linux/security/keys
David Howells ee8f844e3c KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
This fixes CVE-2016-9604.

Keyrings whose name begin with a '.' are special internal keyrings and so
userspace isn't allowed to create keyrings by this name to prevent
shadowing.  However, the patch that added the guard didn't fix
KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
it can also subscribe to them as a session keyring if they grant SEARCH
permission to the user.

This, for example, allows a root process to set .builtin_trusted_keys as
its session keyring, at which point it has full access because now the
possessor permissions are added.  This permits root to add extra public
keys, thereby bypassing module verification.

This also affects kexec and IMA.

This can be tested by (as root):

	keyctl session .builtin_trusted_keys
	keyctl add user a a @s
	keyctl list @s

which on my test box gives me:

	2 keys in keyring:
	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
	801382539: --alswrv     0     0 user: a


Fix this by rejecting names beginning with a '.' in the keyctl.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
cc: linux-ima-devel@lists.sourceforge.net
cc: stable@vger.kernel.org
2017-04-18 15:31:35 +01:00
..
encrypted-keys KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00
big_key.c KEYS: Sort out big_key initialisation 2016-10-27 16:03:27 +11:00
compat.c KEYS: Add placeholder for KDF usage with DH 2016-06-03 16:14:34 +10:00
dh.c KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00
gc.c KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring 2015-10-15 17:21:37 +01:00
internal.h sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> 2017-03-02 08:42:31 +01:00
Kconfig security/keys: make BIG_KEYS dependent on stdrng. 2016-10-27 16:03:33 +11:00
key.c KEYS: potential uninitialized variable 2016-06-16 17:15:04 -10:00
keyctl.c KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings 2017-04-18 15:31:35 +01:00
keyring.c KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED 2016-04-11 22:44:15 +01:00
Makefile KEYS: Add KEYCTL_DH_COMPUTE command 2016-04-12 19:54:58 +01:00
permission.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
persistent.c sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> 2017-03-02 08:42:31 +01:00
proc.c KEYS: Fix short sprintf buffer in /proc/keys show function 2016-10-27 16:03:24 +11:00
process_keys.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/user.h> 2017-03-02 08:42:29 +01:00
request_key_auth.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
request_key.c Make static usermode helper binaries constant 2017-01-19 12:59:45 +01:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00
trusted.h keys, trusted: move struct trusted_key_options to trusted-type.h 2015-10-19 01:01:21 +02:00
user_defined.c KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00