unix: add KEYCTL_RESTRICT_KEYRING capabilities

Asymmetric keyrings can require key payloads to be X.509 certificates signed by a key in a different keyring. This can be helpful for rotating keys on a live machines for subsystems like IMA while preventing local tampering. Tested locally by applying the "key_or_keyring:<id>" restriction to a keyring. Change-Id: Ia8dcb343abc5f405d374c357d5cac3d5181d7159 Reviewed-on: https://go-review.googlesource.com/c/sys/+/178400 Run-TryBot: Tobias Klauser <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Tobias Klauser <[email protected]>
golang · Sep 20, 2019 · ef0ce17 · ef0ce17
1 parent 0c1ff78
commit ef0ce17
Show file tree

Hide file tree

Showing 14 changed files with 418 additions and 0 deletions.
diff --git a/unix/syscall_linux.go b/unix/syscall_linux.go
@@ -1222,6 +1222,34 @@ func KeyctlDHCompute(params *KeyctlDHParams, buffer []byte) (size int, err error
 	return keyctlDH(KEYCTL_DH_COMPUTE, params, buffer)
 }
 
+// KeyctlRestrictKeyring implements the KEYCTL_RESTRICT_KEYRING command. This
+// command limits the set of keys that can be linked to the keyring, regardless
+// of keyring permissions. The command requires the "setattr" permission.
+//
+// When called with an empty keyType the command locks the keyring, preventing
+// any further keys from being linked to the keyring.
+//
+// The "asymmetric" keyType defines restrictions requiring key payloads to be
+// DER encoded X.509 certificates signed by keys in another keyring. Restrictions
+// for "asymmetric" include "builtin_trusted", "builtin_and_secondary_trusted",
+// "key_or_keyring:<key>", and "key_or_keyring:<key>:chain".
+//
+// As of Linux 4.12, only the "asymmetric" keyType defines type-specific
+// restrictions.
+//
+// See the full documentation at:
+// http://man7.org/linux/man-pages/man3/keyctl_restrict_keyring.3.html
+// http://man7.org/linux/man-pages/man2/keyctl.2.html
+func KeyctlRestrictKeyring(ringid int, keyType string, restriction string) error {
+	if keyType == "" {
+		return keyctlRestrictKeyring(KEYCTL_RESTRICT_KEYRING, ringid)
+	}
+	return keyctlRestrictKeyringByType(KEYCTL_RESTRICT_KEYRING, ringid, keyType, restriction)
+}
+
+//sys keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) = SYS_KEYCTL
+//sys keyctlRestrictKeyring(cmd int, arg2 int) (err error) = SYS_KEYCTL
+
 func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from Sockaddr, err error) {
 	var msg Msghdr
 	var rsa RawSockaddrAny

diff --git a/unix/zsyscall_linux_386.go b/unix/zsyscall_linux_386.go
diff --git a/unix/zsyscall_linux_amd64.go b/unix/zsyscall_linux_amd64.go
diff --git a/unix/zsyscall_linux_arm.go b/unix/zsyscall_linux_arm.go
diff --git a/unix/zsyscall_linux_arm64.go b/unix/zsyscall_linux_arm64.go
diff --git a/unix/zsyscall_linux_mips.go b/unix/zsyscall_linux_mips.go
diff --git a/unix/zsyscall_linux_mips64.go b/unix/zsyscall_linux_mips64.go
diff --git a/unix/zsyscall_linux_mips64le.go b/unix/zsyscall_linux_mips64le.go
diff --git a/unix/zsyscall_linux_mipsle.go b/unix/zsyscall_linux_mipsle.go
diff --git a/unix/zsyscall_linux_ppc64.go b/unix/zsyscall_linux_ppc64.go