Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Parsers may not have the same name.  The names are otherwise only used for

displaying in debugging messages.

=========================

KEYRING LINK RESTRICTIONS

=========================

Keyrings created from userspace using add_key can be configured to check the

signature of the key being linked.

Several restriction methods are available:

 (1) Restrict using the kernel builtin trusted keyring

     - Option string used with KEYCTL_RESTRICT_KEYRING:

       - "builtin_trusted"

     The kernel builtin trusted keyring will be searched for the signing

     key. The ca_keys kernel parameter also affects which keys are used for

     signature verification.

 (2) Restrict using the kernel builtin and secondary trusted keyrings

     - Option string used with KEYCTL_RESTRICT_KEYRING:

       - "builtin_and_secondary_trusted"

     The kernel builtin and secondary trusted keyrings will be searched for the

     signing key. The ca_keys kernel parameter also affects which keys are used

     for signature verification.

 (3) Restrict using a separate key or keyring

     - Option string used with KEYCTL_RESTRICT_KEYRING:

       - "key_or_keyring:<key or keyring serial number>[:chain]"

     Whenever a key link is requested, the link will only succeed if the key

     being linked is signed by one of the designated keys. This key may be

     specified directly by providing a serial number for one asymmetric key, or

     a group of keys may be searched for the signing key by providing the

     serial number for a keyring.

     When the "chain" option is provided at the end of the string, the keys

     within the destination keyring will also be searched for signing keys.

     This allows for verification of certificate chains by adding each

     cert in order (starting closest to the root) to one keyring.

In all of these cases, if the signing key is found the signature of the key to

be linked will be verified using the signing key.  The requested key is added

to the keyring only if the signature is successfully verified.  -ENOKEY is

returned if the parent certificate could not be found, or -EKEYREJECTED is

returned if the signature check fails or the key is blacklisted.  Other errors

may be returned if the signature check could not be performed.

       long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params,

		   char *buffer, size_t buflen,

		   void *reserved);

		   struct keyctl_kdf_params *kdf);

     The params struct contains serial numbers for three keys:

     public key.  If the base is the remote public key, the result is

     the shared secret.

     The reserved argument must be set to NULL.

     If the parameter kdf is NULL, the following applies:

     The buffer length must be at least the length of the prime, or zero.

	 - The buffer length must be at least the length of the prime, or zero.

     If the buffer length is nonzero, the length of the result is

	 - If the buffer length is nonzero, the length of the result is

	   returned when it is successfully calculated and copied in to the

	   buffer. When the buffer length is zero, the minimum required

	   buffer length is returned.

     The kdf parameter allows the caller to apply a key derivation function

     (KDF) on the Diffie-Hellman computation where only the result

     of the KDF is returned to the caller. The KDF is characterized with

     struct keyctl_kdf_params as follows:

	 - char *hashname specifies the NUL terminated string identifying

	   the hash used from the kernel crypto API and applied for the KDF

	   operation. The KDF implemenation complies with SP800-56A as well

	   as with SP800-108 (the counter KDF).

	 - char *otherinfo specifies the OtherInfo data as documented in

	   SP800-56A section 5.8.1.2. The length of the buffer is given with

	   otherinfolen. The format of OtherInfo is defined by the caller.

	   The otherinfo pointer may be NULL if no OtherInfo shall be used.

     This function will return error EOPNOTSUPP if the key type is not

     supported, error ENOKEY if the key could not be found, or error

     EACCES if the key is not readable by the caller.

     EACCES if the key is not readable by the caller. In addition, the

     function will return EMSGSIZE when the parameter kdf is non-NULL

     and either the buffer length or the OtherInfo length exceeds the

     allowed length.

 (*) Restrict keyring linkage

       long keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring,

		   const char *type, const char *restriction);

     An existing keyring can restrict linkage of additional keys by evaluating

     the contents of the key according to a restriction scheme.

     "keyring" is the key ID for an existing keyring to apply a restriction

     to. It may be empty or may already have keys linked. Existing linked keys

     will remain in the keyring even if the new restriction would reject them.

     "type" is a registered key type.

     "restriction" is a string describing how key linkage is to be restricted.

