1. 14 Sep, 2011 8 commits
    • Dmitry Kasatkin's avatar
      evm: clean verification status · fb788d8b
      Dmitry Kasatkin authored
      When allocating from slab, initialization is done the first time in
      init_once() and subsequently on free.  Because evm_status was not
      re-initialized on free, evm_verify_hmac() skipped verifications.
      
      This patch re-initializes evm_status.
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      fb788d8b
    • Mimi Zohar's avatar
      evm: permit mode bits to be updated · 566be59a
      Mimi Zohar authored
      Before permitting 'security.evm' to be updated, 'security.evm' must
      exist and be valid.  In the case that there are no existing EVM protected
      xattrs, it is safe for posix acls to update the mode bits.
      
      To differentiate between no 'security.evm' xattr and no xattrs used to
      calculate 'security.evm', this patch defines INTEGRITY_NOXATTR.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      566be59a
    • Mimi Zohar's avatar
      evm: posix acls modify i_mode · bf6d0f5d
      Mimi Zohar authored
      The posix xattr acls are 'system' prefixed, which normally would not
      affect security.evm.  An interesting side affect of writing posix xattr
      acls is their modifying of the i_mode, which is included in security.evm.
      
      This patch updates security.evm when posix xattr acls are written.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      bf6d0f5d
    • Mimi Zohar's avatar
      evm: limit verifying current security.evm integrity · a924ce0b
      Mimi Zohar authored
      evm_protect_xattr unnecessarily validates the current security.evm
      integrity, before updating non-evm protected extended attributes
      and other file metadata. This patch limits validating the current
      security.evm integrity to evm protected metadata.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      a924ce0b
    • Mimi Zohar's avatar
      evm: fix security/security_old_init_security return code · fb88c2b6
      Mimi Zohar authored
      security_inode_init_security previously returned -EOPNOTSUPP, for S_PRIVATE
      inodes, and relied on the callers to change it to 0.  As the callers do not
      change the return code anymore, return 0, intead of -EOPNOTSUPP.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      fb88c2b6
    • Mimi Zohar's avatar
      evm: remove TCG_TPM dependency · 1d714057
      Mimi Zohar authored
      All tristates selected by EVM(boolean) are forced to be builtin, except
      in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the
      Kconfig bug as, "So it would seem direct dependency state influence the
      state of reverse dependencies.."  For a detailed explanation, refer to
      Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.
      
      With the "encrypted-keys: remove trusted-keys dependency" patch, EVM
      can now be built without a dependency on TCG_TPM.  The trusted-keys
      dependency requires trusted-keys to either be builtin or not selected.
      This dependency will prevent the boolean/tristate mismatch from
      occuring.
      
      Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>,
                   Randy Dunlap <rdunlap@xenotimenet>
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      1d714057
    • Mimi Zohar's avatar
      encrypted-keys: remove trusted-keys dependency · 982e617a
      Mimi Zohar authored
      Encrypted keys are decrypted/encrypted using either a trusted-key or,
      for those systems without a TPM, a user-defined key.  This patch
      removes the trusted-keys and TCG_TPM dependencies.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      982e617a
    • Mimi Zohar's avatar
      encrypted-keys: create encrypted-keys directory · 61cf45d0
      Mimi Zohar authored
      Move all files associated with encrypted keys to keys/encrypted-keys.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      61cf45d0
  2. 13 Sep, 2011 5 commits
  3. 09 Sep, 2011 18 commits
  4. 23 Aug, 2011 2 commits
  5. 22 Aug, 2011 7 commits
    • David Howells's avatar
      KEYS: Correctly destroy key payloads when their keytype is removed · 0c061b57
      David Howells authored
      unregister_key_type() has code to mark a key as dead and make it unavailable in
      one loop and then destroy all those unavailable key payloads in the next loop.
      However, the loop to mark keys dead renders the key undetectable to the second
      loop by changing the key type pointer also.
      
      Fix this by the following means:
      
       (1) The key code has two garbage collectors: one deletes unreferenced keys and
           the other alters keyrings to delete links to old dead, revoked and expired
           keys.  They can end up holding each other up as both want to scan the key
           serial tree under spinlock.  Combine these into a single routine.
      
       (2) Move the dead key marking, dead link removal and dead key removal into the
           garbage collector as a three phase process running over the three cycles
           of the normal garbage collection procedure.  This is tracked by the
           KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.
      
           unregister_key_type() then just unlinks the key type from the list, wakes
           up the garbage collector and waits for the third phase to complete.
      
       (3) Downgrade the key types sem in unregister_key_type() once it has deleted
           the key type from the list so that it doesn't block the keyctl() syscall.
      
       (4) Dead keys that cannot be simply removed in the third phase have their
           payloads destroyed with the key's semaphore write-locked to prevent
           interference by the keyctl() syscall.  There should be no in-kernel users
           of dead keys of that type by the point of unregistration, though keyctl()
           may be holding a reference.
      
       (5) Only perform timer recalculation in the GC if the timer actually expired.
           If it didn't, we'll get another cycle when it goes off - and if the key
           that actually triggered it has been removed, it's not a problem.
      
       (6) Only garbage collect link if the timer expired or if we're doing dead key
           clean up phase 2.
      
       (7) As only key_garbage_collector() is permitted to use rb_erase() on the key
           serial tree, it doesn't need to revalidate its cursor after dropping the
           spinlock as the node the cursor points to must still exist in the tree.
      
       (8) Drop the spinlock in the GC if there is contention on it or if we need to
           reschedule.  After dealing with that, get the spinlock again and resume
           scanning.
      
      This has been tested in the following ways:
      
       (1) Run the keyutils testsuite against it.
      
