summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:31:06 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-15 23:43:45 -0500
commitb8d997032a46fcf47d5bda011c0d1e87b20c08ba (patch)
tree7d98596e0338a1ae9dac887b611958d62cf25084 /security
parent2d705d8024143c272a764320c880ccd3230bb699 (diff)
downloadlinux-b8d997032a46fcf47d5bda011c0d1e87b20c08ba.tar.gz
linux-b8d997032a46fcf47d5bda011c0d1e87b20c08ba.tar.bz2
linux-b8d997032a46fcf47d5bda011c0d1e87b20c08ba.zip
security: Introduce key_post_create_or_update hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the key_post_create_or_update hook. Depending on policy, IMA measures the key content after creation or update, so that remote verifiers are aware of the operation. Other LSMs could similarly take some action after successful key creation or update. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/keys/key.c7
-rw-r--r--security/security.c19
2 files changed, 25 insertions, 1 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index 5b10641debd5..31a8b9408b7c 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -930,6 +930,8 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
goto error_link_end;
}
+ security_key_post_create_or_update(keyring, key, payload, plen, flags,
+ true);
ima_post_key_create_or_update(keyring, key, payload, plen,
flags, true);
@@ -963,10 +965,13 @@ error:
key_ref = __key_update(key_ref, &prep);
- if (!IS_ERR(key_ref))
+ if (!IS_ERR(key_ref)) {
+ security_key_post_create_or_update(keyring, key, payload, plen,
+ flags, false);
ima_post_key_create_or_update(keyring, key,
payload, plen,
flags, false);
+ }
goto error_free_prep;
}
diff --git a/security/security.c b/security/security.c
index 3bed660fc950..6c23c620e3c1 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5453,6 +5453,25 @@ int security_key_getsecurity(struct key *key, char **buffer)
*buffer = NULL;
return call_int_hook(key_getsecurity, 0, key, buffer);
}
+
+/**
+ * security_key_post_create_or_update() - Notification of key create or update
+ * @keyring: keyring to which the key is linked to
+ * @key: created or updated key
+ * @payload: data used to instantiate or update the key
+ * @payload_len: length of payload
+ * @flags: key flags
+ * @create: flag indicating whether the key was created or updated
+ *
+ * Notify the caller of a key creation or update.
+ */
+void security_key_post_create_or_update(struct key *keyring, struct key *key,
+ const void *payload, size_t payload_len,
+ unsigned long flags, bool create)
+{
+ call_void_hook(key_post_create_or_update, keyring, key, payload,
+ payload_len, flags, create);
+}
#endif /* CONFIG_KEYS */
#ifdef CONFIG_AUDIT