     The format varies depending on the key type, and the string is passed to

     the lookup_restriction() function for the requested type.  It may specify

     a method and relevant data for the restriction such as signature

     verification or constraints on key payload. If the requested key type is

     later unregistered, no keys may be added to the keyring after the key type

     is removed.

     To apply a keyring restriction the process must have Set Attribute

     permission and the keyring must not be previously restricted.

===============

KERNEL SERVICES

	struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,

				  const struct cred *cred,

				  key_perm_t perm,

				  int (*restrict_link)(struct key *,

						       const struct key_type *,

						       unsigned long,

						       const union key_payload *),

				  struct key_restriction *restrict_link,

				  unsigned long flags,

				  struct key *dest);

    KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted

    towards the user's quota).  Error ENOMEM can also be returned.

    If restrict_link not NULL, it should point to a function that will be

    called each time an attempt is made to link a key into the new keyring.

    This function is called to check whether a key may be added into the keying

    or not.  Callers of key_create_or_update() within the kernel can pass

    KEY_ALLOC_BYPASS_RESTRICTION to suppress the check.  An example of using

    this is to manage rings of cryptographic keys that are set up when the

    kernel boots where userspace is also permitted to add keys - provided they

    can be verified by a key the kernel already has.

    If restrict_link is not NULL, it should point to a structure that contains

    the function that will be called each time an attempt is made to link a

    key into the new keyring.  The structure may also contain a key pointer

    and an associated key type.  The function is called to check whether a key

    may be added into the keyring or not.  The key type is used by the garbage

    collector to clean up function or data pointers in this structure if the

    given key type is unregistered.  Callers of key_create_or_update() within

    the kernel can pass KEY_ALLOC_BYPASS_RESTRICTION to suppress the check.

    An example of using this is to manage rings of cryptographic keys that are

    set up when the kernel boots where userspace is also permitted to add keys

    - provided they can be verified by a key the kernel already has.

    When called, the restriction function will be passed the keyring being

    added to, the key flags value and the type and payload of the key being

    added.  Note that when a new key is being created, this is called between

    payload preparsing and actual key creation.  The function should return 0

    to allow the link or an error to reject it.

    added to, the key type, the payload of the key being added, and data to be

    used in the restriction check.  Note that when a new key is being created,

    this is called between payload preparsing and actual key creation.  The

    function should return 0 to allow the link or an error to reject it.

    A convenience function, restrict_link_reject, exists to always return

    -EPERM to in this case.

     	 The authorisation key.

 (*) struct key_restriction *(*lookup_restriction)(const char *params);

     This optional method is used to enable userspace configuration of keyring

     restrictions. The restriction parameter string (not including the key type

     name) is passed in, and this method returns a pointer to a key_restriction

     structure containing the relevant functions and data to evaluate each

     attempted key link operation. If there is no match, -EINVAL is returned.

============================

REQUEST-KEY CALLBACK SERVICE

============================

	  those keys are not blacklisted and are vouched for by a key built

	  into the kernel or already in the secondary trusted keyring.

config SYSTEM_BLACKLIST_KEYRING

	bool "Provide system-wide ring of blacklisted keys"

	depends on KEYS

	help

	  Provide a system keyring to which blacklisted keys can be added.

	  Keys in the keyring are considered entirely untrusted.  Keys in this

	  keyring are used by the module signature checking to reject loading

	  of modules signed with a blacklisted key.

config SYSTEM_BLACKLIST_HASH_LIST

	string "Hashes to be preloaded into the system blacklist keyring"

	depends on SYSTEM_BLACKLIST_KEYRING

	help

	  If set, this option should be the filename of a list of hashes in the

	  form "<hash>", "<hash>", ... .  This will be included into a C

	  wrapper to incorporate the list into the kernel.  Each <hash> should

	  be a string of hex digits.

endmenu

#

obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o

obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o

ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")

obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o

else

obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o

endif

ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)

/* System hash blacklist.

 *

 * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.

 * Written by David Howells (dhowells@redhat.com)

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public Licence

 * as published by the Free Software Foundation; either version

 * 2 of the Licence, or (at your option) any later version.

