From 14409624e2d8b4a38a0d597d295b0337c6363118 Mon Sep 17 00:00:00 2001
From: Krzysztof Struczynski
Date: Fri, 10 Sep 2021 19:59:51 +0800
Subject: [PATCH] keys: Allow to set key domain tag separately from the key type
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1
CVE: NA
--------------------------------
Add KEY_ALLOC_DOMAIN_* flags so that the key domain tag can be specified on the key creation. This is done to separate the key domain setting from the key type. If applied to the keyring, it will set the requested domain tag for every key added to that keyring. IMA uses the existing key_type_asymmetric for appraisal, but also has to specify the key domain to bind appraisal key with the ima namespace.
Signed-off-by: Krzysztof Struczynski
Reviewed-by: Zhang Tianxing
Signed-off-by: Zheng Zengkai
---
 include/linux/key.h | 10 ++++++++++
 security/keys/key.c | 16 ++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/include/linux/key.h b/include/linux/key.h
index 53684db44615..61250dfd9ccc 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -272,6 +272,12 @@ struct key {
 * restriction.
 */
 struct key_restriction *restrict_link;
+
+ /* This is set on a keyring to indicate that every key added to this
+ * keyring should be tagged with a given key domain tag. It is ignored
+ * for the non-keyring keys and can be overridden by the key-type flags.
+ */
+ unsigned long key_alloc_domain;
 };
 
 extern struct key *key_alloc(struct key_type *type,
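Review bot: The comment on `unsigned long key_alloc_domain;` does not say what the field holds or who consumes it, which matters because the value is a bit pattern shared with the key_alloc() `flags` argument rather than a domain tag pointer. Suggest extending it with `The value is the KEY_ALLOC_DOMAIN_* bits given to key_alloc(); key_create_or_update() ORs them into the flags of keys it creates in this keyring.` and replacing `can be overridden by the key-type flags` with `is not applied to key types that carry their own domain policy in key_type::flags`, which is what the key_alloc() change actually does. The field is presumably zero for keyrings allocated without a domain flag only because struct key comes from a zeroing allocator — worth confirming, since the key_create_or_update() change treats 0 as "no domain". struct key is cut by this hunk.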
@@ -291,6 +297,10 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
 #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */
 
+/* Only one domain can be set */
+#define KEY_ALLOC_DOMAIN_IMA 0x0100 /* add IMA domain tag, based on the "current" */
+#define KEY_ALLOC_DOMAIN_MASK 0xFF00
+
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
 extern void key_put(struct key *key);
diff --git a/security/keys/key.c b/security/keys/key.c
index 151ff39b6803..d052b9a0b1fd 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -278,6 +278,19 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 if (!key)
 goto no_memory_2;
 
+ if (flags & KEY_ALLOC_DOMAIN_MASK) {
+ /* set alloc domain for all keys added to this keyring */
+ if (type == &key_type_keyring)
+ key->key_alloc_domain = (flags & KEY_ALLOC_DOMAIN_MASK);
+
+ /* set domain tag if it's not predefined for the key type */
+ if ((!type->flags) && (flags & KEY_ALLOC_DOMAIN_IMA))
+ /* Set it to something meaningful after adding a key
+ * domain to the ima namespace.
+ */
+ key->index_key.domain_tag = NULL;
+ }
+
 key->index_key.desc_len = desclen;
 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
 if (!key->index_key.description)
@@ -927,6 +940,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 perm |= KEY_POS_WRITE;
 }
 
+ if (keyring->key_alloc_domain)
+ flags |= keyring->key_alloc_domain;
+
 /* allocate a new key */
 key = key_alloc(index_key.type, index_key.description,
 cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
-- 
GitLab
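Review bot: `/* Only one domain can be set */` above `KEY_ALLOC_DOMAIN_IMA` states a rule that nothing in this patch enforces: `KEY_ALLOC_DOMAIN_MASK` reserves eight bits and the key_alloc() change only tests `flags & KEY_ALLOC_DOMAIN_IMA`, so two domain bits would be accepted silently. Either make the comment honest, `/* At most one KEY_ALLOC_DOMAIN_* bit may be set; key_alloc() does not currently reject combinations */`, or add the rejection in key_alloc(). The trailing comment `add IMA domain tag, based on the "current"` is also too vague to act on; if the intent is the calling task's ima namespace, say so: `/* tag the key with the IMA key domain of current's ima namespace */`.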
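Review bot: The `key->index_key.domain_tag = NULL;` branch means a caller passing KEY_ALLOC_DOMAIN_IMA gets no error and no IMA-specific tag: the comment concedes the real tag does not exist yet, and in upstream key_alloc() the later key_set_index_key() call fills a NULL domain_tag with the default (or net) domain, so a key meant to be bound to the IMA namespace silently lands in the default domain — fail-open for a flag whose purpose is isolation. Until the IMA domain tag exists the flag should be refused before any allocation, e.g. next to the early `desc` validation at the top of key_alloc() (outside this hunk; assumed from upstream): `if (flags & KEY_ALLOC_DOMAIN_IMA) { key = ERR_PTR(-EOPNOTSUPP); goto error; }`. Independently, `(!type->flags)` tests every key_type flag rather than the one that carries domain policy, so any unrelated KEY_TYPE_* bit would disable tagging; `!(type->flags & KEY_TYPE_NET_DOMAIN)` says what is meant. The header's "Only one domain can be set" is not checked here either; `if (hweight_long(flags & KEY_ALLOC_DOMAIN_MASK) > 1)` returning `-EINVAL` belongs with the same up-front validation, because at this point the key has already been allocated (see the `if (!key)` check above). key_alloc()'s body begins and ends outside this hunk.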
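Review bot: ORing `keyring->key_alloc_domain` into `flags` only affects keys allocated through this function, so a key created elsewhere and then linked into the keyring (key_link() is not in this patch, so inferred) keeps whatever domain tag it already has; the field comment in key.h promises more than this hunk delivers. If the caller's own `flags` already carry a different KEY_ALLOC_DOMAIN_* bit the OR produces two domains, which the header says is not allowed; a replace makes keyring precedence explicit: `flags = (flags & ~KEY_ALLOC_DOMAIN_MASK) | keyring->key_alloc_domain;`. Note also that `index_key` is built before this point (outside the hunk; in upstream it is what the lookup for an existing key to update uses) without the keyring's domain, so once domain_tag becomes real the update path and the newly allocated key could disagree on domain; the keyring's domain should be settled before the index key is constructed. key_create_or_update()'s body starts and ends outside this hunk.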