       (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:
      
           Load the rxrpc_s key type:
      
      	# insmod /tmp/af-rxrpc.ko
      	# insmod /tmp/rxkad.ko
      
           Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):
      
      	# /tmp/listen &
      	[1] 8173
      
           Find the key:
      
      	# grep rxrpc_s /proc/keys
      	091086e1 I--Q--     1 perm 39390000     0     0 rxrpc_s   52:2
      
           Link it to a session keyring, preferably one with a higher serial number:
      
      	# keyctl link 0x20e36251 @s
      
           Kill the process (the key should remain as it's linked to another place):
      
      	# fg
      	/tmp/listen
      	^C
      
           Remove the key type:
      
      	rmmod rxkad
      	rmmod af-rxrpc
      
           This can be made a more effective test by altering the following part of
           the patch:
      
      	if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
      		/* Make sure everyone revalidates their keys if we marked a
      		 * bunch as being dead and make sure all keyring ex-payloads
      		 * are destroyed.
      		 */
      		kdebug("dead sync");
      		synchronize_rcu();
      
           To call synchronize_rcu() in GC phase 1 instead.  That causes that the
           keyring's old payload content to hang around longer until it's RCU
           destroyed - which usually happens after GC phase 3 is complete.  This
           allows the destroy_dead_key branch to be tested.
      Reported-by: default avatarBenjamin Coddington <bcodding@gmail.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      0c061b57
    • David Howells's avatar
      KEYS: The dead key link reaper should be non-reentrant · d199798b
      David Howells authored
      The dead key link reaper should be non-reentrant as it relies on global state
      to keep track of where it's got to when it returns to the work queue manager to
      give it some air.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      d199798b
    • David Howells's avatar
      KEYS: Make the key reaper non-reentrant · b072e9bc
      David Howells authored
      Make the key reaper non-reentrant by sticking it on the appropriate system work
      queue when we queue it.  This will allow it to have global state and drop
      locks.  It should probably be non-reentrant already as it may spend a long time
      holding the key serial spinlock, and so multiple entrants can spend long
      periods of time just sitting there spinning, waiting to get the lock.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      b072e9bc
    • David Howells's avatar
      KEYS: Move the unreferenced key reaper to the keys garbage collector file · 8bc16dea
      David Howells authored
      Move the unreferenced key reaper function to the keys garbage collector file
      as that's a more appropriate place with the dead key link reaper.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      8bc16dea
    • David Howells's avatar
      CRED: Fix prepare_kernel_cred() to provide a new thread_group_cred struct · 012146d0
      David Howells authored
      Fix prepare_kernel_cred() to provide a new, separate thread_group_cred struct
      otherwise when using request_key() ____call_usermodehelper() calls
      umh_keys_init() with the new creds pointing to init_tgcred, which
      umh_keys_init() then blithely alters.
      
      The problem can be demonstrated by:
      
      	# keyctl request2 user a debug:a @s
      	249681132
      	# grep req /proc/keys
      	079906a5 I--Q--     1 perm 1f3f0000     0     0 keyring   _req.249681132: 1/4
      	38ef1626 IR----     1 expd 0b010000     0     0 .request_ key:ee1d4ec pid:4371 ci:1
      
      The keyring _req.XXXX should have gone away, but something (init_tgcred) is
      pinning it.
      
      That key actually requested can then be removed and a new one created:
      
      	# keyctl unlink 249681132
      	1 links removed
      	[root@andromeda ~]# grep req /proc/keys
      	116cecac IR----     1 expd 0b010000     0     0 .request_ key:eeb4911 pid:4379 ci:1
      	36d1cbf8 I--Q--     1 perm 1f3f0000     0     0 keyring   _req.250300689: 1/4
      
      which causes the old _req keyring to go away and a new one to take its place.
      
      This is a consequence of the changes in:
      
      	commit 87966996
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Fri Jun 17 11:25:59 2011 +0100
      	KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring
      
      and:
      
      	commit 17f60a7d
      	Author: Eric Paris <eparis@redhat.com>
      	Date:   Fri Apr 1 17:07:50 2011 -0400
      	capabilites: allow the application of capability limits to usermode helpers
      
      After this patch is applied, the _req keyring and the .request_key key are
      cleaned up.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      012146d0
    • David Howells's avatar
      KEYS: __key_link() should use the RCU deref wrapper for keyring payloads · 6d528b08
      David Howells authored
      __key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()
      for accessing keyring payloads rather than calling rcu_dereference_protected()
      directly.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      6d528b08
    • David Howells's avatar
      KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set · 3ecf1b4f
      David Howells authored
      The keyctl call:
      
      	keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)
      
      should create a session keyring if the process doesn't have one of its own
      because the create flag argument is set - rather than subscribing to and
      returning the user-session keyring as:
      
      	keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)
      
      will do.
      
      This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
      running the following program a couple of times in a row:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <keyutils.h>
      	int main(int argc, char *argv[])
      	{
      		key_serial_t uk, usk, sk, nsk;
      		uk  = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
      		usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
      		sk  = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
      		nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
      		printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
      		return 0;
      	}
      
      Without this patch, I see:
      
      	keys: 3975ddc7 119c0c66 119c0c66 119c0c66
      	keys: 3975ddc7 119c0c66 119c0c66 119c0c66
      
      With this patch, I see:
      
      	keys: 2cb4997b 34112878 34112878 17db2ce3
      	keys: 2cb4997b 34112878 34112878 39f3c73e
      
      As can be seen, the session keyring starts off the same as the user-session
      keyring each time, but with the patch a new session keyring is created when
      the create flag is set.
      Reported-by: default avatarGreg Wettstein <greg@enjellic.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarGreg Wettstein <greg@enjellic.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      3ecf1b4f