update() uses it. LSMs using the key_alloc hook don't check that flag. KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot write to the blacklist keyring, so it is not possible to remove a key/hash from it. Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set KEY_FLAG_KEEP on the new key. blacklist_init() can then, correctly, pass this to keyring_alloc(). We can also use this in ima_mok_init() rather than setting the flag manually. Note that this doesn't fix an observable bug with the current implementation but it is required to allow addition of new hashes to the blacklist in the future without making it possible for them to be removed. Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring") Reported-by: Mickaël Salaün Signed-off-by: David Howells cc: Mickaël Salaün cc: Mimi Zohar Cc: David Woodhouse Signed-off-by: Sasha Levin --- certs/blacklist.c | 2 +- include/linux/key.h | 1 + security/integrity/ima/ima_mok.c | 5 ++--- security/keys/key.c | 2 ++ 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 3a507b9e2568a..e9f3f81c51f96 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -157,7 +157,7 @@ static int __init blacklist_init(void) KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH, KEY_ALLOC_NOT_IN_QUOTA | - KEY_FLAG_KEEP, + KEY_ALLOC_SET_KEEP, NULL, NULL); if (IS_ERR(blacklist_keyring)) panic("Can't allocate system blacklist keyring\n"); diff --git a/include/linux/key.h b/include/linux/key.h index e58ee10f6e585..3683c6a6fca30 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -249,6 +249,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BUILT_IN 0x0004 /* Key is built into kernel */ #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ +#define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c index 073ddc9bce5ba..3e7a1523663b8 100644 --- a/security/integrity/ima/ima_mok.c +++ b/security/integrity/ima/ima_mok.c @@ -43,13 +43,12 @@ __init int ima_mok_init(void) (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE | KEY_USR_SEARCH, - KEY_ALLOC_NOT_IN_QUOTA, + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_SET_KEEP, restriction, NULL); if (IS_ERR(ima_blacklist_keyring)) panic("Can't allocate IMA blacklist keyring."); - - set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags); return 0; } device_initcall(ima_mok_init); diff --git a/security/keys/key.c b/security/keys/key.c index d5fa8c4fc5544..d3ebc0533e3ad 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_BUILTIN; if (flags & KEY_ALLOC_UID_KEYRING) key->flags |= 1 << KEY_FLAG_UID_KEYRING; + if (flags & KEY_ALLOC_SET_KEEP) + key->flags |= 1 << KEY_FLAG_KEEP; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; -- 2.27.0