linux/security/integrity/ima/ima_asymmetric_keys.c

// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (C) 2019 Microsoft Corporation
 *
 * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
 *
 * File: ima_asymmetric_keys.c
 *       Defines an IMA hook to measure asymmetric keys on key
 *       create or update.
 */

#include <keys/asymmetric-type.h>
#include <linux/user_namespace.h>
#include <linux/ima.h>
#include "ima.h"

/**
 * ima_post_key_create_or_update - measure asymmetric keys
 * @keyring: keyring to which the key is linked to
 * @key: created or updated key
 * @payload: The data used to instantiate or update the key.
 * @payload_len: The length of @payload.
 * @flags: key flags
 * @create: flag indicating whether the key was created or updated
 *
 * Keys can only be measured, not appraised.
 * The payload data used to instantiate or update the key is measured.
 */
void ima_post_key_create_or_update(struct key *keyring, struct key *key,
				   const void *payload, size_t payload_len,
				   unsigned long flags, bool create)
{
	bool queued = false;

	/* Only asymmetric keys are handled by this hook. */
	if (key->type != &key_type_asymmetric)
		return;

	if (!payload || (payload_len == 0))
		return;

	if (ima_should_queue_key())
		queued = ima_queue_key(keyring, payload, payload_len);

	if (queued)
		return;

	/*
	 * keyring->description points to the name of the keyring
	 * (such as ".builtin_trusted_keys", ".ima", etc.) to
	 * which the given key is linked to.
	 *
	 * The name of the keyring is passed in the "eventname"
	 * parameter to process_buffer_measurement() and is set
	 * in the "eventname" field in ima_event_data for
	 * the key measurement IMA event.
	 *
	 * The name of the keyring is also passed in the "keyring"
	 * parameter to process_buffer_measurement() to check
	 * if the IMA policy is configured to measure a key linked
	 * to the given keyring.
	 */
	process_buffer_measurement(&nop_mnt_idmap, NULL, payload, payload_len,
				   keyring->description, KEY_CHECK, 0,
				   keyring->description, false, NULL, 0);
}
IMA: Define an IMA hook to measure keys Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:04 +03:00			`// SPDX-License-Identifier: GPL-2.0+`
			`/*`
			`* Copyright (C) 2019 Microsoft Corporation`
			`*`
			`* Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)`
			`*`
			`* File: ima_asymmetric_keys.c`
			`* Defines an IMA hook to measure asymmetric keys on key`
			`* create or update.`
			`*/`

			`#include <keys/asymmetric-type.h>`
ima: handle idmapped mounts IMA does sometimes access the inode's i_uid and compares it against the rules' fowner. Enable IMA to handle idmapped mounts by passing down the mount's user namespace. We simply make use of the helpers we introduced before. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-27-christian.brauner@ubuntu.com Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> 2021-01-21 16:19:45 +03:00			`#include <linux/user_namespace.h>`
ima: Include header defining ima_post_key_create_or_update() This patch fixes the sparse warning for ima_post_key_create_or_update() by adding the header file that defines the prototype (linux/ima.h). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-08 15:31:23 +03:00			`#include <linux/ima.h>`
IMA: Define an IMA hook to measure keys Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:04 +03:00			`#include "ima.h"`

			`/**`
			`* ima_post_key_create_or_update - measure asymmetric keys`
			`* @keyring: keyring to which the key is linked to`
			`* @key: created or updated key`
			`* @payload: The data used to instantiate or update the key.`
			`* @payload_len: The length of @payload.`
			`* @flags: key flags`
			`* @create: flag indicating whether the key was created or updated`
			`*`
			`* Keys can only be measured, not appraised.`
			`* The payload data used to instantiate or update the key is measured.`
			`*/`
			`void ima_post_key_create_or_update(struct key keyring, struct key key,`
			`const void *payload, size_t payload_len,`
			`unsigned long flags, bool create)`
			`{`
IMA: Call workqueue functions to measure queued keys Measuring keys requires a custom IMA policy to be loaded. Keys should be queued for measurement if a custom IMA policy is not yet loaded. Keys queued for measurement, if any, should be processed when a custom policy is loaded. This patch updates the IMA hook function ima_post_key_create_or_update() to queue the key if a custom IMA policy has not yet been loaded. And, ima_update_policy() function, which is called when a custom IMA policy is loaded, is updated to process queued keys. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-23 04:32:05 +03:00			`bool queued = false;`

IMA: Define an IMA hook to measure keys Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:04 +03:00			`/* Only asymmetric keys are handled by this hook. */`
			`if (key->type != &key_type_asymmetric)`
			`return;`