 */

#define pr_fmt(fmt) "blacklist: "fmt

#include <linux/module.h>

#include <linux/slab.h>

#include <linux/key.h>

#include <linux/key-type.h>

#include <linux/sched.h>

#include <linux/ctype.h>

#include <linux/err.h>

#include <linux/seq_file.h>

#include <keys/system_keyring.h>

#include "blacklist.h"

static struct key *blacklist_keyring;

/*

 * The description must be a type prefix, a colon and then an even number of

 * hex digits.  The hash is kept in the description.

 */

static int blacklist_vet_description(const char *desc)

{

	int n = 0;

	if (*desc == ':')

		return -EINVAL;

	for (; *desc; desc++)

		if (*desc == ':')

			goto found_colon;

	return -EINVAL;

found_colon:

	desc++;

	for (; *desc; desc++) {

		if (!isxdigit(*desc))

			return -EINVAL;

		n++;

	}

	if (n == 0 || n & 1)

		return -EINVAL;

	return 0;

}

/*

 * The hash to be blacklisted is expected to be in the description.  There will

 * be no payload.

 */

static int blacklist_preparse(struct key_preparsed_payload *prep)

{

	if (prep->datalen > 0)

		return -EINVAL;

	return 0;

}

static void blacklist_free_preparse(struct key_preparsed_payload *prep)

{

}

static void blacklist_describe(const struct key *key, struct seq_file *m)

{

	seq_puts(m, key->description);

}

static struct key_type key_type_blacklist = {

	.name			= "blacklist",

	.vet_description	= blacklist_vet_description,

	.preparse		= blacklist_preparse,

	.free_preparse		= blacklist_free_preparse,

	.instantiate		= generic_key_instantiate,

	.describe		= blacklist_describe,

};

/**

 * mark_hash_blacklisted - Add a hash to the system blacklist

 * @hash - The hash as a hex string with a type prefix (eg. "tbs:23aa429783")

 */

int mark_hash_blacklisted(const char *hash)

{

	key_ref_t key;

	key = key_create_or_update(make_key_ref(blacklist_keyring, true),

				   "blacklist",

				   hash,

				   NULL,

				   0,

				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

				    KEY_USR_VIEW),

				   KEY_ALLOC_NOT_IN_QUOTA |

				   KEY_ALLOC_BUILT_IN);

	if (IS_ERR(key)) {

		pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));

		return PTR_ERR(key);

	}

	return 0;

}

/**

 * is_hash_blacklisted - Determine if a hash is blacklisted

 * @hash: The hash to be checked as a binary blob

 * @hash_len: The length of the binary hash

 * @type: Type of hash

 */

int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)

{

	key_ref_t kref;

	size_t type_len = strlen(type);

	char *buffer, *p;

	int ret = 0;

	buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);

	if (!buffer)

		return -ENOMEM;

	p = memcpy(buffer, type, type_len);

	p += type_len;

	*p++ = ':';

	bin2hex(p, hash, hash_len);

	p += hash_len * 2;

	*p = 0;

	kref = keyring_search(make_key_ref(blacklist_keyring, true),

			      &key_type_blacklist, buffer);

	if (!IS_ERR(kref)) {

		key_ref_put(kref);

		ret = -EKEYREJECTED;

	}

	kfree(buffer);

	return ret;

}

EXPORT_SYMBOL_GPL(is_hash_blacklisted);

/*

 * Intialise the blacklist

 */

static int __init blacklist_init(void)

{

	const char *const *bl;

	if (register_key_type(&key_type_blacklist) < 0)

		panic("Can't allocate system blacklist key type\n");

	blacklist_keyring =

		keyring_alloc(".blacklist",

			      KUIDT_INIT(0), KGIDT_INIT(0),

			      current_cred(),

			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |

			      KEY_USR_VIEW | KEY_USR_READ |

			      KEY_USR_SEARCH,

			      KEY_ALLOC_NOT_IN_QUOTA |

			      KEY_FLAG_KEEP,

			      NULL, NULL);

	if (IS_ERR(blacklist_keyring))

		panic("Can't allocate system blacklist keyring\n");

	for (bl = blacklist_hashes; *bl; bl++)

		if (mark_hash_blacklisted(*bl) < 0)

			pr_err("- blacklisting failed\n");

	return 0;

}

/*

 * Must be initialised before we try and load the keys into the keyring.

 */

device_initcall(blacklist_init);