• Linus Torvalds's avatar
    Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 78dc53c4
    Linus Torvalds authored
    Pull security subsystem updates from James Morris:
     "In this patchset, we finally get an SELinux update, with Paul Moore
      taking over as maintainer of that code.
    
      Also a significant update for the Keys subsystem, as well as
      maintenance updates to Smack, IMA, TPM, and Apparmor"
    
    and since I wanted to know more about the updates to key handling,
    here's the explanation from David Howells on that:
    
     "Okay.  There are a number of separate bits.  I'll go over the big bits
      and the odd important other bit, most of the smaller bits are just
      fixes and cleanups.  If you want the small bits accounting for, I can
      do that too.
    
       (1) Keyring capacity expansion.
    
            KEYS: Consolidate the concept of an 'index key' for key access
            KEYS: Introduce a search context structure
            KEYS: Search for auth-key by name rather than target key ID
            Add a generic associative array implementation.
            KEYS: Expand the capacity of a keyring
    
         Several of the patches are providing an expansion of the capacity of a
         keyring.  Currently, the maximum size of a keyring payload is one page.
         Subtract a small header and then divide up into pointers, that only gives
         you ~500 pointers on an x86_64 box.  However, since the NFS idmapper uses
         a keyring to store ID mapping data, that has proven to be insufficient to
         the cause.
    
         Whatever data structure I use to handle the keyring payload, it can only
         store pointers to keys, not the keys themselves because several keyrings
         may point to a single key.  This precludes inserting, say, and rb_node
         struct into the key struct for this purpose.
    
         I could make an rbtree of records such that each record has an rb_node
         and a key pointer, but that would use four words of space per key stored
         in the keyring.  It would, however, be able to use much existing code.
    
         I selected instead a non-rebalancing radix-tree type approach as that
         could have a better space-used/key-pointer ratio.  I could have used the
         radix tree implementation that we already have and insert keys into it by
         their serial numbers, but that means any sort of search must iterate over
         the whole radix tree.  Further, its nodes are a bit on the capacious side
         for what I want - especially given that key serial numbers are randomly
         allocated, thus leaving a lot of empty space in the tree.
    
         So what I have is an associative array that internally is a radix-tree
         with 16 pointers per node where the index key is constructed from the key
         type pointer and the key description.  This means that an exact lookup by
         type+description is very fast as this tells us how to navigate directly to
         the target key.
    
         I made the data structure general in lib/assoc_array.c as far as it is
         concerned, its index key is just a sequence of bits that leads to a
         pointer.  It's possible that someone else will be able to make use of it
         also.  FS-Cache might, for example.
    
       (2) Mark keys as 'trusted' and keyrings as 'trusted only'.
    
            KEYS: verify a certificate is signed by a 'trusted' key
            KEYS: Make the system 'trusted' keyring viewable by userspace
            KEYS: Add a 'trusted' flag and a 'trusted only' flag
            KEYS: Separate the kernel signature checking keyring from module signing
    
         These patches allow keys carrying asymmetric public keys to be marked as
         being 'trusted' and allow keyrings to be marked as only permitting the
         addition or linkage of trusted keys.
    
         Keys loaded from hardware during kernel boot or compiled into the kernel
         during build are marked as being trusted automatically.  New keys can be
         loaded at runtime with add_key().  They are checked against the system
         keyring contents and if their signatures can be validated with keys that
         are already marked trusted, then they are marked trusted also and can
         thus be added into the master keyring.
    
         Patches from Mimi Zohar make this usable with the IMA keyrings also.
    
       (3) Remove the date checks on the key used to validate a module signature.
    
            X.509: Remove certificate date checks
    
         It's not reasonable to reject a signature just because the key that it was
         generated with is no longer valid datewise - especially if the kernel
         hasn't yet managed to set the system clock when the first module is
         loaded - so just remove those checks.
    
       (4) Make it simpler to deal with additional X.509 being loaded into the kernel.
    
            KEYS: Load *.x509 files into kernel keyring
            KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate
    
         The builder of the kernel now just places files with the extension ".x509"
         into the kernel source or build trees and they're concatenated by the
         kernel build and stuffed into the appropriate section.
    
       (5) Add support for userspace kerberos to use keyrings.
    
            KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
            KEYS: Implement a big key type that can save to tmpfs
    
         Fedora went to, by default, storing kerberos tickets and tokens in tmpfs.
         We looked at storing it in keyrings instead as that confers certain
         advantages such as tickets being automatically deleted after a certain
         amount of time and the ability for the kernel to get at these tokens more
         easily.
    
         To make this work, two things were needed:
    
         (a) A way for the tickets to persist beyond the lifetime of all a user's
             sessions so that cron-driven processes can still use them.
    
             The problem is that a user's session keyrings are deleted when the
             session that spawned them logs out and the user's user keyring is
             deleted when the UID is deleted (typically when the last log out
             happens), so neither of these places is suitable.
    
             I've added a system keyring into which a 'persistent' keyring is
             created for each UID on request.  Each time a user requests their
             persistent keyring, the expiry time on it is set anew.  If the user
             doesn't ask for it for, say, three days, the keyring is automatically
             expired and garbage collected using the existing gc.  All the kerberos
             tokens it held are then also gc'd.
    
         (b) A key type that can hold really big tickets (up to 1MB in size).
    
             The problem is that Active Directory can return huge tickets with lots
             of auxiliary data attached.  We don't, however, want to eat up huge
             tracts of unswappable kernel space for this, so if the ticket is
             greater than a certain size, we create a swappable shmem file and dump
             the contents in there and just live with the fact we then have an
             inode and a dentry overhead.  If the ticket is smaller than that, we
             slap it in a kmalloc()'d buffer"
    
    * 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits)
      KEYS: Fix keyring content gc scanner
      KEYS: Fix error handling in big_key instantiation
      KEYS: Fix UID check in keyctl_get_persistent()
      KEYS: The RSA public key algorithm needs to select MPILIB
      ima: define '_ima' as a builtin 'trusted' keyring
      ima: extend the measurement list to include the file signature
      kernel/system_certificate.S: use real contents instead of macro GLOBAL()
      KEYS: fix error return code in big_key_instantiate()
      KEYS: Fix keyring quota misaccounting on key replacement and unlink
      KEYS: Fix a race between negating a key and reading the error set
      KEYS: Make BIG_KEYS boolean
      apparmor: remove the "task" arg from may_change_ptraced_domain()
      apparmor: remove parent task info from audit logging
      apparmor: remove tsk field from the apparmor_audit_struct
      apparmor: fix capability to not use the current task, during reporting
      Smack: Ptrace access check mode
      ima: provide hash algo info in the xattr
      ima: enable support for larger default filedata hash algorithms
      ima: define kernel parameter 'ima_template=' to change configured default
      ima: add Kconfig default measurement list template
      ...
    78dc53c4
Kconfig 59.5 KB