-rw-r--r--security/integrity/digsig.c30
-rw-r--r--security/integrity/ima/Kconfig8
-rw-r--r--security/integrity/ima/ima_appraise.c11
-rw-r--r--security/integrity/integrity.h7
4 files changed, 1 insertions, 55 deletions
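--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -13,9 +13,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/err.h>
-#include <linux/sched.h>
 #include <linux/rbtree.h>
-#include <linux/cred.h>
 #include <linux/key-type.h>
 #include <linux/digsig.h>
 
@@ -23,19 +21,11 @@
 
 static struct key *keyring[INTEGRITY_KEYRING_MAX];
 
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
-	".evm",
-	".module",
-	".ima",
-};
-#else
 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
 	"_evm",
 	"_module",
 	"_ima",
 };
-#endif
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 			    const char *digest, int digestlen)
@@ -45,7 +35,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 
 	if (!keyring[id]) {
 		keyring[id] =
 		    request_key(&key_type_keyring, keyring_name[id], NULL);
 		if (IS_ERR(keyring[id])) {
 			int err = PTR_ERR(keyring[id]);
 			pr_err("no %s keyring: %d\n", keyring_name[id], err);
@@ -66,21 +56,3 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 
 	return -EOPNOTSUPP;
 }
-
-int integrity_init_keyring(const unsigned int id)
-{
-	const struct cred *cred = current_cred();
-	const struct user_struct *user = cred->user;
-
-	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
-				    KGIDT_INIT(0), cred,
-				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-				     KEY_USR_VIEW | KEY_USR_READ),
-				    KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
-	if (!IS_ERR(keyring[id]))
-		set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
-	else
-		pr_info("Can't allocate %s keyring (%ld)\n",
-			keyring_name[id], PTR_ERR(keyring[id]));
-	return 0;
-}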
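--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -123,11 +123,3 @@ config IMA_APPRAISE
 	  For more information on integrity appraisal refer to:
 	  <http://linux-ima.sourceforge.net>
 	  If unsure, say N.
-
-config IMA_TRUSTED_KEYRING
-	bool "Require all keys on the _ima keyring be signed"
-	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
-	default y
-	help
-	  This option requires that all keys added to the _ima
-	  keyring be signed by a key on the system trusted keyring.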
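--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -381,14 +381,3 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 	}
 	return result;
 }
-
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static int __init init_ima_keyring(void)
-{
-	int ret;
-
-	ret = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
-	return 0;
-}
-late_initcall(init_ima_keyring);
-#endif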
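--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -137,19 +137,12 @@ static inline int integrity_digsig_verify(const unsigned int id,
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
 int asymmetric_verify(struct key *keyring, const char *sig,
 		      int siglen, const char *data, int datalen);
-
-int integrity_init_keyring(const unsigned int id);
 #else
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
 				    int siglen, const char *data, int datalen)
 {
 	return -EOPNOTSUPP;
 }
-
-static int integrity_init_keyring(const unsigned int id)
-{
-	return 0;
-}
 #endif
 
 #ifdef CONFIG_INTEGRITY_AUDIT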