56104cf2b8
Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) that, when enabled, allows keys to be added to the IMA keyrings by userspace - with the restriction that each must be signed by a key in the system trusted keyrings. EPERM will be returned if this option is disabled, ENOKEY will be returned if no authoritative key can be found and EKEYREJECTED will be returned if the signature doesn't match. Other errors such as ENOPKG may also be returned. If this new option is enabled, the builtin system keyring is searched, as is the secondary system keyring if that is also enabled. Intermediate keys between the builtin system keyring and the key being added can be added to the secondary keyring (which replaces .ima_mok) to form a trust chain - provided they are also validly signed by a key in one of the trusted keyrings. The .ima_mok keyring is then removed and the IMA blacklist keyring gets its own config option (IMA_BLACKLIST_KEYRING). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
46 lines
1.1 KiB
C
46 lines
1.1 KiB
C
/*
|
|
* Copyright (C) 2015 Juniper Networks, Inc.
|
|
*
|
|
* Author:
|
|
* Petko Manolov <petko.manolov@konsulko.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*
|
|
*/
|
|
|
|
#include <linux/export.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/err.h>
|
|
#include <linux/init.h>
|
|
#include <keys/system_keyring.h>
|
|
|
|
|
|
struct key *ima_blacklist_keyring;
|
|
|
|
/*
|
|
* Allocate the IMA blacklist keyring
|
|
*/
|
|
__init int ima_mok_init(void)
|
|
{
|
|
pr_notice("Allocating IMA blacklist keyring.\n");
|
|
|
|
ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
|
|
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
|
|
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
|
KEY_USR_VIEW | KEY_USR_READ |
|
|
KEY_USR_WRITE | KEY_USR_SEARCH,
|
|
KEY_ALLOC_NOT_IN_QUOTA,
|
|
restrict_link_by_builtin_trusted, NULL);
|
|
|
|
if (IS_ERR(ima_blacklist_keyring))
|
|
panic("Can't allocate IMA blacklist keyring.");
|
|
|
|
set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
|
|
return 0;
|
|
}
|
|
device_initcall(ima_mok_init);
|