authorLinus Torvalds <torvalds@linux-foundation.org>2013-11-23 19:36:35 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2013-11-23 19:36:35 -0500
commit34ef7bd3823bf4401bf8f1f855e1bc77b82b1a43 (patch)
tree80b9e7de72353048b5e933d634d64bd14d0eb00c /security/integrity
parent26b265cd29dde56bf0901c421eabc7ae815f38c4 (diff)
Revert "ima: define '_ima' as a builtin 'trusted' keyring"
This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which caused the following build error: security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’ security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used reported by Krzysztof Kolasa. Mimi says: "I made the classic mistake of requesting this patch to be upstreamed at the last second, rather than waiting until the next open window. At this point, the best course would probably be to revert the two commits and fix them for the next open window" Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/digsig.c30
-rw-r--r--security/integrity/ima/Kconfig8
-rw-r--r--security/integrity/ima/ima_appraise.c11
-rw-r--r--security/integrity/integrity.h7
4 files changed, 1 insertions, 55 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 77ca965ab684..b4af4ebc5be2 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -13,9 +13,7 @@
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14 14
15#include <linux/err.h> 15#include <linux/err.h>
16#include <linux/sched.h>
17#include <linux/rbtree.h> 16#include <linux/rbtree.h>
18#include <linux/cred.h>
19#include <linux/key-type.h> 17#include <linux/key-type.h>
20#include <linux/digsig.h> 18#include <linux/digsig.h>
21 19
@@ -23,19 +21,11 @@
23 21
24static struct key *keyring[INTEGRITY_KEYRING_MAX]; 22static struct key *keyring[INTEGRITY_KEYRING_MAX];
25 23
26#ifdef CONFIG_IMA_TRUSTED_KEYRING
27static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
28 ".evm",
29 ".module",
30 ".ima",
31};
32#else
33static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { 24static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
34 "_evm", 25 "_evm",
35 "_module", 26 "_module",
36 "_ima", 27 "_ima",
37}; 28};
38#endif
39 29
40int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 30int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
41 const char *digest, int digestlen) 31 const char *digest, int digestlen)
@@ -45,7 +35,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
45 35
46 if (!keyring[id]) { 36 if (!keyring[id]) {
47 keyring[id] = 37 keyring[id] =
48 request_key(&key_type_keyring, keyring_name[id], NULL); 38 request_key(&key_type_keyring, keyring_name[id], NULL);
49 if (IS_ERR(keyring[id])) { 39 if (IS_ERR(keyring[id])) {
50 int err = PTR_ERR(keyring[id]); 40 int err = PTR_ERR(keyring[id]);
51 pr_err("no %s keyring: %d\n", keyring_name[id], err); 41 pr_err("no %s keyring: %d\n", keyring_name[id], err);
@@ -66,21 +56,3 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
66 56
67 return -EOPNOTSUPP; 57 return -EOPNOTSUPP;
68} 58}
69
70int integrity_init_keyring(const unsigned int id)
71{
72 const struct cred *cred = current_cred();
73 const struct user_struct *user = cred->user;
74
75 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
76 KGIDT_INIT(0), cred,
77 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
78 KEY_USR_VIEW | KEY_USR_READ),
79 KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
80 if (!IS_ERR(keyring[id]))
81 set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
82 else
83 pr_info("Can't allocate %s keyring (%ld)\n",
84 keyring_name[id], PTR_ERR(keyring[id]));
85 return 0;
86}
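Review bot: The `keyring_name[]` table (new lines 24-28) has no comment on where `_evm`, `_module` and `_ima` come from or what trust they imply, although `integrity_digsig_verify()` resolves them by name with `request_key()` on first use. With the `keyring_alloc()` / `KEY_FLAG_TRUSTED_ONLY` path no longer present, nothing visible in this file limits which keys can be placed on `_ima`, so the signature check is presumably only as strong as whatever controls how that keyring is populated. I would add a comment above the table, for example `/* Looked up by name on first use; this file applies no trusted-only restriction to them. */`. The body of `integrity_digsig_verify()` is only partly visible in these hunks, so checks outside them are not covered by this note.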
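--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -123,11 +123,3 @@ config IMA_APPRAISE
  For more information on integrity appraisal refer to:
  <http://linux-ima.sourceforge.net>
  If unsure, say N.
-
-config IMA_TRUSTED_KEYRING
- bool "Require all keys on the _ima keyring be signed"
- depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
- default y
- help
- This option requires that all keys added to the _ima
- keyring be signed by a key on the system trusted keyring.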
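--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -381,14 +381,3 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
  }
  return result;
 }
-
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static int __init init_ima_keyring(void)
-{
- int ret;
-
- ret = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
- return 0;
-}
-late_initcall(init_ima_keyring);
-#endif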
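--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -137,19 +137,12 @@ static inline int integrity_digsig_verify(const unsigned int id,
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
 int asymmetric_verify(struct key *keyring, const char *sig,
  int siglen, const char *data, int datalen);
-
-int integrity_init_keyring(const unsigned int id);
 #else
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
  int siglen, const char *data, int datalen)
 {
  return -EOPNOTSUPP;
 }
-
-static int integrity_init_keyring(const unsigned int id)
-{
- return 0;
-}
 #endif
 
 #ifdef CONFIG_INTEGRITY_AUDIT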