Re: [PATCH] KEYS: prevent KEYCTL_READ on negative key

From: David Howells
Date: Mon Sep 25 2017 - 09:30:03 EST


Eric Biggers <ebiggers3@xxxxxxxxx> wrote:

> Putting the check in key_validate() would make lookups with
> KEY_LOOKUP_PARTIAL stop returning negative keys, which would break
> keyctl_describe(), keyctl_chown(), keyctl_setperm(), keyctl_set_timeout(),
> keyctl_get_security() on negative keys. I presume those are supposed to
> work?

Lookups with KEY_LOOKUP_PARTIAL should never return a negative key by
definition. A negative key is instantiated with an error code, so is no longer
under construction.

key_get_instantiation_authkey() must fail if the key has been constructed - but
I guess there's a potential race in keyctl_describe_key(), keyctl_set_timeout()
and keyctl_get_security() between getting the auth token and calling
lookup_user_key() with perm of 0 in which the key could be instantiated,
revoked, or instantiated elsewhere, or simply expire. This would allow the
instantiating process a longer access window - but they do/did have a valid
token...

It should still be possible to describe, chown, setperm and get the security on
negative keys by the normal access mechanism. Changing the timeout should
probably be denied.

> Another solution would be to remove the special case from lookup_user_key()
> where it can return a negative/revoked/invalidated/expired key if
> KEY_LOOKUP_PARTIAL is not specified and the 'perm' mask is 0.

There are a number of circumstances in which it lookup_user_key() is called
with perm==0, and in each case, the caller is responsible for handling the
security:

(1) keyctl_invalidate_key() will do so if the caller doesn't have permission,
but CAP_SYS_ADMIN is set and the key is marked KEY_FLAG_ROOT_CAN_INVAL.

(2) keyctl_keyring_clear() will do so if the caller doesn't have permission,
but CAP_SYS_ADMIN is set and the key is marked KEY_FLAG_ROOT_CAN_CLEAR.

(3) keyctl_keyring_unlink() will do so on the key-to-be-removed since only the
keyring needs a perm check.

(4) keyctl_read_key() always does so and then does the READ perm check and the
possessor-can-SEARCH can search check itself.

(5) keyctl_describe_key(), keyctl_set_timeout() and keyctl_get_security() will
do so if the caller doesn't have permission, but does have a valid
authorisation token. The latter requires that the key be under
construction.

Functions that use KEY_LOOKUP_PARTIAL include:

keyctl_describe_key()
keyctl_chown_key()
keyctl_setperm_key()
keyctl_set_timeout()
keyctl_get_security()

all of which might need to be called from the upcall program. None of these
should look at the payload.

> The only callers it would affect are the case in question here which is
> clearly a bug,

keyctl_read_key() is definitely buggy. Actually, rather than manually testing
KEY_FLAG_NEGATIVE there, it should probably use key_validate().

> and the root-only exceptions for keyctl_invalidate() and
> keyctl_clear(). And I suspect the latter two are unintentional as well.

I'm not sure what you think is unintentional.

> (Is root *supposed* to be able to invalidate a
> negative/revoked/invalidated/expired key, or clear a
> revoked/invalidated/expired keyring?)

You should be able to invalidate or unlink negative, revoked or expired keys if
you have permission to do so. If you're using keyrings to cache stuff, you
need to be able to invalidate negative results as well as positive ones.

Invalidation of an invalidated key doesn't really make sense, but it shouldn't
hurt. I can't immediately automatically remove all links to the invalidated
key, but have to leave it to the garbage collector to effect.

As for clearing of revoked/invalidated/expired keyrings, I'm not sure whether
it makes sense to allow it - however, whilst keyrings are cleared upon
revocation (since we have a definite point to do that with the key sem
writelocked), they aren't automatically cleared upon expiry or invalidation, so
it might make sense to permit it still.

David