keys: Allow to set key domain tag separately from the key type

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA -------------------------------- Add KEY_ALLOC_DOMAIN_* flags so that the key domain tag can be specified on the key creation. This is done to separate the key domain setting from the key type. If applied to the keyring, it will set the requested domain tag for every key added to that keyring. IMA uses the existing key_type_asymmetric for appraisal, but also has to specify the key domain to bind appraisal key with the ima namespace. Signed-off-by: N Krzysztof Struczynski <krzysztof.struczynski@huawei.com> Reviewed-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

keys: Allow to set key domain tag separately from the key type
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA -------------------------------- Add KEY_ALLOC_DOMAIN_* flags so that the key domain tag can be specified on the key creation. This is done to separate the key domain setting from the key type. If applied to the keyring, it will set the requested domain tag for every key added to that keyring. IMA uses the existing key_type_asymmetric for appraisal, but also has to specify the key domain to bind appraisal key with the ima namespace. Signed-off-by: N Krzysztof Struczynski <krzysztof.struczynski@huawei.com> Reviewed-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
14409624 · Krzysztof Struczynski · Zheng Zengkai · 44313f67 · 14409624 · 14409624
隐藏空白更改
内联并排

Showing with 26 addition and 0 deletion

include/linux/key.h include/linux/key.h +10 -0

security/keys/key.c security/keys/key.c +16 -0

未找到文件。
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -272,6 +272,12 @@ struct key {
 	 * restriction.
 	 */
 	struct key_restriction *restrict_link;
+
+	/* This is set on a keyring to indicate that every key added to this
+	 * keyring should be tagged with a given key domain tag. It is ignored
+	 * for the non-keyring keys and can be overridden by the key-type flags.
+	 */
+	unsigned long key_alloc_domain;
 };

 extern struct key *key_alloc(struct key_type *type,
@@ -291,6 +297,10 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_UID_KEYRING		0x0010	/* allocating a user or user session keyring */
 #define KEY_ALLOC_SET_KEEP		0x0020	/* Set the KEEP flag on the key/keyring */

+/* Only one domain can be set */
+#define KEY_ALLOC_DOMAIN_IMA		0x0100  /* add IMA domain tag, based on the "current" */
+#define KEY_ALLOC_DOMAIN_MASK		0xFF00
+
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
 extern void key_put(struct key *key);

--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -278,6 +278,19 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 	if (!key)
 		goto no_memory_2;

+	if (flags & KEY_ALLOC_DOMAIN_MASK) {
+		/* set alloc domain for all keys added to this keyring */
+		if (type == &key_type_keyring)
+			key->key_alloc_domain = (flags & KEY_ALLOC_DOMAIN_MASK);
+
+		/* set domain tag if it's not predefined for the key type */
+		if ((!type->flags) && (flags & KEY_ALLOC_DOMAIN_IMA))
+			/* Set it to something meaningful after adding a key
+			 * domain to the ima namespace.
+			 */
+			key->index_key.domain_tag = NULL;
+	}
+
 	key->index_key.desc_len = desclen;
 	key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
 	if (!key->index_key.description)
@@ -927,6 +940,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 			perm |= KEY_POS_WRITE;
 	}

+	if (keyring->key_alloc_domain)
+		flags |= keyring->key_alloc_domain;
+
 	/* allocate a new key */
 	key = key_alloc(index_key.type, index_key.description,
 			cred->fsuid, cred->fsgid, cred, perm, flags, NULL);