[PATCH 0/4] Basic trusted keys support for TPM 2.0

2015-10-02 Thread Jarkko Sakkinen
Basic trusted keys support, which means basic sealing with an
authentication value by using SHA256. After we get the groundwork in
place the functionality will be refined with algorithmic agility and
policy based sealing.

Jarkko Sakkinen (4):
  tpm: introduce struct tpm_buf
  trusted: move struct trusted_key_options to trusted-type.h
  tpm: seal/unseal for TPM 2.0
  keys, trusted: seal/unseal with TPM 2.0 chips

 drivers/char/tpm/tpm-interface.c |  75 ++
 drivers/char/tpm/tpm.h   |  78 ++
 drivers/char/tpm/tpm2-cmd.c  | 495 +++
 include/keys/trusted-type.h  |  15 +-
 include/linux/tpm.h  |  26 ++
 include/linux/tpm_command.h  |   1 -
 security/keys/trusted.c  |  18 +-
 security/keys/trusted.h  |  18 +-
 8 files changed, 504 insertions(+), 222 deletions(-)

-- 
2.5.0

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH] Smack: Minor initialisation improvement

2015-10-02 Thread José Bollo
This change has two goals:
 - delay the setting of 'smack_enabled' until
   it is really effective
 - ensure that smackfs is valid only if 'smack_enabled'
   is set (it is already the case in smack_netfilter.c)

Signed-off-by: José Bollo 
---
 security/smack/smack_lsm.c | 4 ++--
 security/smack/smackfs.c   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 996c889..dd0f0a6 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4708,8 +4708,6 @@ static __init int smack_init(void)
if (!security_module_enable("smack"))
return 0;
 
-   smack_enabled = 1;
-
smack_inode_cache = KMEM_CACHE(inode_smack, 0);
if (!smack_inode_cache)
return -ENOMEM;
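Review bot: with `smack_enabled = 1;` removed from this point, the `return -ENOMEM;` that follows `if (!smack_inode_cache)` (and the one in the next hunk) now exits with the flag still clear, which matches the commit message; it is worth stating there that nothing between `security_module_enable("smack")` and the new assignment reads `smack_enabled`, since smackfs now keys off that flag instead of the enable check.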
@@ -4721,6 +4719,8 @@ static __init int smack_init(void)
return -ENOMEM;
}
 
+   smack_enabled = 1;
+
pr_info("Smack:  Initializing.\n");
 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
pr_info("Smack:  Netfilter enabled.\n");
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index c20b154..d2bb5ee 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2892,7 +2892,7 @@ static int __init init_smk_fs(void)
int err;
int rc;
 
-   if (!security_module_enable("smack"))
+   if (smack_enabled == 0)
return 0;
 
err = smk_init_sysfs();
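Review bot: replacing `security_module_enable("smack")` with a test of `smack_enabled` makes init_smk_fs() depend on smack_init() having already run and succeeded, an initcall-ordering assumption that should be spelled out in a comment above the check or in the commit message. Style-wise, `if (!smack_enabled)` is the usual kernel form for a flag test rather than `== 0`.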
-- 
2.1.4






[PATCH] Smack: Fix wrong copy size

2015-10-02 Thread José Bollo
The function strncpy was copying an extra character
when i == len (which is possible via the revoke interface).

Change-Id: Ic7452da05773e620a1d7bbc55e859c25a86c65f6
Signed-off-by: José Bollo 
Signed-off-by: Stephane Desneux 
---
 security/smack/smack_access.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/smack/smack_access.c
b/security/smack/smack_access.c
index c062e94..930e548 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -432,7 +432,7 @@ char *smk_parse_smack(const char *string, int len)
 
smack = kzalloc(i + 1, GFP_KERNEL);
if (smack != NULL) {
-   strncpy(smack, string, i + 1);
+   strncpy(smack, string, i);
smack[i] = '\0';
}
return smack;
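Review bot: the defect is an over-read of `string`, not an overflow of `smack`: `kzalloc(i + 1, GFP_KERNEL)` already leaves room for the terminator, so the old `strncpy(smack, string, i + 1)` read `string[i]`, one byte past the caller-supplied `len`, whenever `i == len`; the commit message should say that. With the count now `i` and the buffer zero-filled, the explicit `smack[i] = '\0';` is redundant but harmless, and since `i` is an exact byte count, `memcpy(smack, string, i)` would state the intent more plainly than strncpy.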
-- 
1.9.1





[PATCH 3/4] tpm: seal/unseal for TPM 2.0

2015-10-02 Thread Jarkko Sakkinen
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.

This patch implements basic sealing and unsealing functionality for
TPM 2.0:

* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.

Signed-off-by: Jarkko Sakkinen 
---
 drivers/char/tpm/tpm-interface.c |  75 
 drivers/char/tpm/tpm.h   |  14 +++
 drivers/char/tpm/tpm2-cmd.c  | 184 +++
 include/keys/trusted-type.h  |   2 +-
 include/linux/tpm.h  |  26 ++
 5 files changed, 300 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index e85d341..6dd4c74 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -666,6 +666,29 @@ int tpm_pcr_read_dev(struct tpm_chip *chip, int pcr_idx, 
u8 *res_buf)
 }
 
 /**
+ * tpm_is_tpm2 - is the chip a TPM2 chip?
+ * @chip_num:  tpm idx # or ANY
+ *
+ * Returns 1 if the chip is a TPM2 chip.
+ */
+int tpm_is_tpm2(u32 chip_num)
+{
+   struct tpm_chip *chip;
+   int rc;
+
+   chip = tpm_chip_find_get(chip_num);
+   if (chip == NULL)
+   return -ENODEV;
+
+   rc = (chip->flags & TPM_CHIP_FLAG_TPM2) != 0;
+
+   tpm_chip_put(chip);
+
+   return rc;
+}
+EXPORT_SYMBOL_GPL(tpm_is_tpm2);
+
+/**
  * tpm_pcr_read - read a pcr value
  * @chip_num:  tpm idx # or ANY
  * @pcr_idx:   pcr idx to retrieve
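Review bot: the kerneldoc says only "Returns 1 if the chip is a TPM2 chip", but the function also returns 0 for a TPM 1.2 chip and `-ENODEV` when `tpm_chip_find_get()` finds nothing; document all three, because a negative errno is truthy and a caller writing `if (tpm_is_tpm2(...))` takes the TPM2 path on a system with no TPM at all. Mixing a yes/no answer and an errno in one int is the root of that hazard, so at minimum say that callers must test `> 0`.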
@@ -1021,6 +1044,58 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
 }
 EXPORT_SYMBOL_GPL(tpm_get_random);
 
+/**
+ * tpm_seal_trusted() - seal a trusted key
+ * @chip_num: A specific chip number for the request or TPM_ANY_NUM
+ * @options: authentication values and other options
+ * @payload: the key data in clear and encrypted form
+ *
+ * Returns < 0 on error and 0 on success. At the moment, only TPM 2.0 chips
+ * are supported.
+ */
+int tpm_seal_trusted(u32 chip_num, struct trusted_key_payload *payload,
+struct trusted_key_options *options)
+{
+   struct tpm_chip *chip;
+   int rc;
+
+   chip = tpm_chip_find_get(chip_num);
+   if (chip == NULL || !(chip->flags & TPM_CHIP_FLAG_TPM2))
+   return -ENODEV;
+
+   rc = tpm2_seal_trusted(chip, payload, options);
+
+   tpm_chip_put(chip);
+   return rc;
+}
+EXPORT_SYMBOL_GPL(tpm_seal_trusted);
+
+/**
+ * tpm_unseal_trusted() - unseal a trusted key
+ * @chip_num: A specific chip number for the request or TPM_ANY_NUM
+ * @options: authentication values and other options
+ * @payload: the key data in clear and encrypted form
+ *
+ * Returns < 0 on error and 0 on success. At the moment, only TPM 2.0 chips
+ * are supported.
+ */
+int tpm_unseal_trusted(u32 chip_num, struct trusted_key_payload *payload,
+  struct trusted_key_options *options)
+{
+   struct tpm_chip *chip;
+   int rc;
+
+   chip = tpm_chip_find_get(chip_num);
+   if (chip == NULL || !(chip->flags & TPM_CHIP_FLAG_TPM2))
+   return -ENODEV;
+
+   rc = tpm2_unseal_trusted(chip, payload, options);
+
+   tpm_chip_put(chip);
+   return rc;
+}
+EXPORT_SYMBOL_GPL(tpm_unseal_trusted);
+
 static int __init tpm_init(void)
 {
int rc;
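Review bot: both tpm_seal_trusted() and tpm_unseal_trusted() leak the reference taken by `tpm_chip_find_get()` when a chip exists but is not TPM 2.0: `if (chip == NULL || !(chip->flags & TPM_CHIP_FLAG_TPM2)) return -ENODEV;` returns without `tpm_chip_put(chip)` in the second case. Split the test so the put happens before returning for a non-TPM2 chip. Also, the kerneldoc lists `@options` before `@payload` while both signatures take `payload` first, and the commit message names the functions tpm_trusted_seal()/tpm_trusted_unseal() while the code exports tpm_seal_trusted()/tpm_unseal_trusted().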
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index f04afb7..2d79939 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -88,6 +88,9 @@ enum tpm2_return_codes {
 
 enum tpm2_algorithms {
TPM2_ALG_SHA1   = 0x0004,
+   TPM2_ALG_KEYEDHASH  = 0x0008,
+   TPM2_ALG_SHA256 = 0x000B,
+   TPM2_ALG_NULL   = 0x0010
 };
 
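Review bot: `TPM2_ALG_NULL   = 0x0010` has no trailing comma, so the next algorithm added to the enum will produce a two-line diff; the command-code enum below ends every member with a comma (`TPM2_CC_PCR_READ= 0x017E,`), so match that here.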
 enum tpm2_command_codes {
@@ -95,6 +98,10 @@ enum tpm2_command_codes {
TPM2_CC_SELF_TEST   = 0x0143,
TPM2_CC_STARTUP = 0x0144,
TPM2_CC_SHUTDOWN= 0x0145,
+   TPM2_CC_CREATE  = 0x0153,
+   TPM2_CC_LOAD= 0x0157,
+   TPM2_CC_UNSEAL  = 0x015E,
+   TPM2_CC_FLUSH_CONTEXT   = 0x0165,
TPM2_CC_GET_CAPABILITY  = 0x017A,
TPM2_CC_GET_RANDOM  = 0x017B,
TPM2_CC_PCR_READ= 0x017E,
@@ -492,6 +499,13 @@ static inline void tpm_remove_ppi(struct tpm_chip *chip)
 int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
 int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash);
 int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
+int tpm2_seal_trusted(struct tpm_chip *chip,
+ struct trusted_key_payload *payload,
+ struct trusted_key_options *options);
+int tpm2_unseal_trusted(struct tpm_chip *chip,
+   struct trusted_key_payload *payload,
+   struct trusted_key_options *options);
+
 ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 property_id,
u32 *value, const char *desc);
 
diff --git a/drivers/char/tpm/tpm2-cmd.c 

[PATCH 4/4] keys, trusted: seal/unseal with TPM 2.0 chips

2015-10-02 Thread Jarkko Sakkinen
Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.

Signed-off-by: Jarkko Sakkinen 
---
 drivers/char/tpm/tpm2-cmd.c |  2 +-
 include/linux/tpm_command.h |  1 -
 security/keys/trusted.c | 18 ++
 security/keys/trusted.h |  7 +++
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 0986c96..0fba698 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -422,7 +422,7 @@ static int tpm2_load(struct tpm_chip *chip,
 options->keyauth /* hmac */,
 TPM_DIGEST_SIZE);
 
-   tpm_buf_append(, payload->blob, payload->blob_len);
+   tpm_buf_append(, payload->blob, blob_len);
 
rc = tpm_transmit_cmd(chip, buf.data, TPM_BUF_SIZE, "loading blob");
if (!rc)
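Review bot: this changes tpm2_load() in tpm2-cmd.c, code that patch 3/4 of the same series introduces, so it belongs squashed into 3/4 rather than fixed up here. The new `blob_len` is a local not shown in the hunk; the commit message should say how it is derived and that it is bounded before the `tpm_buf_append()` into a buffer that is then transmitted with `TPM_BUF_SIZE`.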
diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
index 727512e..d7b0f82 100644
--- a/include/linux/tpm_command.h
+++ b/include/linux/tpm_command.h
@@ -22,7 +22,6 @@
 #define TPM_ORD_UNSEAL  24
 
 /* Other constants */
-#define SRKHANDLE   0x4000
 #define TPM_NONCE_SIZE  20
 
 #endif
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index c0594cb..f6557b1 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -601,7 +601,7 @@ static int tpm_unseal(struct tpm_buf *tb,
}
 
ordinal = htonl(TPM_ORD_UNSEAL);
-   keyhndl = htonl(SRKHANDLE);
+   keyhndl = htonl(TPM1_SRKHANDLE);
ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
if (ret != TPM_NONCE_SIZE) {
pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
@@ -867,7 +867,11 @@ static struct trusted_key_options 
*trusted_options_alloc(void)
if (options) {
/* set any non-zero defaults */
options->keytype = SRK_keytype;
-   options->keyhandle = SRKHANDLE;
+
+   if (tpm_is_tpm2(TPM_ANY_NUM))
+   options->keyhandle = TPM2_SRKHANDLE;
+   else
+   options->keyhandle = TPM1_SRKHANDLE;
}
return options;
 }
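Review bot: `if (tpm_is_tpm2(TPM_ANY_NUM))` treats the `-ENODEV` that tpm_is_tpm2() returns when no chip is found as true, so a system without any TPM gets `TPM2_SRKHANDLE` as its default parent handle; test for `> 0` here and in the two trusted_instantiate() hunks below so that only a confirmed TPM 2.0 chip selects the TPM 2.0 path.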
@@ -937,7 +941,10 @@ static int trusted_instantiate(struct key *key,
 
switch (key_cmd) {
case Opt_load:
-   ret = key_unseal(payload, options);
+   if (tpm_is_tpm2(TPM_ANY_NUM))
+   ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
+   else
+   ret = key_unseal(payload, options);
dump_payload(payload);
dump_options(options);
if (ret < 0)
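Review bot: tpm_is_tpm2(TPM_ANY_NUM) is called again on every instantiation (and once more in the Opt_new hunk below) even though the chip type cannot change at runtime and each call takes and drops a chip reference; computing it once, for example when trusted_options_alloc() picks the default handle, and carrying the answer in `options` would avoid the repeated lookups and keep the seal/unseal selection consistent with the handle chosen there.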
@@ -950,7 +957,10 @@ static int trusted_instantiate(struct key *key,
pr_info("trusted_key: key_create failed (%d)\n", ret);
goto out;
}
-   ret = key_seal(payload, options);
+   if (tpm_is_tpm2(TPM_ANY_NUM))
+   ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
+   else
+   ret = key_seal(payload, options);
if (ret < 0)
pr_info("trusted_key: key_seal failed (%d)\n", ret);
break;
diff --git a/security/keys/trusted.h b/security/keys/trusted.h
index ff001a5..fc32c47 100644
--- a/security/keys/trusted.h
+++ b/security/keys/trusted.h
@@ -12,6 +12,13 @@
 #define TPM_RETURN_OFFSET  6
 #define TPM_DATA_OFFSET10
 
+/* Transient object handles start from 0x8000 in TPM 2.0, which makes it
+ * a sane default.
+ */
+
+#define TPM1_SRKHANDLE 0x4000
+#define TPM2_SRKHANDLE 0x8000
+
 #define LOAD32(buffer, offset) (ntohl(*(uint32_t *)[offset]))
 #define LOAD32N(buffer, offset)(*(uint32_t *)[offset])
 #define LOAD16(buffer, offset) (ntohs(*(uint16_t *)[offset]))
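Review bot: the comment says a transient handle "makes it a sane default", but a transient object only exists until it is flushed or the TPM is reset, so this default only works if the caller has already loaded a parent key into that slot; say so in the comment, since the TPM 1.2 default (`TPM1_SRKHANDLE`) names a key that is always present. Kernel style also puts the opening `/*` of a multi-line comment on its own line.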
-- 
2.5.0



[PATCH] KEYS: use kvfree() in add_key

2015-10-02 Thread Geliang Tang
There is no need to make a flag to tell that this memory is allocated by
kmalloc or vmalloc. Just use kvfree to free the memory.

Signed-off-by: Geliang Tang 
---
 security/keys/keyctl.c | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 0b9ec78..6110fa4 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -67,7 +67,6 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
char type[32], *description;
void *payload;
long ret;
-   bool vm;
 
ret = -EINVAL;
if (plen > 1024 * 1024 - 1)
@@ -98,14 +97,12 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
/* pull the payload in if one was supplied */
payload = NULL;
 
-   vm = false;
if (_payload) {
ret = -ENOMEM;
payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
if (!payload) {
if (plen <= PAGE_SIZE)
goto error2;
-   vm = true;
payload = vmalloc(plen);
if (!payload)
goto error2;
@@ -138,10 +135,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
 
key_ref_put(keyring_ref);
  error3:
-   if (!vm)
-   kfree(payload);
-   else
-   vfree(payload);
+   kvfree(payload);
  error2:
kfree(description);
  error:
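Review bot: `payload` is set to NULL before the allocation and `error3` is also reached on paths that never pulled a payload in, so this relies on `kvfree(NULL)` being a no-op like `kfree(NULL)`; it is, but a sentence in the commit message would save the next reader checking. The only behavioural change is that kvfree()'s own vmalloc-address test now replaces the `vm` flag, which is the simplification the commit message describes.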
-- 
2.5.0




Re: [PATCH v3 2/2] Adds ima_root_ca keyring;

2015-10-02 Thread Mimi Zohar
On Thu, 2015-09-10 at 14:17 +0300, Petko Manolov wrote:
> The .system keyring is populated at kernel build time and read-only while the
> system is running.  There is no way to dynamically add other user's CA so
> .ima_root_ca was introduced as read-write keyring that stores these
> certificates.  CA hierarchy is achieved by allowing import of key material 
> that
> has been signed by CA already present in the .system keyring.
> 
> The new .ima_blacklist is a keyring that holds all revoked IMA keys.  It is
> consulted first, then the .ima keyring.

A couple of minor comments inline below...

> 
> Signed-off-by: Petko Manolov 
> ---
>  crypto/asymmetric_keys/x509_public_key.c |  2 ++
>  include/keys/system_keyring.h| 13 
>  security/integrity/digsig_asymmetric.c   | 13 
>  security/integrity/ima/Kconfig   | 11 +++
>  security/integrity/ima/Makefile  |  1 +
>  security/integrity/ima/ima_root_ca.c | 56 
> 
>  security/integrity/integrity.h   | 13 
>  7 files changed, 109 insertions(+)
>  create mode 100644 security/integrity/ima/ima_root_ca.c
> 
> diff --git a/crypto/asymmetric_keys/x509_public_key.c 
> b/crypto/asymmetric_keys/x509_public_key.c
> index 6d88dd1..e39ca38 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -319,6 +319,8 @@ static int x509_key_preparse(struct key_preparsed_payload 
> *prep)
>   goto error_free_cert;
>   } else if (!prep->trusted) {
>   ret = x509_validate_trust(cert, get_system_trusted_keyring());
> + if (ret)
> + ret = x509_validate_trust(cert, 
> get_ima_root_ca_keyring());
>   if (!ret)
>   prep->trusted = 1;
>   }
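Review bot: x509_key_preparse() runs for every X.509 key added to any keyring, so this fallback sets `prep->trusted = 1` for any certificate that chains to `.ima_root_ca`, not only ones destined for the .ima keyring; if the intent is a CA hierarchy for IMA alone, the extra check belongs where the target keyring is known, or the commit message should state that .ima_root_ca-signed certificates become trusted system-wide.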
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index b20cd88..774de6c 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -35,4 +35,17 @@ extern int system_verify_data(const void *data, unsigned 
> long len,
> enum key_being_used_for usage);
>  #endif
> 
> +#ifdef CONFIG_IMA_ROOT_CA_KEYRING
> +extern struct key *ima_root_ca_keyring;
> +static inline struct key *get_ima_root_ca_keyring(void)
> +{
> + return ima_root_ca_keyring;
> +}
> +#else
> +static inline struct key *get_ima_root_ca_keyring(void)
> +{
> + return NULL;
> +}
> +#endif /* CONFIG_IMA_ROOT_CA_KEYRING */
> +
>  #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig_asymmetric.c 
> b/security/integrity/digsig_asymmetric.c
> index 4fec181..52377d9 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -32,9 +32,22 @@ static struct key *request_asymmetric_key(struct key 
> *keyring, uint32_t keyid)
> 
>   pr_debug("key search: \"%s\"\n", name);
> 
> + key = get_ima_blacklist_keyring();
> + if (key) {
> + key_ref_t kref;
> +
> + kref = keyring_search(make_key_ref(key, 1),
> +  _type_asymmetric, name);
> + if (!IS_ERR(kref)) {
> + pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
> + return ERR_PTR(-EKEYREJECTED);
> + }
> + }
> +
>   if (keyring) {
>   /* search in specific keyring */
>   key_ref_t kref;
> +
>   kref = keyring_search(make_key_ref(keyring, 1),
> _type_asymmetric, name);
>   if (IS_ERR(kref))
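Review bot: on a blacklist hit the `kref` returned by `keyring_search()` is never released: the code logs and returns `ERR_PTR(-EKEYREJECTED)` without a `key_ref_put(kref)`, leaking a reference to the blacklisted key on every lookup. Also, `pr_err` on each verification attempt with a revoked key can flood the log; `pr_err_ratelimited` or a lower level would be safer.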
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index ebe7a907..69426ce 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -146,6 +146,17 @@ config IMA_TRUSTED_KEYRING
>  This option requires that all keys added to the .ima
>  keyring be signed by a key on the system trusted keyring.
> 
> +config IMA_ROOT_CA_KEYRING
> + bool "Create IMA Root CA keyring"
> + depends on IMA_TRUSTED_KEYRING
> + default y
> + help
> +This option creates IMA Root CA keyring.  This is intermediate
> +keyring which sits between the .system and .ima keyrings, effectively
> +creating a simple CA hierarchy.  All keys in it must be signed either
> +by a key in the .system keyring or one which is already in
> +.ima_root_ca_keyring.
> +
>  config IMA_LOAD_X509
>   bool "Load X509 certificate onto the '.ima' trusted keyring"
>   depends on IMA_TRUSTED_KEYRING
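Review bot: `default y` turns the new keyring on for every IMA_TRUSTED_KEYRING build; a mechanism that extends the trust root is usually opt-in, so drop the default. The help text also names the keyring `.ima_root_ca_keyring` while the commit message calls it `.ima_root_ca`; use one name throughout.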
> diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
> index d79263d..b2f9aa0 100644
> --- a/security/integrity/ima/Makefile
> +++ b/security/integrity/ima/Makefile
> @@ -8,3 +8,4 @@ obj-$(CONFIG_IMA) += ima.o
>  ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
>ima_policy.o ima_template.o 

Re: [rfc] [patch] persistent IMA policy file

2015-10-02 Thread Mimi Zohar
On Sun, 2015-09-27 at 18:23 +0300, Petko Manolov wrote:
> On 15-09-23 23:06:54, Mimi Zohar wrote:
> > On Tue, 2015-09-22 at 18:19 +0300, Petko Manolov wrote:
> > > 
> > > Well, this is a sore point.  I don't have sufficient knowledge about how
> > > audit_rule_xxx callbacks work and the only safe workaround i could think of
> > > is to move this call out of the ima_match_policy()'s big RCU read lock.
> > 
> > The LSM rule numbers change when the LSM policy (eg. SELinux) is reloaded.
> > All of the old LSM policy rules will be included in the new policy, so there
> > shouldn't be a problem with simply replacing the old LSM rule number with the
> > new one.
> 
> OK.
> 
> > > I suggest that we run another list_for_each_entry(entry, ima_rules, list) 
> > > loop and update the LSM rules there, where taking a mutex is legal.  What 
> > > would you say?
> > 
> > The mutex prevented the concurrent update.  As there shouldn't be any side
> > effects with updating the field multiple times, I would leave it alone.
> 
> This means the patch stays as it is?

Yes.

> > > Yes, i did.  The problem with list_splice_tail_init() is not RCU safe and it
> > > does pointer assignment in the wrong way for us.  If i used it i should have
> > > put spinlocks around the call, which i thought i can avoid.
> > > 
> > > include/linux/rculist.h has only one splice routine, list_splice_init_rcu(),
> > > but it creates stack structure, not queue.
> > > 
> > > The pointers assignment is done in such order so any in-flight readers will
> > > either see the old policy or the combined one, not a disjointed version of
> > > it.  This is guaranteed by the way the readers walk the list, IOW - forward.
> > > 
> > > This line is the key: rcu_assign_pointer(list_next_rcu(policy->prev), first);
> > 
> > Fine, eventually this code should be moved to rculist.h.
> 
> I just sent a patch to Paul McKenney doing just that.  However, i suggest that
> we don't wait for him applying the said patch as it may take some time.

Agreed.

> Do you want me to do anything else or the two patches i sent earlier (one adding
> additional keyring and another for IMA policy updates) are OK for mainlining?
> 
> As far as i can tell we're late for 4.3, but let's aim for 4.4 window.

Definitely way too late for 4.3.  In general, for patches being
upstreamed via the linux-security subsystem, patches are first
upstreamed via their respective trees.  For integrity, the patches first
go into the linux-integrity next branch.  (linux-next automatically
picks up these patches.)   Pull requests for the different
linux-security subsystems (eg. SELinux, smack, apparmor, capabilities,
YAMA, integrity, etc)  are sent around rc4 to James.  During the open
window, James sends a pull request to Linus.

Mimi

> 
> thanks,
> Petko




Re: [PATCH 1/1] integrity: prevent loading untrusted certificates to IMA trusted keyring

2015-10-02 Thread Mimi Zohar
On Thu, 2015-09-10 at 22:06 +0300, Dmitry Kasatkin wrote:
> If IMA_LOAD_X509 is enabled either directly or indirectly via
> IMA_APPRAISE_SIGNED_INIT, it enables certificate loading to the IMA trusted
> keyring from the kernel. Due to the overlook, KEY_ALLOC_TRUSTED was used in the
> key_create_or_update() to create keys within the kernel, which caused
> overriding certificate verification result and allowed to load self-signed or
> wrongly signed certificates.
> 
> This patch just removes this option.

Thanks!

Mimi

> 
> Signed-off-by: Dmitry Kasatkin 
> Cc:   # 3.19+
> ---
>  security/integrity/digsig.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 36fb6b5..5be9ffb 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -105,7 +105,7 @@ int __init integrity_load_x509(const unsigned int id, 
> const char *path)
>  rc,
>  ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
>   KEY_USR_VIEW | KEY_USR_READ),
> -KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED);
> +KEY_ALLOC_NOT_IN_QUOTA);
>   if (IS_ERR(key)) {
>   rc = PTR_ERR(key);
>   pr_err("Problem loading X.509 certificate (%d): %s\n",
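Review bot: with `KEY_ALLOC_TRUSTED` dropped, the trust decision for the certificate loaded by integrity_load_x509() comes solely from the preparse step, so a certificate at `path` that does not chain to the system keyring is now rejected instead of silently accepted; the commit message should say that existing deployments (notably IMA_APPRAISE_SIGNED_INIT) must have their .ima certificate signed by a .system key, and the `pr_err("Problem loading X.509 certificate ...")` just below is what will surface the new failure at boot. The stable Cc is appropriate since the old behaviour bypassed the verification the option exists to enforce.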

