From patchwork Mon Jan 4 23:21:18 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 562791 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id DB8A51402BC; Tue, 5 Jan 2016 10:24:47 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1aGEUU-0000mA-8w; Mon, 04 Jan 2016 23:24:42 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1aGERI-0007Az-La for kernel-team@lists.ubuntu.com; Mon, 04 Jan 2016 23:21:24 +0000 Received: from 1.general.kamal.us.vpn ([10.172.68.52] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1aGERG-0006C3-6z; Mon, 04 Jan 2016 23:21:22 +0000 Received: from kamal by fourier with local (Exim 4.82) (envelope-from ) id 1aGERD-0006Ay-FV; Mon, 04 Jan 2016 15:21:19 -0800 From: Kamal Mostafa To: Dmitry Kasatkin Subject: [4.2.y-ckt stable] Patch "integrity: prevent loading untrusted certificates on the IMA trusted keyring" has been added to staging queue Date: Mon, 4 Jan 2016 15:21:18 -0800 Message-Id: <1451949678-23710-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 1.9.1 X-Extended-Stable: 4.2 Cc: Kamal Mostafa , Mimi Zohar , Dmitry Kasatkin , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled integrity: prevent loading untrusted certificates on the IMA trusted keyring to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue This patch is scheduled to be released in version 4.2.8-ckt1. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 4.2.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From ba313bdf3a096af18cbb052f05a739ee87efbfd6 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Thu, 10 Sep 2015 22:06:15 +0300 Subject: integrity: prevent loading untrusted certificates on the IMA trusted keyring commit 72e1eed8abb11c79749266d433c817ce36732893 upstream. If IMA_LOAD_X509 is enabled, either directly or indirectly via IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA trusted keyring by the kernel via key_create_or_update(). When the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded without first verifying the certificate is properly signed by a trusted key on the system keyring. This patch removes the KEY_ALLOC_TRUSTED flag. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Signed-off-by: Kamal Mostafa --- security/integrity/digsig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.9.1 diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 36fb6b5..5be9ffb 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -105,7 +105,7 @@ int __init integrity_load_x509(const unsigned int id, const char *path) rc, ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED); + KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(key)) { rc = PTR_ERR(key); pr_err("Problem loading X.509 certificate (%d): %s\n",