			`if (!payload \|\| (payload_len == 0))`
			`return;`

IMA: Call workqueue functions to measure queued keys Measuring keys requires a custom IMA policy to be loaded. Keys should be queued for measurement if a custom IMA policy is not yet loaded. Keys queued for measurement, if any, should be processed when a custom policy is loaded. This patch updates the IMA hook function ima_post_key_create_or_update() to queue the key if a custom IMA policy has not yet been loaded. And, ima_update_policy() function, which is called when a custom IMA policy is loaded, is updated to process queued keys. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-23 04:32:05 +03:00			`if (ima_should_queue_key())`
			`queued = ima_queue_key(keyring, payload, payload_len);`

			`if (queued)`
			`return;`

IMA: Define an IMA hook to measure keys Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:04 +03:00			`/*`
			`* keyring->description points to the name of the keyring`
			`* (such as ".builtin_trusted_keys", ".ima", etc.) to`
			`* which the given key is linked to.`
			`*`
			`* The name of the keyring is passed in the "eventname"`
			`* parameter to process_buffer_measurement() and is set`
			`* in the "eventname" field in ima_event_data for`
			`* the key measurement IMA event.`
IMA: Add support to limit measuring keys Limit measuring keys to those keys being loaded onto a given set of keyrings only and when the user id (uid) matches if uid is specified in the policy. This patch defines a new IMA policy option namely "keyrings=" that can be used to specify a set of keyrings. If this option is specified in the policy for "measure func=KEY_CHECK" then only the keys loaded onto a keyring given in the "keyrings=" option are measured. If uid is specified in the policy then the key is measured only if the current user id matches the one specified in the policy. Added a new parameter namely "keyring" (name of the keyring) to process_buffer_measurement(). The keyring name is passed to ima_get_action() to determine the required action. ima_match_rules() is updated to check keyring in the policy, if specified, for KEY_CHECK function. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:06 +03:00			`*`
			`* The name of the keyring is also passed in the "keyring"`
			`* parameter to process_buffer_measurement() to check`
			`* if the IMA policy is configured to measure a key linked`
			`* to the given keyring.`
IMA: Define an IMA hook to measure keys Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:04 +03:00			`*/`
fs: port xattr to mnt_idmap Convert to struct mnt_idmap. Last cycle we merged the necessary infrastructure in 256c8aed2b42 ("fs: introduce dedicated idmap type for mounts"). This is just the conversion to struct mnt_idmap. Currently we still pass around the plain namespace that was attached to a mount. This is in general pretty convenient but it makes it easy to conflate namespaces that are relevant on the filesystem with namespaces that are relevent on the mount level. Especially for non-vfs developers without detailed knowledge in this area this can be a potential source for bugs. Once the conversion to struct mnt_idmap is done all helpers down to the really low-level helpers will take a struct mnt_idmap argument instead of two namespace arguments. This way it becomes impossible to conflate the two eliminating the possibility of any bugs. All of the vfs and all filesystems only operate on struct mnt_idmap. Acked-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> 2023-01-13 14:49:23 +03:00			`process_buffer_measurement(&nop_mnt_idmap, NULL, payload, payload_len,`
IMA: Add support to limit measuring keys Limit measuring keys to those keys being loaded onto a given set of keyrings only and when the user id (uid) matches if uid is specified in the policy. This patch defines a new IMA policy option namely "keyrings=" that can be used to specify a set of keyrings. If this option is specified in the policy for "measure func=KEY_CHECK" then only the keys loaded onto a keyring given in the "keyrings=" option are measured. If uid is specified in the policy then the key is measured only if the current user id matches the one specified in the policy. Added a new parameter namely "keyring" (name of the keyring) to process_buffer_measurement(). The keyring name is passed to ima_get_action() to determine the required action. ima_match_rules() is updated to check keyring in the policy, if specified, for KEY_CHECK function. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:06 +03:00			`keyring->description, KEY_CHECK, 0,`
ima: Add digest and digest_len params to the functions to measure a buffer This patch performs the final modification necessary to pass the buffer measurement to callers, so that they provide a functionality similar to ima_file_hash(). It adds the 'digest' and 'digest_len' parameters to ima_measure_critical_data() and process_buffer_measurement(). These functions calculate the digest even if there is no suitable rule in the IMA policy and, in this case, they simply return 1 before generating a new measurement entry. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-07-23 11:53:04 +03:00			`keyring->description, false, NULL, 0);`
IMA: Define an IMA hook to measure keys Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2019-12-11 19:47:04 +03:00			`}`