6eb864c1d9
This patch aimed to prevent deadlock during digsig verification.The point of issue - user space utility modprobe and/or it's dependencies (ld-*.so, libz.so.*, libc-*.so and /lib/modules/ files) that could be used for kernel modules load during digsig verification and could be signed by digsig in the same time. First at all, look at crypto_alloc_tfm() work algorithm: crypto_alloc_tfm() will first attempt to locate an already loaded algorithm. If that fails and the kernel supports dynamically loadable modules, it will then attempt to load a module of the same name or alias. If that fails it will send a query to any loaded crypto manager to construct an algorithm on the fly. We have situation, when public_key_verify_signature() in case of RSA algorithm use alg_name to store internal information in order to construct an algorithm on the fly, but crypto_larval_lookup() will try to use alg_name in order to load kernel module with same name. 1) we can't do anything with crypto module work, since it designed to work exactly in this way; 2) we can't globally filter module requests for modprobe, since it designed to work with any requests. In this patch, I propose add an exception for "crypto-pkcs1pad(rsa,*)" module requests only in case of enabled integrity asymmetric keys support. Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules for sure, we are safe to fail such module request from crypto_larval_lookup(). In this way we prevent modprobe execution during digsig verification and avoid possible deadlock if modprobe and/or it's dependencies also signed with digsig. Requested "crypto-pkcs1pad(rsa,*)" kernel module name formed by: 1) "pkcs1pad(rsa,%s)" in public_key_verify_signature(); 2) "crypto-%s" / "crypto-%s-all" in crypto_larval_lookup(). "crypto-pkcs1pad(rsa," part of request is a constant and unique and could be used as filter. Signed-off-by: Mikhail Kurinnoi <viewizard@viewizard.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> include/linux/integrity.h | 13 +++++++++++++ security/integrity/digsig_asymmetric.c | 23 +++++++++++++++++++++++ security/security.c | 7 ++++++- 3 files changed, 42 insertions(+), 1 deletion(-)
61 lines
1.3 KiB
C
61 lines
1.3 KiB
C
/*
|
|
* Copyright (C) 2009 IBM Corporation
|
|
* Author: Mimi Zohar <zohar@us.ibm.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, version 2 of the License.
|
|
*/
|
|
|
|
#ifndef _LINUX_INTEGRITY_H
|
|
#define _LINUX_INTEGRITY_H
|
|
|
|
#include <linux/fs.h>
|
|
|
|
enum integrity_status {
|
|
INTEGRITY_PASS = 0,
|
|
INTEGRITY_PASS_IMMUTABLE,
|
|
INTEGRITY_FAIL,
|
|
INTEGRITY_NOLABEL,
|
|
INTEGRITY_NOXATTRS,
|
|
INTEGRITY_UNKNOWN,
|
|
};
|
|
|
|
/* List of EVM protected security xattrs */
|
|
#ifdef CONFIG_INTEGRITY
|
|
extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
|
|
extern void integrity_inode_free(struct inode *inode);
|
|
extern void __init integrity_load_keys(void);
|
|
|
|
#else
|
|
static inline struct integrity_iint_cache *
|
|
integrity_inode_get(struct inode *inode)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
static inline void integrity_inode_free(struct inode *inode)
|
|
{
|
|
return;
|
|
}
|
|
|
|
static inline void integrity_load_keys(void)
|
|
{
|
|
}
|
|
#endif /* CONFIG_INTEGRITY */
|
|
|
|
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
|
|
|
|
extern int integrity_kernel_module_request(char *kmod_name);
|
|
|
|
#else
|
|
|
|
static inline int integrity_kernel_module_request(char *kmod_name)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
|
|
|
|
#endif /* _LINUX_INTEGRITY_H */
|