From patchwork Thu Jul 21 23:31:39 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mat Martineau <mathew.j.martineau@linux.intel.com>
X-Patchwork-Id: 9242663
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	7E8B7602F0
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu, 21 Jul 2016 23:31:49 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 70B471FF0B
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu, 21 Jul 2016 23:31:49 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 655D920120; Thu, 21 Jul 2016 23:31:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BC5A61FF0B
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu, 21 Jul 2016 23:31:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752656AbcGUXbr (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Thu, 21 Jul 2016 19:31:47 -0400
Received: from mga09.intel.com ([134.134.136.24]:49459 "EHLO mga09.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752490AbcGUXbp (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Thu, 21 Jul 2016 19:31:45 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
	by orsmga102.jf.intel.com with ESMTP; 21 Jul 2016 16:31:42 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.28,401,1464678000"; d="scan'208";a="737985695"
Received: from mjmartin-nuc01.wa.intel.com ([10.232.97.131])
	by FMSMGA003.fm.intel.com with ESMTP; 21 Jul 2016 16:31:42 -0700
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
To: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
	dhowells@redhat.com
Cc: Mat Martineau <mathew.j.martineau@linux.intel.com>,
	zohar@linux.vnet.ibm.com, marcel@holtmann.org
Subject: [PATCH v6 6/6] KEYS: Parse keyring payload for restrict options
Date: Thu, 21 Jul 2016 16:31:39 -0700
Message-Id: <20160721233139.4085-7-mathew.j.martineau@linux.intel.com>
X-Mailer: git-send-email 2.9.2
In-Reply-To: <20160721233139.4085-1-mathew.j.martineau@linux.intel.com>
References: <20160721233139.4085-1-mathew.j.martineau@linux.intel.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

The restrict_link hook was recently added to keyrings so that keys may
be validated prior to linking.  This functionality was only available
using internal kernel APIs.

Configuring keyring restrictions from userspace must work around these
constraints:

 - The restrict_link pointer must be set through keyring_alloc().
 - The add_key system call has a fixed set of parameters.

When creating keyrings, the payload was previously required to be
NULL.  To support restrict_link configuration, the payload is now
parsed for keyring options if a payload is provided.  The expected
option payload format is:

  "restrict_type=<type> restrict_by=<method> restrict_key=<key serial>"

Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
---
 Documentation/crypto/asymmetric-keys.txt |  45 ++++++++++
 Documentation/security/keys.txt          |  13 ++-
 security/keys/keyring.c                  | 138 ++++++++++++++++++++++++++++++-
 3 files changed, 191 insertions(+), 5 deletions(-)

diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt
index 80d45b5..84616d0 100644
--- a/Documentation/crypto/asymmetric-keys.txt
+++ b/Documentation/crypto/asymmetric-keys.txt
@@ -327,3 +327,48 @@ Functions are provided to register and unregister parsers:
 
 Parsers may not have the same name.  The names are otherwise only used for
 displaying in debugging messages.
+
+
+=========================
+KEYRING LINK RESTRICTIONS
+=========================
+
+Keyrings created from userspace using add_key can be configured to check the
+signature of the key being linked.
+
+Several restriction methods are available:
+
+ (1) Restrict using a separate keyring
+
+     - Options used when creating the keyring:
+       - restrict_type=asymmetric
+       - restrict_by=keyring
+       - restrict_key=<keyring serial number>
+
+     Whenever a key link is requested, the keyring identified in restrict_key
+     will be searched for the signing key.
+
+ (2) Restrict using the kernel builtin trusted keyring
+
+     - Options used when creating the keyring:
+       - restrict_type=asymmetric
+       - restrict_by=builtin_trusted
+
+     The kernel builtin trusted keyring will be searched for the signing key.
+
+ (3) Restrict using the kernel builtin and secondary trusted keyrings
+
+     - Options used when creating the keyring:
+       - restrict_type=asymmetric
+       - restrict_by=builtin_and_secondary_trusted
+
+     The kernel builtin and secondary trusted keyrings will be searched for the
+     signing key.
+
+In all of these cases, if the signing key is found the signature of the key to
+be linked will be verified using the signing key.  The requested key is added
+to the keyring only if the signature is successfully verified.  -ENOKEY is
+returned if the parent certificate could not be found, or -EKEYREJECTED is
+returned if the signature check fails or the key is blacklisted.  Other errors
+may be returned if the signature check could not be performed.
+
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 45f5ff8e..b80c7c6 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -418,8 +418,17 @@ The main syscalls are:
      the type. The payload is plen in size, and plen can be zero for an empty
      payload.
 
-     A new keyring can be generated by setting type "keyring", the keyring name
-     as the description (or NULL) and setting the payload to NULL.
+     A new keyring can be generated by setting type "keyring" and the keyring
+     name as the description (or NULL).  The payload can be NULL or contain
+     keyring link restriction options using the following format:
+
+	"restrict_type=<type> restrict_by=<method> restrict_key=<key serial>"
+
+     "type" is a registered key type.  The type and method will populate
+     restrict_link in the keyring structure using the lookup_restrict function
+     for the requested type.  restrict_key is optional when creating the
+     keyring, but some restrict methods depend on the presence of a
+     restrict_key value when linking keys.
 
