Message ID | 20170309202315.15361-7-mathew.j.martineau@linux.intel.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > The keyring restrict callback was sometimes called before > __key_link_begin and sometimes after, which meant that the keyring > semaphores were not always held during the restrict callback. > > If the semaphores are consistently acquired before checking link > restrictions, keyring contents cannot be changed after the restrict > check is complete but before the evaluated key is linked to the keyring. I'm still not entirely sure that this gains us anything. At the point we did the restriction check, the key was validated. Yes, the keyring can be modified between then and the actual link, thereby rendering the chain broken - but this is true after the link also. The whole point is that it was valid at the time of asking. Mainly I have an aversion to doing things under a lock when I can do it outside of the lock. Btw, do you check for cycles anywhere? For example, if I create two keyrings, A and B, and can I then set restrictions such that A is restricted by B and B is restricted by A? David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, 16 Mar 2017, David Howells wrote: > Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > >> The keyring restrict callback was sometimes called before >> __key_link_begin and sometimes after, which meant that the keyring >> semaphores were not always held during the restrict callback. >> >> If the semaphores are consistently acquired before checking link >> restrictions, keyring contents cannot be changed after the restrict >> check is complete but before the evaluated key is linked to the keyring. > > I'm still not entirely sure that this gains us anything. At the point we did > the restriction check, the key was validated. Yes, the keyring can be > modified between then and the actual link, thereby rendering the chain broken > - but this is true after the link also. The whole point is that it was valid > at the time of asking. > > Mainly I have an aversion to doing things under a lock when I can do it > outside of the lock. Restriction methods can consider the contents of the keyring being linked to, and they can't really be thought of as enforcing invariants on the contents of the keyring without this patch. This locking change had more concrete consequences before KEYCTL_RESTRICT_KEYRING, when you could add the first cert to an empty keyring without a signature check and all later additions would verify signatures based on certificates already in the keyring. It would have been possible to add multiple certs (that hadn't signed each other) to an empty keyring if the keys were both checked before they were linked. In the current iteration of the patch set, it comes down to enforcing invariants (as I mentioned above) and consistency in lock/check ordering across different code paths. Restriction functions (present or future) can't offer a consistency or security guarantee about the state of the keyring if the contents of the keyring can change between the check and the link. I share your locking aversion, but think this is a case where a lock is needed. > Btw, do you check for cycles anywhere? For example, if I create two keyrings, > A and B, and can I then set restrictions such that A is restricted by B and B > is restricted by A? I don't check for cycles yet, but the references held by the restrictions could be a problem. I'm not sure how to address it yet, I could clear the restriction info when a keyring is revoked/dead/etc or I could check when restrictions are created. -- Mat Martineau Intel OTC -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > > Btw, do you check for cycles anywhere? For example, if I create two keyrings, > > A and B, and can I then set restrictions such that A is restricted by B and B > > is restricted by A? > > I don't check for cycles yet, but the references held by the restrictions > could be a problem. I'm not sure how to address it yet, I could clear the > restriction info when a keyring is revoked/dead/etc or I could check when > restrictions are created. Yep. The way to do it is to store the pointer to the restriction keyring in the restriction record and then when you set a restriction on keyring A that refers to keyring B as a source of authority, you go to B's restriction record and if it points to A, say no, if it points to C, go to C's record and if it points to A, say no, if it points to D, go to D's record and so on and so on - all whilst under a master lock. As the above algorithm only has one pointer to follow each time, it can be done iteratively, so no particular stack overhead. And as a lock is held whilst you do the check and the add, you can't get one process adding an A->B dependency whilst another adds B->A. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, 17 Mar 2017, David Howells wrote: > Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > >>> Btw, do you check for cycles anywhere? For example, if I create two keyrings, >>> A and B, and can I then set restrictions such that A is restricted by B and B >>> is restricted by A? >> >> I don't check for cycles yet, but the references held by the restrictions >> could be a problem. I'm not sure how to address it yet, I could clear the >> restriction info when a keyring is revoked/dead/etc or I could check when >> restrictions are created. > > Yep. > > The way to do it is to store the pointer to the restriction keyring in the > restriction record and then when you set a restriction on keyring A that > refers to keyring B as a source of authority, you go to B's restriction record > and if it points to A, say no, if it points to C, go to C's record and if it > points to A, say no, if it points to D, go to D's record and so on and so on - > all whilst under a master lock. > > As the above algorithm only has one pointer to follow each time, it can be > done iteratively, so no particular stack overhead. And as a lock is held > whilst you do the check and the add, you can't get one process adding an A->B > dependency whilst another adds B->A. v6 and earlier of the patch set had a pointer to the restriction keyring in the restriction record, then we generalized the structure to use a void* and the free_data function. The void* is helpful for letting the key types have more complicated restrictions (maybe even having *multiple* keyring dependencies), but it rules out the iterative search technique. I see why my first suggestion doesn't work: while destroyed keyrings already clear out their restriction references, that doesn't help when the ref count goes to 0 on an instantiated keyring. Do we go back to the simpler restriction record (just a key pointer, no void*, no free_data) so we can detect cycles without the stack overhead of a depth-first search, like this? struct key_restriction { key_restrict_link_func_t check; struct key *key; struct key_type *owner_type; }; If we have both a key pointer and a void*, the void* won't be used by the asymmetric key type and future restriction implementations could end up with cycle problems if they stash key pointers behind that void*. Other solutions I can think of would add a lot of complexity (like adding weak references), so I favor using the single key pointer as in the struct above. -- Mat Martineau Intel OTC -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > Do we go back to the simpler restriction record (just a key pointer, no void*, > no free_data) so we can detect cycles without the stack overhead of a > depth-first search, like this? Sure. We can always add data in future. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/security/keys/key.c b/security/keys/key.c index 488adf2b6ad4..989ec35c1c48 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -500,21 +500,23 @@ int key_instantiate_and_link(struct key *key, } if (keyring) { + ret = __key_link_begin(keyring, &key->index_key, &edit); + if (ret < 0) + goto error; + if (keyring->restrict_link && keyring->restrict_link->check) { struct key_restriction *keyres = keyring->restrict_link; ret = keyres->check(keyring, key->type, &prep.payload, keyres->data); if (ret < 0) - goto error; + goto error_link_end; } - ret = __key_link_begin(keyring, &key->index_key, &edit); - if (ret < 0) - goto error; } ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); +error_link_end: if (keyring) __key_link_end(keyring, &key->index_key, edit); @@ -855,21 +857,21 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } index_key.desc_len = strlen(index_key.description); + ret = __key_link_begin(keyring, &index_key, &edit); + if (ret < 0) { + key_ref = ERR_PTR(ret); + goto error_free_prep; + } + if (restrict_link && restrict_link->check) { ret = restrict_link->check(keyring, index_key.type, &prep.payload, restrict_link->data); if (ret < 0) { key_ref = ERR_PTR(ret); - goto error_free_prep; + goto error_link_end; } } - ret = __key_link_begin(keyring, &index_key, &edit); - if (ret < 0) { - key_ref = ERR_PTR(ret); - goto error_free_prep; - } - /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE);
The keyring restrict callback was sometimes called before __key_link_begin and sometimes after, which meant that the keyring semaphores were not always held during the restrict callback. If the semaphores are consistently acquired before checking link restrictions, keyring contents cannot be changed after the restrict check is complete but before the evaluated key is linked to the keyring. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> --- security/keys/key.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-)