• David Howells's avatar
    KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings · 7488aaea
    David Howells authored
    commit ee8f844e upstream.
    
    This fixes CVE-2016-9604.
    
    Keyrings whose name begin with a '.' are special internal keyrings and so
    userspace isn't allowed to create keyrings by this name to prevent
    shadowing.  However, the patch that added the guard didn't fix
    KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
    it can also subscribe to them as a session keyring if they grant SEARCH
    permission to the user.
    
    This, for example, allows a root process to set .builtin_trusted_keys as
    its session keyring, at which point it has full access because now the
    possessor permissions are added.  This permits root to add extra public
    keys, thereby bypassing module verification.
    
    This also affects kexec and IMA.
    
    This can be tested by (as root):
    
    	keyctl session .builtin_trusted_keys
    	keyctl add user a a @s
    	keyctl list @s
    
    which on my test box gives me:
    
    	2 keys in keyring:
    	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
    	801382539: --alswrv     0     0 user: a
    
    
    Fix this by rejecting names beginning with a '.' in the keyctl.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    cc: linux-ima-devel@lists.sourceforge.net
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    7488aaea
keyctl.c 39.4 KB