      User defined keys can be created by specifying type "user". It is
      recommended that a user defined key's description by prefixed with a type
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index c91e4e0..a0f1148 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -20,9 +20,18 @@
 #include <keys/user-type.h>
 #include <linux/assoc_array_priv.h>
 #include <linux/uaccess.h>
+#include <linux/parser.h>
 #include "internal.h"
 
 /*
+ * Layout of preparse payload
+ */
+enum {
+	keyring_restrict_link,
+	keyring_restrict_key,
+};
+
+/*
  * When plumbing the depths of the key tree, this sets a hard limit
  * set on how deep we're willing to go.
  */
@@ -125,29 +134,151 @@ static void keyring_publish_name(struct key *keyring)
 	}
 }
 
+enum {
+	Opt_restrict_type,
+	Opt_restrict_by,
+	Opt_restrict_key,
+	Opt_err,
+};
+
+static const match_table_t keyring_tokens = {
+	{ Opt_restrict_type,	"restrict_type=%s" },
+	{ Opt_restrict_by,	"restrict_by=%s" },
+	{ Opt_restrict_key,	"restrict_key=%d" },
+	{ Opt_err,		NULL },
+};
+
+/*
+ * Parse the keyring options and fill in the required keyring members.
+ *
+ * Returns 0 if the option string is valid (including the empty case),
+ * otherwise -EINVAL.
+ */
+static int keyring_datablob_parse(char *datablob,
+				  struct key_preparsed_payload *prep)
+{
+	substring_t args[MAX_OPT_ARGS];
+	char *c;
+	int token;
+	unsigned long token_mask = 0;
+	struct key_type *restrict_type = NULL;
+	char *restrict_by = NULL;
+	restrict_link_func_t restrict_link;
+	key_serial_t serial = 0;
+	int result;
+	key_ref_t key_ref;
+
+	while ((c = strsep(&datablob, " \t"))) {
+		if (*c == '\0')
+			continue;
+
+		token = match_token(c, keyring_tokens, args);
+		if (test_and_set_bit(token, &token_mask))
+			goto error;
+
+		switch (token) {
+		case Opt_restrict_type:
+			restrict_type = key_type_lookup(args[0].from);
+			if (IS_ERR(restrict_type)) {
+				restrict_type = NULL;
+				goto error;
+			}
+			break;
+		case Opt_restrict_by:
+			restrict_by = args[0].from;
+			break;
+		case Opt_restrict_key:
+			result = kstrtos32(args[0].from, 0, &serial);
+			if (result < 0)
+				goto error;
+			break;
+		case Opt_err:
+			goto error;
+		}
+	}
+
+	if (restrict_type && restrict_by) {
+		if (!restrict_type->lookup_restrict)
+			goto error;
+
+		restrict_link = restrict_type->lookup_restrict(restrict_by);
+		if (IS_ERR(restrict_link))
+			goto error;
+
+		if (test_bit(Opt_restrict_key, &token_mask)) {
+			key_ref = lookup_user_key(serial, 0, 0);
+			if (IS_ERR(key_ref))
+				goto error;
+
+			prep->payload.data[keyring_restrict_key] =
+				key_ref_to_ptr(key_ref);
+		}
+
+		prep->payload.data[keyring_restrict_link] = restrict_link;
+	} else if (test_bit(Opt_restrict_type, &token_mask) ||
+		   test_bit(Opt_restrict_by, &token_mask) ||
+		   test_bit(Opt_restrict_key, &token_mask)) {
+		goto error;
+	}
+
+	if (restrict_type)
+		key_type_put(restrict_type);
+
+	return 0;
+
+error:
+	if (restrict_type)
+		key_type_put(restrict_type);
+
+	return -EINVAL;
+}
+
 /*
  * Preparse a keyring payload
  */
 static int keyring_preparse(struct key_preparsed_payload *prep)
 {
-	return prep->datalen != 0 ? -EINVAL : 0;
+	char *datablob;
+	size_t datalen = prep->datalen;
+	int ret = 0;
+
+	if (datalen) {
+		datablob = kmalloc(datalen + 1, GFP_KERNEL);
+		if (!datablob)
+			return -ENOMEM;
+
+		memcpy(datablob, prep->data, datalen);
+		datablob[datalen] = '\0';
+
+		ret = keyring_datablob_parse(datablob, prep);
+
+		kfree(datablob);
+	}
+
+	return ret;
 }
 
 /*
- * Free a preparse of a user defined key payload
+ * Free a preparse of a keyring payload
  */
 static void keyring_free_preparse(struct key_preparsed_payload *prep)
 {
+	key_put(prep->payload.data[keyring_restrict_key]);
 }
 
 /*
  * Initialise a keyring.
  *
- * Returns 0 on success, -EINVAL if given any data.
+ * Returns 0 on success.
  */
 static int keyring_instantiate(struct key *keyring,
 			       struct key_preparsed_payload *prep)
 {
+	keyring->restrict_link = prep->payload.data[keyring_restrict_link];
+	keyring->restrict_key = prep->payload.data[keyring_restrict_key];
+	/* Don't let keyring_free_preparse do a key_put() on the key pointer */
+	prep->payload.data[keyring_restrict_key] = NULL;
+
 	assoc_array_init(&keyring->keys);
 	/* make the keyring available by name if it has one */
 	keyring_publish_name(keyring);
@@ -394,6 +525,7 @@ static void keyring_destroy(struct key *keyring)
 		write_unlock(&keyring_name_lock);
 	}
 
+	key_put(keyring->restrict_key);
 	assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
 }